e2e.container-based.schedule.main.default.slsa3.yml

on:
  schedule:
    - cron: "0 3 * * *"
  workflow_dispatch:

permissions: read-all

concurrency: "e2e.container-based.schedule.main.default.slsa3"

env:
  # TODO: Replace this token.
  PAT_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
  GH_TOKEN: ${{ github.token }}
  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator

  PROVENANCE_NAME: attestation.intoto

jobs:
  build:
    permissions:
      id-token: write # For signing
      actions: read
      contents: write # For asset uploads
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@main
    with:
      builder-image: "bash"
      builder-digest: "sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9"
      config-path: ".github/configs-docker/config.toml"
      provenance-name: attestation.intoto
      compile-builder: true

  verify:
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
        with:
          name: ${{ needs.build.outputs.build-outputs-name }}
          path: outputs
      - name: Get build artifact
        id: build
        run: |
          name=$(find outputs/ -type f | head -1)
          cp "$name" .
          echo "name=$(basename "$name")" >> "${GITHUB_OUTPUT}"
      - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
        with:
          name: ${{ needs.build.outputs.attestations-download-name }}
          path: attestations
      - name: Get attestation
        id: att
        env:
          FOLDER: attestations
        run: |
          name=$(find "${FOLDER}"/ -type f | head -1)
          cp "${name}" .
          echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
      - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
        with:
          go-version: "1.18"
      - env:
          BINARY: ${{ steps.build.outputs.name }}
          PROVENANCE: ${{ steps.att.outputs.name }}
        run: ./.github/workflows/scripts/e2e.container-based.default.verify.sh

  if-succeeded:
    runs-on: ubuntu-latest
    needs: [build, verify]
    # NOTE: The workflow is allowed to run for other event types but don't post
    # to issues unless it's a schedule event.
    if: github.event_name == 'schedule' && needs.build.result == 'success' && needs.verify.result == 'success'
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - run: ./.github/workflows/scripts/e2e-report-success.sh

  if-failed:
    runs-on: ubuntu-latest
    needs: [build, verify]
    # NOTE: The workflow is allowed to run for other event types but don't post
    # to issues unless it's a schedule event.
    if: always() && github.event_name == 'schedule' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
    steps:
      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - run: ./.github/workflows/scripts/e2e-report-failure.sh