e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml

on:
  # Only triggered manually for pre-release.
  workflow_dispatch:

permissions: read-all

jobs:
  build:
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    runs-on: ubuntu-latest
    steps:
      - name: Build artifacts
        run: |
          # These are some amazing artifacts.
          echo "artifact1" > artifact1
          echo "artifact2" > artifact2

      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          # sha256sum generates sha256 hash for all artifacts.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum artifact1 artifact2 ... | base64 -w0
          echo "digests=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "${GITHUB_OUTPUT}"

  provenance:
    needs: [build]
    permissions:
      id-token: write # For signing.
      contents: write # For asset uploads.
      actions: read # For the entrypoint.
    # Update the reference in this line with the builder's version to test.
    # uses: ianlewis/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.8.0-rc.2
    # uses: laurentsimon/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0-rc.0
    # uses: kpk47/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.1-rc.0
    uses: ramonpetgrave64/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0-rc.0
    with:
      base64-subjects: "${{ needs.build.outputs.digests }}"

  if-succeeded:
    runs-on: ubuntu-latest
    needs: [provenance]
    if: needs.provenance.result == 'success'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: |
          set -euo pipefail

          echo "This test should fail"
          exit 1