Skip to content

.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml #24

.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml

.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml #24

on:
# Only triggered manually for pre-release.
workflow_dispatch:
permissions: read-all
concurrency: "e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
IMAGE_REGISTRY: ghcr.io
# NOTE: This pushes a container image to a "package" under the
# slsa-framework GitHub org.
# The image name should be of the form: slsa-framework/example-package.<test name>
IMAGE_NAME: slsa-framework/example-package.e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3
DEFAULT_VERSION: v27.0.0
jobs:
# Build the Go application into a Docker image
# Push the image to ghcr.io
build:
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Authenticate Docker
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: build
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Output image
id: image
run: |
# NOTE: We need to use the image and digest in order to make sure
# that the image we attest has not been modified.
# NOTE: The digest output from docker/build-push-action is of the
# form "sha256:<digest>"
full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
# Generate SLSA provenance for the image
# Upload the provenance to ghcr.io
provenance:
needs: [build]
permissions:
id-token: write # For signing.
actions: read # For reading workflow info.
packages: write # For uploading attestations.
# uses: ianlewis/slsa-github-generator/.github/workflows/[email protected]
uses: laurentsimon/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.build.outputs.image }}
digest: ${{ needs.build.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
if-succeeded:
runs-on: ubuntu-latest
needs: [provenance]
if: needs.provenance.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: |
set -euo pipefail
echo "This test should fail"
exit 1