.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml #454
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow pushes a new tag to trigger a new GCB build | |
| on: | |
| schedule: | |
| # Twice a month scheduled cron for rebuilding. | |
| - cron: "0 3 1,15 * *" | |
| # Verify the last built image daily. | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| permissions: read-all | |
| concurrency: "e2e.gcb.tag.main.annotated-build.slsa3" | |
| env: | |
| GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| IMAGE_REGISTRY: us-west2-docker.pkg.dev | |
| # The IMAGE_NAME matches the substitution variable in the trigger configuration. | |
| IMAGE_NAME: slsa-tooling/example-package-repo/e2e-gcb-tag-main-annotated-slsa3 | |
| # NOTE: This version must be unique for each e2e test built on GitHub Actions. | |
| DEFAULT_VERSION: v33.0.0 | |
| jobs: | |
| # This should trigger the GCB build. | |
| # This does not run on workflow_dispatch - we may use an input here to allow | |
| # retriggering the build by workflow_dispatch. | |
| # This was removed to avoid retriggering the build when intending to reverify provenance. | |
| release: | |
| runs-on: ubuntu-latest | |
| if: (github.event_name == 'schedule' && github.event.schedule == '0 3 1,15 * *') | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: create | |
| run: ./.github/workflows/scripts/e2e-create-release.sh | |
| # Retrieve provenance of the latest build. | |
| provenance: | |
| if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && github.event.schedule == '0 2 * * *') | |
| permissions: | |
| id-token: write # For auth. | |
| outputs: | |
| image: ${{ steps.describe.outputs.image }} | |
| provenance-name: ${{ steps.describe.outputs.provenance-name }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - id: "auth" | |
| name: "Authenticate to Google Cloud" | |
| uses: "google-github-actions/auth@v2" | |
| with: | |
| workload_identity_provider: "projects/819720953812/locations/global/workloadIdentityPools/example-package-pool/providers/example-package-provider" | |
| service_account: "example-package-user@slsa-tooling.iam.gserviceaccount.com" | |
| - name: "Set up Cloud SDK" | |
| uses: "google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200" # v2.1.0 | |
| - name: Retrieve the latest builds provenance | |
| id: describe | |
| run: | | |
| # Retrieve the build ID filtering by image name | |
| build_id=$(gcloud builds list --filter "results.images.name=${IMAGE_REGISTRY}/${IMAGE_NAME}" --region=us-west2 --project slsa-tooling --limit=1 --format="value(id)") | |
| echo "Found build with build id ${build_id}..." | |
| image_digest=$(gcloud builds describe "${build_id}" --project=slsa-tooling --region=us-west2 --format="value(results.images[0].digest)") | |
| echo "image=${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}" >> "${GITHUB_OUTPUT}" | |
| echo "Retrieved image digest ${image_digest}..." | |
| # Get latest builds provenance | |
| gcloud artifacts docker images describe "${IMAGE_REGISTRY}/${IMAGE_NAME}@${image_digest}" --show-provenance --format json > provenance.json | |
| echo "provenance-name=provenance.json" >> "${GITHUB_OUTPUT}" | |
| - name: Upload provenance | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: ${{ steps.describe.outputs.provenance-name }} | |
| path: ${{ steps.describe.outputs.provenance-name }} | |
| if-no-files-found: error | |
| retention-days: 5 | |
| # Verify the created provenance attestation: does not require the build job. | |
| verify: | |
| if: github.event_name == 'workflow_dispatch' || (github.event_name == 'schedule' && github.event.schedule == '0 2 * * *') | |
| needs: provenance | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: "1.21" | |
| - env: | |
| CONTAINER: ${{ needs.provenance.outputs.image }} | |
| PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} | |
| run: ./.github/workflows/scripts/e2e.gcb.default.verify.sh | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [provenance, verify] | |
| if: needs.provenance.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [provenance, verify] | |
| if: always() && needs.provenance.result == 'failure' || needs.verify.result == 'failure' | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |