-
Notifications
You must be signed in to change notification settings - Fork 25
135 lines (124 loc) · 4.98 KB
/
e2e.generic.schedule.main.multi-subjects.slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
on:
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
permissions: read-all
concurrency: "e2e.generic.schedule.main.multi-subjects.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
jobs:
build:
outputs:
digests: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2
echo "artifact3" > artifact3
- name: Upload artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: artifacts
if-no-files-found: error
retention-days: 5
path: |
artifact1
artifact2
artifact3
- name: Generate hashes
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum artifact1 artifact2 artifact3 | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance:
needs: [build]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
compile-generator: true
verify:
runs-on: ubuntu-latest
needs: [build, provenance]
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download binary
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: artifacts
- name: Download provenance
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
# Note: the 3 artifacts share the same provenance file.
- name: Verify provenance artifact1
env:
BINARY: artifact1
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
- name: Verify provenance artifact2
env:
BINARY: artifact2
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
- name: Verify provenance artifact3
env:
BINARY: artifact3
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
no-verify:
runs-on: ubuntu-latest
needs: [build, provenance]
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download provenance
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: Setup Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- name: Alter artifacts
run: |
# Altered artifact.
echo "artifact4" > artifact2
- name: Verify provenance artifact2
env:
BINARY: artifact2
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, provenance, verify, no-verify]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: always() && github.event_name == 'schedule' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' && needs.no-verify.result == 'failure'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, provenance, verify, no-verify]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure' || needs.no-verify.result == 'success')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh