add provenance workflow dispatch #153
name: Build SLSA3 Provenances | |
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
on: | |
on: workflow_dispatch | |
push: | |
branches: [main] | |
# This workflow builds several binaries and is very time and resource consuming. As a result it | |
# is disabled by default on pull-request events. If you need to test this workflow on your PR | |
# before merge, label it with `provenance:force-run` to trigger the workflow. | |
pull_request: | |
branches: [main] | |
jobs: | |
build_binary: | |
if: | | |
github.event_name == 'push' || | |
contains(github.event.pull_request.labels.*.name, 'provenance:force-run') | |
# We use the same job template to generate provenances for multiple binaries. | |
strategy: | |
fail-fast: false | |
matrix: | |
buildconfig: | |
- buildconfigs/key_xor_test_app.toml | |
- buildconfigs/oak_containers_kernel.toml | |
- buildconfigs/oak_containers_orchestrator.toml | |
- buildconfigs/oak_containers_stage1.toml | |
- buildconfigs/oak_containers_syslogd.toml | |
- buildconfigs/oak_containers_system_image.toml | |
- buildconfigs/oak_echo_enclave_app.toml | |
- buildconfigs/oak_echo_raw_enclave_app.toml | |
- buildconfigs/oak_functions_enclave_app.toml | |
- buildconfigs/oak_functions_insecure_enclave_app.toml | |
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml | |
- buildconfigs/stage0_bin.toml | |
- buildconfigs/oak_orchestrator.toml | |
permissions: | |
actions: read | |
id-token: write | |
# Allow the job to update the repo with the latest provenance info and index. | |
contents: write | |
# Allow the job to add a comment to the PR. | |
pull-requests: write | |
attestations: write | |
uses: ./.github/workflows/reusable_provenance.yaml | |
with: | |
build-config-path: ${{ matrix.buildconfig }} | |
# Key pair generated with `ent keygen`, under which Ent tags are published. | |
# The secret key is stored in the repo secrets page: https://github.com/project-oak/oak/settings/secrets/actions | |
# The public key is stored in the repo variables page: https://github.com/project-oak/oak/settings/variables/actions | |
ent-public-key: ${{ vars.ENT_PUBLIC_KEY }} | |
secrets: | |
ENT_API_KEY: ${{ secrets.ENT_API_KEY }} | |
# Secret key corresponding to `ent-public-key` above, used to sign Ent tags. | |
ENT_SECRET_KEY: ${{ secrets.ENT_SECRET_KEY }} | |
GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} |
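Review bot: The `build_binary` job's `if:` condition still admits only `github.event_name == 'push'` or a labelled pull request, so a manual `workflow_dispatch` run added by this change would be skipped at the job level and produce no provenances; the condition needs a third clause, e.g. `github.event_name == 'push' || github.event_name == 'workflow_dispatch' ||` before the `contains(...)` line. The rendered `on:` block also shows `on: workflow_dispatch` directly under `on:`; if that is the literal new text rather than a display artefact it is a duplicate `on` key and `workflow_dispatch` would need to be a nested key (`workflow_dispatch:` indented under `on:`, alongside `push:` and `pull_request:`), so the rendered workflow should be checked with a YAML linter. Since a dispatch run exercises the same `contents: write`, `id-token: write` and secret-passing path as a push, it would help to add a comment above the trigger stating who is expected to use it, e.g. `# Manual trigger for re-generating provenances outside of the push/PR flow.`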