diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
index 36dadfee0b..c643a496fa 100644
--- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml
+++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml
@@ -6,6 +6,9 @@ on:
 permissions: read-all
+env:
+ GH_TOKEN: ${{ github.token }}
+
 jobs:
 bootstrap:
 runs-on: ubuntu-latest
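Review bot: `GH_TOKEN: ${{ github.token }}` is declared at workflow level, so every step of every job in this file — including third-party actions such as the checkout — sees the token in its environment, yet nothing in this diff reads `GH_TOKEN`. If a later step needs it for `gh`, set it on that step's own `env:` instead, which keeps the token scoped to the code that actually uses it. As far as I know a workflow-level `env` is not propagated into the `build` job's reusable-workflow call anyway, so the broad scope buys nothing there.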
@@ -13,11 +16,41 @@ jobs:
 contents: write
 steps:
 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./
+ - run: mv e2e/maven/pom.xml ./ && cp -r e2e/maven/src ./ && rm -r e2e/maven/src
 build:
- runs-on: ubuntu-latest
+ #runs-on: ubuntu-latest
 permissions:
 id-token: write # For signing.
 contents: read # For repo checkout of private repos.
 actions: read # For getting workflow run on private repos.
 uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main
+ verify:
+ runs-on: ubuntu-latest
+ needs: [build]
+ steps:
+ - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
+ with:
+ name: "${{ needs.build.outputs.provenance-download-name }}"
+ sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
+ path: slsa-attestations
+ - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2
+ with:
+ name: target
+ sha256: "${{ needs.build.outputs.target-download-sha256 }}"
+ path: ./
+ - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+ with:
+ go-version: "1.18"
+# - env:
+# # NOTE: We move the artifact because the verification script
+# # check that the subject name matches the filename.
+# ARTIFACT: "${{ needs.build.outputs.artifact }}"
+# run: |
+# mv "artifacts/${ARTIFACT}" .
+ - env:
+ BINARY: ./target/test-java-project-0.1.19.jar
+ PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa"
+ BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"
+ BUILDER_TAG: "v2.0.0"
+ run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
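Review bot: The `BUILDER_ID`/`BUILDER_TAG` handed to the verify step name `slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml` at `v2.0.0`, while the provenance this job downloads was produced by the `build` job's `builder_maven_slsa3.yml@main` from slsa-github-generator; unless the verify script overrides these values, the builder-identity check is either failing or not checking the builder that actually ran. Point them at the Maven builder, e.g. `BUILDER_ID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml"`, with whatever tag the script expects for `@main`. The jar version `0.1.19` is also hard-coded in both `BINARY` and `PROVENANCE`, so a version bump in `e2e/maven/pom.xml` silently breaks verification; consider taking the artifact name from a build output instead. The commented-out `#runs-on:` line and the `# - env:` block are dead text in the committed workflow and should be removed rather than left behind.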
diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
index 22e0354b54..65fe96aa1e 100755
--- a/.github/workflows/scripts/e2e-verify.common.sh
+++ b/.github/workflows/scripts/e2e-verify.common.sh
@@ -340,6 +340,11 @@ verify_provenance_authenticity() {
 if [[ "$tag" == "HEAD" ]] || version_ge "$tag" "v1.3"; then
 echo " **** Default parameters (annotated tags) *****"
+ echo "1: ${artifactAndbuilderMinArgs[@]}"
+ echo "2: ${provenanceArg[@]}"
+ echo "3: ${packageArg[@]}"
+ echo "4: ${sourceArg[@]}"
+ echo "5: github.com/$GITHUB_REPOSITORY"
 $verifierCmd "${artifactAndbuilderMinArgs[@]}" "${provenanceArg[@]}" "${packageArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_eq "$?" "0" "not main default parameters (annotated_tags)"
 elif [[ -z "$annotated_tags" ]]; then
diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh
index e88ff0ea61..485d0d492d 100755
--- a/.github/workflows/scripts/e2e.delegator.default.verify.sh
+++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh
@@ -39,6 +39,10 @@ echo "DEBUG: file is $THIS_FILE"
 export SLSA_VERIFIER_TESTING="true"
+echo "finding..................."
+find . -name *.build.slsa
+find . -name "*.jar"
+
 # Verify provenance authenticity.
 # TODO(233): Update to v1.8.0 tag.
 e2e_run_verifier_all_releases "HEAD"
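Review bot: The five added `echo "N: ${...[@]}"` lines in `verify_provenance_authenticity` read like temporary debugging, and embedding `${arr[@]}` inside a larger double-quoted string flattens the element boundaries, which is exactly the information that matters when the verifier rejects an argument. If they are to stay, label them like the existing `DEBUG:` messages and print the words as the verifier receives them, e.g. `printf 'DEBUG: verifier args:'; printf ' %q' "${artifactAndbuilderMinArgs[@]}" "${provenanceArg[@]}" "${packageArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"; echo`. The function begins before this hunk, so I cannot tell whether a verbosity flag already exists to gate this output.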
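Review bot: `find . -name *.build.slsa` leaves the pattern unquoted, so the shell expands it against the current directory before `find` runs: with one matching file there `find` searches for that exact name only, and with several it aborts with a "paths must precede expression" error. Quote it the way the next line already does, `find . -name "*.build.slsa"`. These listing lines also look like debugging left in an e2e script; if they are kept, prefix them with `DEBUG:` like the existing `echo "DEBUG: file is $THIS_FILE"` so they are recognisable in the job log.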