Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: add workflow detection action #35

Merged
merged 8 commits into from
Apr 26, 2022
Merged

Feature: add workflow detection action #35

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
6013230
add workflow detection action
asraa Apr 22, 2022
6c9aa4b
add permission
asraa Apr 22, 2022
739f879
update
asraa Apr 22, 2022
089bfca
set output correctly
asraa Apr 22, 2022
0081096
remove local test
asraa Apr 22, 2022
38f1565
use go code
asraa Apr 25, 2022
9b20c22
fix output
asraa Apr 25, 2022
dd7e3ad
update
asraa Apr 25, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
17 changes: 17 additions & 0 deletions .github/actions/detect-workflow/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
FROM golang@sha256:3b7fa1bed1510cfdadbbd839ab1c2c4ca5ee86bc259d2cb71142f6bd4e70b59f as builder

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a little late, but I was wondering if we could avoid dockerfile by using:

- uses: action/setup-go@xxx
- uses: action/checkout@xxx
- runs: go build
- runs: run the program

I ask because docker build/run take longer, and because it would avoid maintaining the hashes in the docker file.

I don't know if this code works, though.. especially the part on checkout. I feel that it might, the same way that the dockerfile is able to reference its own code...

WORKDIR /app
COPY . /app

RUN go get -d -v

# Statically compile our app for use in a distroless container
RUN CGO_ENABLED=0 go build -ldflags="-w -s" -v -o app .

# A distroless container image with some basics like SSL certificates
# https://github.com/GoogleContainerTools/distroless
FROM gcr.io/distroless/static@sha256:0bec8e882c023de03ba9ed6bb07cd6b5e52b19fb1641505ea1b1c8937f3ccc7d

COPY --from=builder /app/app /app

ENTRYPOINT ["/app"]
12 changes: 12 additions & 0 deletions .github/actions/detect-workflow/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,12 @@
name: 'Detect Reusable Workflow Repository and Ref'
description: 'Get the current reusable workflow repository name and ref. Requires "id-token: write" permission'
outputs:
repository:
description: The current workflow repository, format org/repository
value: ${{ steps.detect.outputs.repository }}
ref:
description: The current workflow reference
value: ${{ steps.detect.outputs.ref }}
runs:
using: 'docker'
image: 'Dockerfile'
17 changes: 17 additions & 0 deletions .github/actions/detect-workflow/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
module github.com/slsa-framework/slsa-github-generator/.github/actions/detect-workflow

go 1.18

require github.com/slsa-framework/slsa-github-generator v0.0.0-20220418072137-6847f817dbea

require (
github.com/coreos/go-oidc v2.2.1+incompatible // indirect
github.com/golang/protobuf v1.5.2 // indirect
github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021 // indirect
golang.org/x/crypto v0.0.0-20220213190939-1e6e3497d506 // indirect
golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd // indirect
golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.28.0 // indirect
gopkg.in/square/go-jose.v2 v2.6.0 // indirect
)