.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml #8818
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This e2e test performs the following via a GitHub Actions push event. | |
# - Build the Go application | |
# - Generate SLSA provenance for the binary | |
# - Upload the provenance to a GitHub release | |
# - Verify the created provenance attestation. | |
on: | |
schedule: | |
- cron: "0 2 * * *" | |
workflow_dispatch: | |
push: | |
branches: [main] | |
permissions: read-all | |
concurrency: "e2e.generic.push.main.upload-tag-name.slsa3" | |
env: | |
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }} | |
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
DEFAULT_VERSION: v32.0.0 | |
jobs: | |
push: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- run: ./.github/workflows/scripts/e2e-push.sh | |
build: | |
runs-on: ubuntu-latest | |
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow | |
outputs: | |
binary-name: ${{ steps.build.outputs.binary-name }} | |
digest: ${{ steps.hash.outputs.digest }} | |
upload-tag-name: ${{ steps.hash.outputs.upload-tag-name }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Setup Bazelisk | |
uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0 | |
with: | |
bazelisk-version: "1.11" | |
- name: Build artifact | |
id: build | |
run: | | |
bazelisk build //:hello | |
cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root | |
echo "binary-name=hello" >> "${GITHUB_OUTPUT}" | |
- name: Upload binary | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
name: ${{ steps.build.outputs.binary-name }} | |
path: ${{ steps.build.outputs.binary-name }} | |
if-no-files-found: error | |
retention-days: 5 | |
- name: Generate hash | |
shell: bash | |
id: hash | |
env: | |
BINARY_NAME: ${{ steps.build.outputs.binary-name }} | |
run: | | |
set -euo pipefail | |
source "./.github/workflows/scripts/e2e-utils.sh" | |
echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
filename="$(e2e_this_file)" | |
filename="${filename%.*}" # Remove the file extension. | |
echo "upload-tag-name=${filename}" >> "${GITHUB_OUTPUT}" | |
provenance: | |
needs: [build] | |
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow | |
permissions: | |
id-token: write # For signing. | |
contents: write # For asset uploads. | |
actions: read # For the entrypoint. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main | |
with: | |
base64-subjects: "${{ needs.build.outputs.digest }}" | |
compile-generator: true | |
upload-assets: true | |
# NOTE: For non-tag triggers this will still upload to a tag. | |
upload-tag-name: "${{ needs.build.outputs.upload-tag-name }}" | |
verify: | |
runs-on: ubuntu-latest | |
needs: [build, provenance] | |
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.build.outputs.binary-name }} | |
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-name }} | |
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version: "1.21" | |
- env: | |
BINARY: ${{ needs.build.outputs.binary-name }} | |
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} | |
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh | |
if-succeeded: | |
runs-on: ubuntu-latest | |
needs: [build, provenance, verify] | |
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- run: ./.github/workflows/scripts/e2e-report-success.sh | |
if-failed: | |
runs-on: ubuntu-latest | |
needs: [build, provenance, verify] | |
if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- run: ./.github/workflows/scripts/e2e-report-failure.sh |