Skip to content

add provenance workflow dispatch #153

add provenance workflow dispatch

add provenance workflow dispatch #153

Workflow file for this run

name: Build SLSA3 Provenances
# See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: true
on:
on: workflow_dispatch
push:
branches: [main]
# This workflow builds several binaries and is very time and resource consuming. As a result it
# is disabled by default on pull-request events. If you need to test this workflow on your PR
# before merge, label it with `provenance:force-run` to trigger the workflow.
pull_request:
branches: [main]
jobs:
build_binary:
if: |
github.event_name == 'push' ||
contains(github.event.pull_request.labels.*.name, 'provenance:force-run')
# We use the same job template to generate provenances for multiple binaries.
strategy:
fail-fast: false
matrix:
buildconfig:
- buildconfigs/key_xor_test_app.toml
- buildconfigs/oak_containers_kernel.toml
- buildconfigs/oak_containers_orchestrator.toml
- buildconfigs/oak_containers_stage1.toml
- buildconfigs/oak_containers_syslogd.toml
- buildconfigs/oak_containers_system_image.toml
- buildconfigs/oak_echo_enclave_app.toml
- buildconfigs/oak_echo_raw_enclave_app.toml
- buildconfigs/oak_functions_enclave_app.toml
- buildconfigs/oak_functions_insecure_enclave_app.toml
- buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml
- buildconfigs/stage0_bin.toml
- buildconfigs/oak_orchestrator.toml
permissions:
actions: read
id-token: write
# Allow the job to update the repo with the latest provenance info and index.
contents: write
# Allow the job to add a comment to the PR.
pull-requests: write
attestations: write
uses: ./.github/workflows/reusable_provenance.yaml
with:
build-config-path: ${{ matrix.buildconfig }}
# Key pair generated with `ent keygen`, under which Ent tags are published.
# The secret key is stored in the repo secrets page: https://github.com/project-oak/oak/settings/secrets/actions
# The public key is stored in the repo variables page: https://github.com/project-oak/oak/settings/variables/actions
ent-public-key: ${{ vars.ENT_PUBLIC_KEY }}
secrets:
ENT_API_KEY: ${{ secrets.ENT_API_KEY }}
# Secret key corresponding to `ent-public-key` above, used to sign Ent tags.
ENT_SECRET_KEY: ${{ secrets.ENT_SECRET_KEY }}
GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}