Fix actionlint errors

Signed-off-by: Ian Lewis <[email protected]>
slsa-framework · Jun 7, 2023 · d725362 · d725362
1 parent f29a1b3
commit d725362
Show file tree

Hide file tree

Showing 21 changed files with 107 additions and 97 deletions.
diff --git a/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
@@ -40,8 +40,8 @@ jobs:
         id: build
         run: |
           name=$(find outputs/ -type f | head -1)
-          cp $name .
-          echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}"
+          cp "$name" .
+          echo "name=$(basename "$name")" >> "${GITHUB_OUTPUT}"
       - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
         with:
           name: ${{ needs.build.outputs.attestations-download-name }}

diff --git a/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml
@@ -36,11 +36,6 @@ jobs:
       contents: read # For reading repository contents.
       packages: write # For writing container images.
       id-token: write # For authenticating to Google Cloud Workload Identity
-    outputs:
-      image: ${{ steps.image.outputs.image }}
-      digest: ${{ steps.build.outputs.digest }}
-      service_account: ${{ steps.image.outputs.service_account }}
-      provider_name: ${{ steps.image.outputs.provider_name }}
     steps:
       - id: auth
         name: "Authenticate to Google Cloud"
@@ -87,8 +82,6 @@ jobs:
     outputs:
       image: ${{ steps.image.outputs.image }}
       digest: ${{ steps.image.outputs.digest }}
-      service_account: ${{ steps.image.outputs.service_account }}
-      provider_name: ${{ steps.image.outputs.provider_name }}
     steps:
       - id: auth
         name: "Authenticate to Google Cloud"
@@ -110,15 +103,17 @@ jobs:
         run: |
           # NOTE: We need to use the image and digest in order to make sure
           # that the image we attest has not been modified.
-          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
-          docker pull "$image_name:main"
-          repo_digest=$(docker inspect --format='{{index .RepoDigests 0}}' $image_name:main)
-          echo $repo_digest
-
-          echo "image=$image_name" >> "${GITHUB_OUTPUT}"
-          echo "digest=${repo_digest#*@}" >> "${GITHUB_OUTPUT}"
-          echo "service_account=${SERVICE_ACCOUNT}" >> "${GITHUB_OUTPUT}"
-          echo "provider_name=${PROVIDER_NAME}" >> "${GITHUB_OUTPUT}"
+          full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          docker pull "${full_image_name}:main"
+          repo_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${full_image_name}:main")
+          echo "$repo_digest"
+
+          {
+            echo "image=$image_name"
+            echo "digest=${repo_digest#*@}"
+            echo "service_account=${SERVICE_ACCOUNT}"
+            echo "provider_name=${PROVIDER_NAME}"
+          } >> "${GITHUB_OUTPUT}"
 
   build:
     permissions:
@@ -147,8 +142,8 @@ jobs:
         id: build
         run: |
           name=$(find outputs/ -type f | head -1)
-          cp $name .
-          echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}"
+          cp "${name}" .
+          echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}"
       - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
         with:
           name: ${{ needs.build.outputs.attestations-download-name }}

diff --git a/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml
@@ -34,8 +34,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build]
     steps:
-      - run: |
-          echo ${{ needs.build.outputs }}
+      - env:
+          OUTPUTS: ${{ toJSON(needs.build.outputs) }}
+        run: echo "${OUTPUTS}"
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
         with:
@@ -45,8 +46,8 @@ jobs:
         id: build
         run: |
           name=$(find outputs/ -type f | head -1)
-          cp $name .
-          echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}"
+          cp "$name" .
+          echo "name=$(basename "$name")" >> "${GITHUB_OUTPUT}"
       - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
         with:
           name: ${{ needs.build.outputs.attestations-download-name }}

diff --git a/.github/workflows/e2e.container.push.main.default.slsa3.yml b/.github/workflows/e2e.container.push.main.default.slsa3.yml
@@ -81,8 +81,8 @@ jobs:
           # that the image we attest has not been modified.
           # NOTE: The digest output from docker/build-push-action is of the
           # form "sha256:<digest>"
-          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
-          echo "image=$image_name" >> "${GITHUB_OUTPUT}"
+          full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
 
   # Generate SLSA provenance for the image
   # Upload the provenance to ghcr.io
@@ -130,10 +130,10 @@ jobs:
             --type slsaprovenance \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
             --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \
-            "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json
+            "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json"
 
-          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV
-          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV
+          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
+          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version: "1.18"

diff --git a/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml b/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml
@@ -65,8 +65,8 @@ jobs:
           # that the image we attest has not been modified.
           # NOTE: The digest output from docker/build-push-action is of the
           # form "sha256:<digest>"
-          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
-          echo "image=$image_name" >> "${GITHUB_OUTPUT}"
+          full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
 
   # Generate SLSA provenance for the image
   # Upload the provenance to ghcr.io
@@ -115,10 +115,10 @@ jobs:
             --type slsaprovenance \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
             --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \
-            "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json
+            "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json"
 
