.github/workflows/e2e.nodejs.tag.main.default.slsa3.yml #17038
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| schedule: | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else | |
| permissions: read-all | |
| concurrency: "e2e.generic.tag.main.assets.slsa3" | |
| env: | |
| GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| DEFAULT_VERSION: v18.0.0 | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: create | |
| run: ./.github/workflows/scripts/e2e-create-release.sh | |
| shim: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref_type == 'tag' | |
| outputs: | |
| continue: ${{ steps.verify.outputs.continue }} | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: verify | |
| run: ./.github/workflows/scripts/e2e-verify-release.sh | |
| build: | |
| runs-on: ubuntu-latest | |
| needs: [shim] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| outputs: | |
| binary-name: ${{ steps.build.outputs.binary-name }} | |
| digest: ${{ steps.hash.outputs.digest }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Bazelisk | |
| uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 | |
| with: | |
| bazelisk-version: "1.11" | |
| - name: Build artifact | |
| id: build | |
| run: | | |
| bazelisk build //:hello | |
| cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root | |
| echo "binary-name=hello" >> "${GITHUB_OUTPUT}" | |
| - name: Upload binary | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: ${{ steps.build.outputs.binary-name }} | |
| path: ${{ steps.build.outputs.binary-name }} | |
| if-no-files-found: error | |
| retention-days: 5 | |
| - name: Generate hash | |
| shell: bash | |
| id: hash | |
| env: | |
| BINARY_NAME: ${{ steps.build.outputs.binary-name }} | |
| run: | | |
| set -euo pipefail | |
| echo "digest=$(sha256sum "$BINARY_NAME" | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| provenance: | |
| needs: [shim, build] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| permissions: | |
| id-token: write # For signing. | |
| contents: write # For asset uploads. | |
| actions: read # For the entrypoint. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.digest }}" | |
| compile-generator: true | |
| upload-assets: true | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.build.outputs.binary-name }} | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: "1.21" | |
| - env: | |
| BINARY: ${{ needs.build.outputs.binary-name }} | |
| PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} | |
| run: ./.github/workflows/scripts/e2e.generic.default.verify.sh | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance, verify] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance, verify] | |
| if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |