Skip to content

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml #95

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml

Update verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml #95

# This produces a test for the generic workflows for the CLI e2e test.
# The output will be a file binary-linux-amd64-workflow_dispatch and
# its associated provenance that should be moved to the
# cli/slsa-verifier/testdata/gha_generic/$BUILDER_TAG folder.
on:
workflow_dispatch:
push:
tags:
# We only expect these on a hard-coded set of tags.
- "v14.2"
- "v14"
- "v13.0.30"
permissions: read-all
env:
GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }}
IMAGE_REGISTRY: ghcr.io
# NOTE: This pushes a container image to a "package" under the
# slsa-framework GitHub org.
# The image name should be of the form: slsa-framework/example-package.<test name>
IMAGE_NAME: slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3
jobs:
generate_name:
outputs:
gha_generic_binary-name: ${{ steps.create_name.outputs.gha_generic_binary-name }}
gha_delegator_binary-name: ${{ steps.create_name.outputs.gha_delegator_binary-name }}
gha_delegator-lowperms_binary-name: ${{ steps.create_name.outputs.gha_delegator-lowperms_binary-name }}
config-file: ${{ steps.create_name.outputs.config-file }}
config-path: ${{ steps.create_name.outputs.config-path }}
runs-on: ubuntu-latest
steps:
- name: Creates the output name
id: create_name
run: |
if [ "${GITHUB_EVENT_NAME}" == "workflow_dispatch" ]; then
{
echo "gha_generic_binary-name=gha_generic-binary-linux-amd64-workflow_dispatch"
echo "gha_delegator_binary-name=gha_delegator-binary-linux-amd64-workflow_dispatch"
echo "gha_delegator-lowperms_binary-name=gha_delegator-lowperms-binary-linux-amd64-workflow_dispatch"
echo "config-file=.github/configs-go/config-ldflags-workflow_dispatch.yml"
echo "config-path=.github/configs-docker/config-workflow_dispatch.toml"
} >> "${GITHUB_OUTPUT}"
exit 0
fi
# This must be a tag event.
{
echo "gha_generic_binary-name=gha_generic-binary-linux-amd64-${GITHUB_REF_NAME}"
echo "gha_delegator_binary-name=gha_delegator-binary-linux-amd64-${GITHUB_REF_NAME}"
echo "gha_delegator-lowperms_binary-name=gha_delegator-lowperms-binary-linux-amd64-${GITHUB_REF_NAME}"
echo "config-file=.github/configs-go/config-ldflags-tag-name.yml"
echo "config-path=.github/configs-docker/config-tag-${GITHUB_REF_NAME}.toml"
} >> "${GITHUB_OUTPUT}"
build:
needs: [generate_name]
env:
BINARY_NAME: ${{ needs.generate_name.outputs.gha_generic_binary-name }}
outputs:
gha_generic_binary-name: ${{ steps.build.outputs.gha_generic_binary-name }}
digest: ${{ steps.hash.outputs.digest }}
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup Bazelisk
uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0
with:
bazelisk-version: "1.11"
- name: Build artifact
id: build
run: |
bazelisk build //:hello
cp bazel-bin/hello_/hello "${BINARY_NAME}" # Copy binary from Bazel path to root
echo "gha_generic_binary-name=$BINARY_NAME" >> "${GITHUB_OUTPUT}"
- name: Upload binary
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: ${{ steps.build.outputs.gha_generic_binary-name }}
path: ${{ steps.build.outputs.gha_generic_binary-name }}
if-no-files-found: error
retention-days: 5
- name: Generate hash
shell: bash
id: hash
run: |
set -euo pipefail
echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
gha_generic:
needs: [build]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.build.outputs.digest }}"
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
gha_go:
needs: [generate_name]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
go-version: "1.21"
# We cannot use ${{ env.CONFIG_FILE }} because env variables are not available.
config-file: ${{ needs.generate_name.outputs.config-file }}
container_build:
env:
REGISTRY_USERNAME: "ianlewis"
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Authenticate Docker
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ env.REGISTRY_USERNAME }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: build
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Output image
id: image
run: |
# NOTE: We need to use the image and digest in order to make sure
# that the image we attest has not been modified.
# NOTE: The digest output from docker/build-push-action is of the
# form "sha256:<digest>"
full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
gha_container:
needs: container_build
permissions:
id-token: write # For signing.
actions: read # For reading workflow info.
packages: write # For uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: ${{ needs.container_build.outputs.image }}
digest: ${{ needs.container_build.outputs.digest }}
registry-username: "ianlewis" # We cannot use env vars here
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
gha_container-based:
needs: [generate_name]
permissions:
id-token: write # For signing.
actions: read # For reading workflow info.
contents: write # For asset upload.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
builder-image: "bash"
builder-digest: "sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"
config-path: ${{ needs.generate_name.outputs.config-path }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
gha_delegator-lowperms_generic:
needs: [generate_name]
permissions:
id-token: write # For signing
contents: write # For asset uploads
actions: read
uses: slsa-framework/example-trw/.github/workflows/[email protected]
with:
artifact: ${{ needs.generate_name.outputs.gha_delegator-lowperms_binary-name }}
content: "hello"
secrets:
# NOTE: this password is set to 'delegator-password'.
password: ${{ secrets.DELEGATOR_PASSWORD }}
gha_delegator_generic:
needs: [generate_name]
permissions:
id-token: write # For signing
contents: write # For asset uploads
packages: write # To write to github packages
actions: read
uses: slsa-framework/example-trw/.github/workflows/[email protected]
with:
artifact: ${{ needs.generate_name.outputs.gha_delegator_binary-name }}
content: "hello"
secrets:
# NOTE: this password is set to 'delegator-password'.
password: ${{ secrets.DELEGATOR_PASSWORD }}
gha_maven:
permissions:
id-token: write # For signing.
contents: read # For repo checkout of private repos.
actions: read # For getting workflow run on private repos.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
directory: ./e2e/maven/workflow_dispatch
gha_gradle:
permissions:
id-token: write # For signing.
contents: read # For repo checkout of private repos.
actions: read # For getting workflow run on private repos.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
directory: ./e2e/gradle/workflow_dispatch
artifact-list: build/libs/workflow_dispatch-GRADLE_VERSION.jar,build/libs/workflow_dispatch-GRADLE_VERSION-javadoc.jar,build/libs/workflow_dispatch-GRADLE_VERSION-sources.jar
# Delete existing tags before triggering new ones.
delete-tags:
if: github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: push
run: |
git config user.name "${GITHUB_ACTOR}"
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
# Dispatch tags v14 v14.2 v13.0.30
for tag in v14 v14.2 v13.0.30
do
gh release delete "$tag" -y --cleanup-tag || true
git push --delete origin "$tag" || true
done
# Now dispatch this workflow again with push tags.
dispatch:
if: github.event_name == 'workflow_dispatch'
needs: [delete-tags]
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: push
shell: bash
run: |
# Dispatch tags v14 v14.2 v13.0.30
echo "tagging ${GITHUB_SHA}"
for tag in v14 v14.2 v13.0.30
do
gh release create "${tag}" --target main --notes "gha_generic"
done