Skip to content

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml #9337

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml #9337

on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else
permissions: read-all
concurrency: "e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
DEFAULT_VERSION: v38.0.0
jobs:
release:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: create
run: ./.github/workflows/scripts/e2e-create-release.sh
shim:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref_type == 'tag'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: verify
run: ./.github/workflows/scripts/e2e-verify-release.sh
build:
runs-on: ubuntu-latest
permissions:
contents: write # For uploading assets to release
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Generate version flags
id: args
run: |
set -euo pipefail
THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
SOURCE_DATE_EPOCH=$(git log --date=iso8601-strict -1 --pretty=%ct)
GIT_TREESTATE=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)
echo "version_flags=-X main.gitVersion=v1.2.3 -X main.gitCommit=abcdef -X main.gitBranch=${BRANCH} -X main.gitTreeState=${GIT_TREESTATE} -X main.buildDate=${SOURCE_DATE_EPOCH} -w" >> "${GITHUB_OUTPUT}"
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
version: latest
args: release --rm-dist
workdir: ./e2e/goreleaser
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION_LDFLAGS: ${{ steps.args.outputs.version_flags }}
- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
working-directory: ./e2e/goreleaser
run: |
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(base64 -w0 <"$checksum_file")" >> "${GITHUB_OUTPUT}"
provenance:
needs: [shim, build]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
compile-generator: true
upload-assets: true
verify:
runs-on: ubuntu-latest
needs: [shim, build, provenance]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Download assets
run: gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
CHECKSUMS_B64: ${{ needs.build.outputs.hashes }}
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: |
set -euo pipefail
checksums=$(echo "${CHECKSUMS_B64}" | base64 -d)
while read -r line; do
fn=$(echo "$line" | awk '{ print $2 }')
echo "Verifying $fn"
BINARY="$fn" ./.github/workflows/scripts/e2e.generic.default.verify.sh
done <<<"$checksums"
if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh