Skip to content

.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml #11366

.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml

.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml #11366

# This e2e test performs the following via a GitHub Actions push event with ref_type == tag.
# - Build the Go application into a Docker image
# - Push the image to GCP Artifact Registry
# - Generate SLSA provenance for the image
# - Upload the provenance to ghcr.io
# - Verify the created provenance attestation.
on:
schedule:
- cron: "0 3 * * *"
workflow_dispatch:
push:
tags:
- "v[0-9]+.[0-9]+.[0-9]+" # triggers only if push new tag version, like `v0.8.4` or else
permissions: {}
concurrency: "e2e.container.tag.main.gcp-workload-identity.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
IMAGE_NAME: slsa-tooling/example-package-repo/e2e.container.tag.main.gcp-workload-identity.slsa3
IMAGE_REGISTRY: us-west2-docker.pkg.dev
SERVICE_ACCOUNT: [email protected]
PROVIDER_NAME: projects/819720953812/locations/global/workloadIdentityPools/example-package-pool/providers/example-package-provider
# NOTE: This version must be unique for each e2e test built on GitHub Actions.
DEFAULT_VERSION: v32.0.0
jobs:
release:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-create-release.sh
shim:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref_type == 'tag'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: verify
run: ./.github/workflows/scripts/e2e-verify-release.sh
# Build the Go application into a Docker image
# Push the image to ghcr.io
build:
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
id-token: write # For authenticating to Google Cloud Workload Identity
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
service_account: ${{ steps.image.outputs.service_account }}
provider_name: ${{ steps.image.outputs.provider_name }}
runs-on: ubuntu-latest
steps:
- id: auth
name: "Authenticate to Google Cloud"
uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0
with:
token_format: "access_token"
service_account: ${{ env.SERVICE_ACCOUNT }}
workload_identity_provider: ${{ env.PROVIDER_NAME }}
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Authenticate Docker
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: oauth2accesstoken
password: ${{ steps.auth.outputs.access_token }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
id: build
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Output image
id: image
run: |
# NOTE: We need to use the image and digest in order to make sure
# that the image we attest has not been modified.
# NOTE: The digest output from docker/build-push-action is of the
# form "sha256:<digest>"
full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
{
echo "image=$full_image_name"
echo "service_account=${SERVICE_ACCOUNT}"
echo "provider_name=${PROVIDER_NAME}"
} >> "${GITHUB_OUTPUT}"
# Generate SLSA provenance for the image
# Upload the provenance to ghcr.io
provenance:
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
needs: [shim, build]
permissions:
id-token: write # For signing.
actions: read # For reading workflow info.
packages: write # For uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@main
with:
image: ${{ needs.build.outputs.image }}
digest: ${{ needs.build.outputs.digest }}
gcp-service-account: ${{ needs.build.outputs.service_account }}
gcp-workload-identity-provider: ${{ needs.build.outputs.provider_name }}
compile-generator: true
# Verify the created provenance attestation.
verify:
# NOTE: this name is used as the status check name and by protected
# branches for required status checks. It should have a unique name among
# other pre-submits.
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
needs: [shim, build, provenance]
permissions:
packages: read # For reading attestations.
id-token: write # For authenticating to Google Cloud Workload Identity
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- id: auth
name: "Authenticate to Google Cloud"
uses: google-github-actions/auth@5a50e581162a13f4baa8916d01180d2acbc04363 # v2.1.0
with:
token_format: "access_token"
service_account: ${{ env.SERVICE_ACCOUNT }}
workload_identity_provider: ${{ env.PROVIDER_NAME }}
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- env:
REGISTRY_USERNAME: oauth2accesstoken
REGISTRY_PASSWORD: ${{ steps.auth.outputs.access_token }}
IMAGE_NAME: ${{ needs.build.outputs.image }}
IMAGE_DIGEST: ${{ needs.build.outputs.digest }}
run: |
cosign login "${IMAGE_REGISTRY}" -u "${REGISTRY_USERNAME}" -p "${REGISTRY_PASSWORD}"
# TODO: use --enforce-sct
# TODO: add cue policy for further validation.
# NOTE: COSIGN_EXPERIMENTAL is needed to check the transparency log.
COSIGN_EXPERIMENTAL=1 cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \
"${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json"
echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
CONTAINER: "${{ env.container }}"
PROVENANCE: "${{ env.provenance_file }}"
run: ./.github/workflows/scripts/e2e.container.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh