Skip to content

.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml #1032

.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml

.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml #1032

on:
schedule:
- cron: "0 1 * * *"
workflow_dispatch:
permissions: read-all
concurrency: "e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
# WARNING: update build job if CONFIG_FILE changes.
CONFIG_FILE: .github/configs-go/config-ldflags.yml
jobs:
dispatch:
runs-on: ubuntu-latest
permissions:
actions: write
contents: write
# WARNING: need `github.ref_name == 'main'` to avoid infinite loop when triggering manually.
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && github.ref_name == 'main')
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-dispatch.sh
shim:
runs-on: ubuntu-latest
if: github.event_name == 'workflow_dispatch'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- id: verify
env:
REF_NAME: ${{ github.ref_name }}
run: |
set -euo pipefail
this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3)
branch=$(echo "${this_file}" | cut -d '.' -f4)
if [[ "${branch}" == "${REF_NAME}" ]]; then
echo "continue=yes" >> "${GITHUB_OUTPUT}"
fi
args:
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
commit: ${{ steps.ldflags.outputs.commit }}
branch: ${{ steps.ldflags.outputs.branch }}
steps:
- id: checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
with:
fetch-depth: 0
- id: ldflags
run: |
set -euo pipefail
this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3)
branch=$(echo "${this_file}" | cut -d '.' -f4)
{
echo "version=-X main.gitVersion=v1.2.3"
echo "commit=-X main.gitCommit=abcdef"
echo "branch=-X main.gitBranch=${branch}"
} >> "${GITHUB_OUTPUT}"
build:
needs: [shim, args]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch'
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
with:
go-version: 1.18
# We cannot use ${{ env.CONFIG_FILE }} because env variables are not available.
config-file: .github/configs-go/config-ldflags.yml
evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}"
compile-builder: true
verify:
runs-on: ubuntu-latest
needs: [shim, build]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: "1.18"
- env:
BINARY: ${{ needs.build.outputs.go-binary-name }}
# NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`,
# so we implictely verify that `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl = ${{ needs.build.outputs.go-provenance-name }}`.
PROVENANCE: ${{ needs.build.outputs.go-provenance-name }}
run: ./.github/workflows/scripts/e2e.go.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-failure.sh