-          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV
-          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV
+          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
+          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version: "1.18"
@@ -180,7 +180,7 @@ jobs:
 
   if-succeeded-continue-on-error:
     runs-on: ubuntu-latest
-    needs: [verify-continue-on-error]
+    needs: [provenance-continue-on-error, verify-continue-on-error]
     # NOTE: The workflow is allowed to run for other event types but don't post
     # to issues unless it's a schedule event.
     if: github.event_name == 'schedule' && needs.provenance-continue-on-error.result == 'success' && needs.verify-continue-on-error.result == 'success'

diff --git a/.github/workflows/e2e.container.tag.main.registry-username-secret.yml b/.github/workflows/e2e.container.tag.main.registry-username-secret.yml
@@ -95,8 +95,8 @@ jobs:
           # that the image we attest has not been modified.
           # NOTE: The digest output from docker/build-push-action is of the
           # form "sha256:<digest>"
-          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
-          echo "image=$image_name" >> "${GITHUB_OUTPUT}"
+          full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
 
   # Generate SLSA provenance for the image
   # Upload the provenance to ghcr.io
@@ -145,10 +145,10 @@ jobs:
             --type slsaprovenance \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
             --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \
-            "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json
+            "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json"
 
-          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV
-          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV
+          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
+          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version: "1.18"

diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml
@@ -85,8 +85,8 @@ jobs:
           # that the image we attest has not been modified.
           # NOTE: The digest output from docker/build-push-action is of the
           # form "sha256:<digest>"
-          image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
-          echo "image=$image_name" >> "${GITHUB_OUTPUT}"
+          full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
+          echo "image=$full_image_name" >> "${GITHUB_OUTPUT}"
 
   # Generate SLSA provenance for the image
   # Upload the provenance to ghcr.io
@@ -134,10 +134,10 @@ jobs:
             --type slsaprovenance \
             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
             --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \
-            "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json
+            "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json"
 
-          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV
-          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV
+          echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV"
+          echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV"
       - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
         with:
           go-version: "1.18"

diff --git a/.github/workflows/e2e.generic.push.main.default.slsa3.yml b/.github/workflows/e2e.generic.push.main.default.slsa3.yml
@@ -40,7 +40,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >>"${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -55,7 +55,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     if: github.event_name == 'push' && github.event.head_commit.message == github.workflow

diff --git a/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml b/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml
@@ -48,7 +48,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "binary-name=hello" >> ""${GITHUB_OUTPUT}""
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -64,11 +64,11 @@ jobs:
         run: |
           set -euo pipefail
           source "./.github/workflows/scripts/e2e-utils.sh"
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> ""${GITHUB_OUTPUT}""
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
           filename="$(e2e_this_file)"
           filename="${filename%.*}" # Remove the file extension.
-          echo "upload-tag-name=${filename}" >> ""${GITHUB_OUTPUT}""
+          echo "upload-tag-name=${filename}" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [build]

diff --git a/.github/workflows/e2e.generic.release.main.default.slsa3.yml b/.github/workflows/e2e.generic.release.main.default.slsa3.yml
@@ -56,7 +56,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -71,7 +71,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [shim, build]

diff --git a/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml
@@ -28,7 +28,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -43,7 +43,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [build]

diff --git a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml
@@ -28,7 +28,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -43,7 +43,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "$BINARY_NAME" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [build]

diff --git a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml
@@ -58,7 +58,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -73,7 +73,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [shim, build]

diff --git a/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml b/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml
@@ -78,7 +78,7 @@ jobs:
           set -euo pipefail
 
           checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> ""${GITHUB_OUTPUT}""
+          echo "hashes=$(base64 -w0 <"$checksum_file")" >> "${GITHUB_OUTPUT}"
 
   provenance:
     needs: [shim, build]
@@ -107,15 +107,15 @@ jobs:
         with:
           go-version: "1.18"
       - env:
-          CHECKSUMS: ${{ needs.build.outputs.hashes }}
+          CHECKSUMS_B64: ${{ needs.build.outputs.hashes }}
           PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
         run: |
           set -euo pipefail
-          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          checksums=$(echo "${CHECKSUMS_B64}" | base64 -d)
           while read -r line; do
-              fn=$(echo $line | cut -d ' ' -f2)
+              fn=$(echo "$line" | cut -d ' ' -f2)
               echo "Verifying $fn"
-              BINARY=$fn ./.github/workflows/scripts/e2e.generic.default.verify.sh
+              BINARY="$fn" ./.github/workflows/scripts/e2e.generic.default.verify.sh
           done <<<"$checksums"
 
   if-succeeded:

diff --git a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml
@@ -43,7 +43,7 @@ jobs:
         run: |
           bazelisk build //:hello
           cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
-          echo "::set-output name=binary-name::hello"
+          echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
       - name: Upload binary
         uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         with:
@@ -58,7 +58,7 @@ jobs:
           BINARY_NAME: ${{ steps.build.outputs.binary-name }}
         run: |
           set -euo pipefail
-          echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}"
 
   provenance:
     if: github.event_name == 'workflow_dispatch'

diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml
@@ -58,11 +58,13 @@ jobs:
         run: |
           set -euo pipefail
 
-          THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
-          BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
-          echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}"
-          echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}"
-          echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}"
+          this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3)
+          branch=$(echo "${this_file}" | cut -d '.' -f4)
+          {
+            echo "version=-X main.gitVersion=v1.2.3"
+            echo "commit=-X main.gitCommit=abcdef"
+            echo "branch=-X main.gitBranch=${branch}"
+          } >> "${GITHUB_OUTPUT}"
 
   build:
     needs: [shim, args]