Skip to content

.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.sls… #22997

.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.sls…

.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.sls… #22997

# NOTE: this file is identical to the 'main' version of this test.
# The only logic that's different is in e2e-create-release.sh
on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else
permissions: read-all
concurrency: "e2e.generic.tag.branch1.default.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
DEFAULT_VERSION: v22.0.0
jobs:
release:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: create
run: ./.github/workflows/scripts/e2e-create-release.sh
shim:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref_type == 'tag'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: verify
run: ./.github/workflows/scripts/e2e-verify-release.sh
build:
runs-on: ubuntu-latest
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
outputs:
binary-name: ${{ steps.build.outputs.binary-name }}
digest: ${{ steps.hash.outputs.digest }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Bazelisk
uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0
with:
bazelisk-version: "1.11"
- name: Build artifact
id: build
run: |
bazelisk build //:hello
cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
- name: Upload binary
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.build.outputs.binary-name }}
path: ${{ steps.build.outputs.binary-name }}
if-no-files-found: error
retention-days: 5
- name: Generate hash
shell: bash
id: hash
env:
BINARY_NAME: ${{ steps.build.outputs.binary-name }}
run: |
set -euo pipefail
echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance:
needs: [shim, build]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digest }}"
compile-generator: true
verify:
runs-on: ubuntu-latest
needs: [shim, build, provenance]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.binary-name }}
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
BINARY: ${{ needs.build.outputs.binary-name }}
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh