-
Notifications
You must be signed in to change notification settings - Fork 24
122 lines (112 loc) · 4.71 KB
/
e2e.generic.push.main.upload-tag-name.slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
# This e2e test performs the following via a GitHub Actions push event.
# - Build the Go application
# - Generate SLSA provenance for the binary
# - Upload the provenance to a GitHub release
# - Verify the created provenance attestation.
on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:
push:
branches: [main]
permissions: read-all
env:
PAT_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
GH_TOKEN: ${{ github.token }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
DEFAULT_VERSION: v32.0.0
jobs:
push:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- run: ./.github/workflows/scripts/e2e-push.sh
build:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
outputs:
binary-name: ${{ steps.build.outputs.binary-name }}
digest: ${{ steps.hash.outputs.digest }}
upload-tag-name: ${{ steps.hash.outputs.upload-tag-name }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Bazelisk
uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0
with:
bazelisk-version: "1.11"
- name: Build artifact
id: build
run: |
bazelisk build //:hello
cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
echo "binary-name=hello" >> "$GITHUB_OUTPUT"
- name: Upload binary
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{ steps.build.outputs.binary-name }}
path: ${{ steps.build.outputs.binary-name }}
if-no-files-found: error
retention-days: 5
- name: Generate hash
shell: bash
id: hash
env:
BINARY_NAME: ${{ steps.build.outputs.binary-name }}
run: |
set -euo pipefail
source "./.github/workflows/scripts/e2e-utils.sh"
echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "$GITHUB_OUTPUT"
filename="$(e2e_this_file)"
filename="${filename%.*}" # Remove the file extension.
echo "upload-tag-name=${filename}" >> "$GITHUB_OUTPUT"
provenance:
needs: [build]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digest }}"
compile-generator: true
upload-assets: true
# NOTE: For non-tag triggers this will still upload to a tag.
upload-tag-name: "${{ needs.build.outputs.upload-tag-name }}"
verify:
runs-on: ubuntu-latest
needs: [build, provenance]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
with:
name: ${{ needs.build.outputs.binary-name }}
- uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
with:
name: ${{ needs.provenance.outputs.attestation-name }}
- uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.18"
- env:
BINARY: ${{ needs.build.outputs.binary-name }}
PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, provenance, verify]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, provenance, verify]
if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh