Skip to content

.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-r… #11313

.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-r…

.github/workflows/e2e.gradle.workflow_dispatch.main.project-at-repo-r… #11313

on:
schedule:
- cron: "0 3 * * *"
workflow_dispatch:
push:
branches: [main]
permissions: read-all
concurrency: "e2e.go.push.main.config-noldflags.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
# WARNING: update build job if CONFIG_FILE changes.
CONFIG_FILE: .github/configs-go/config-noldflags.yml
jobs:
push:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-push.sh
# TODO: support multiple config files.
build:
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
with:
go-version: "1.21"
# We cannot use ${{ env.CONFIG_FILE }} because env variables are not available.
config-file: .github/configs-go/config-noldflags.yml
compile-builder: true
verify:
runs-on: ubuntu-latest
needs: build
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
BINARY: ${{ needs.build.outputs.go-binary-name }}
# NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`,
# so we implictely verify that `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl = ${{ needs.build.outputs.go-provenance-name }}`.
PROVENANCE: ${{ needs.build.outputs.go-provenance-name }}
run: ./.github/workflows/scripts/e2e.go.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, verify]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh