From fe954904368b9b5056d437d1e6e6f8cf4f084aca Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Wed, 2 Aug 2023 21:23:38 +0100 Subject: [PATCH 01/57] Add simple test for Maven builder Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../e2e.maven.push.main.default.slsa3.yml | 17 ++ pom.xml | 163 ++++++++++++++++++ src/main/java/hello/Greeter.java | 7 + src/main/java/hello/HelloWorld.java | 8 + 4 files changed, 195 insertions(+) create mode 100644 .github/workflows/e2e.maven.push.main.default.slsa3.yml create mode 100644 pom.xml create mode 100644 src/main/java/hello/Greeter.java create mode 100644 src/main/java/hello/HelloWorld.java diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml new file mode 100644 index 0000000000..b109567b7a --- /dev/null +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -0,0 +1,17 @@ +name: Maven e2e test - simple +on: + schedule: + - cron: "0 6 * * *" + workflow_dispatch: + +permissions: read-all + +jobs: + build: + permissions: + id-token: write # For signing. + contents: read # For repo checkout of private repos. + actions: read # For getting workflow run on private repos. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main + with: + rekor-log-public: true diff --git a/pom.xml b/pom.xml new file mode 100644 index 0000000000..1a25343adb --- /dev/null +++ b/pom.xml 
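Review bot: The `build` job calls the reusable builder at a mutable ref, `uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main`, and the workflow gives no hint that this is deliberate. For an e2e test inside the generator repo tracking `main` is presumably the point (it exercises the unreleased builder), but anyone copying this file as a template would inherit an unpinned trust root for a job that holds `id-token: write`. Add a trailing comment on the `uses:` line, e.g. `# e2e: intentionally tracks main; real consumers must pin a release tag`. The top-level `permissions: read-all` with the narrow per-job grant is the right shape and worth keeping as the pattern for the jobs added later.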
@@ -0,0 +1,163 @@ + + + 4.0.0 + io.github.adamkorcz + test-java-project + 0.1.19 + jar + Adams test java project + A test java project. + https://github.com/AdamKorcz/test-java-project + + 1.8 + 1.8 + + + + ossrh + https://s01.oss.sonatype.org/content/repositories/snapshots + + + ossrh + https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ + + + + + MIT License + http://www.opensource.org/licenses/mit-license.php + + + + + Adam K + Adam@adalogics.com + Ada Logics + http://www.adalogics.com + + + + scm:git:git://github.com/adamkorcz/test-java-project.git + scm:git:ssh://github.com:simpligility/test-java-project.git + http://github.com/adamkorcz/test-java-project/tree/main + + + + + org.apache.maven.plugins + maven-source-plugin + 2.2.1 + + + attach-sources + package + + jar-no-fork + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9.1 + + ${java.home}/bin/javadoc + + + + attach-javadocs + + jar + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.2.4 + + + package + + shade + + + + + hello.HelloWorld + + + + + + + + org.sonatype.plugins + nexus-staging-maven-plugin + 1.6.7 + true + + ossrh + https://s01.oss.sonatype.org/ + false + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.1.0 + + + sign-artifacts + verify + + sign + + + + + + --pinentry-mode + loopback + + + + + org.apache.maven.plugins + maven-deploy-plugin + 3.1.1 + + + deploy-file + deploy + + deploy-file + + + textfile.txt + https://s01.oss.sonatype.org/ + io.github.adamkorcz + + + + + + io.github.slsa-framework.slsa-github-generator + hash-maven-plugin + 0.0.1 + + + + hash-jarfile + + + + + ${SLSA_OUTPUTS_ARTIFACTS_FILE} + + + + + diff --git a/src/main/java/hello/Greeter.java b/src/main/java/hello/Greeter.java new file mode 100644 index 0000000000..f92a442354 --- /dev/null +++ b/src/main/java/hello/Greeter.java @@ -0,0 +1,7 @@ +package hello; + +public class Greeter { + public String sayHello() { + return "Hello world!"; + } +} 
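Review bot: The `<scm>` block is internally inconsistent: `connection` and `url` point at `adamkorcz/test-java-project`, while `developerConnection` is `scm:git:ssh://github.com:simpligility/test-java-project.git`, a different organisation and a malformed `ssh://host:path` form, which reads like a leftover from a template. The `connection` URL also uses the unauthenticated `git://` transport. Neither is consumed by the `package` build, but the pom is copied to the repository root by the workflow and is the thing the provenance describes, so it should at least be self-consistent: `scm:git:https://github.com/adamkorcz/test-java-project.git` and `scm:git:ssh://git@github.com/adamkorcz/test-java-project.git`. The `maven-deploy-plugin` `deploy-file` execution references `textfile.txt`, which this commit does not add; if the builder ever runs the `deploy` phase that execution will fail, so confirm which phase the builder invokes.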
diff --git a/src/main/java/hello/HelloWorld.java b/src/main/java/hello/HelloWorld.java new file mode 100644 index 0000000000..1626b45cbd --- /dev/null +++ b/src/main/java/hello/HelloWorld.java @@ -0,0 +1,8 @@ +package hello; + +public class HelloWorld { + public static void main(String[] args) { + Greeter greeter = new Greeter(); + System.out.println(greeter.sayHello()); + } +} From d82c25394aba2ade7c2a2d7dc3fa79482f10949e Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 2 Aug 2023 23:19:23 +0100 Subject: [PATCH 02/57] move maven files to e2e/ Signed-off-by: AdamKorcz --- .../e2e.maven.push.main.default.slsa3.yml | 10 +- e2e/maven/pom.xml | 163 ++++++++++++++++++ e2e/maven/src/main/java/hello/Greeter.java | 7 + e2e/maven/src/main/java/hello/HelloWorld.java | 8 + 4 files changed, 186 insertions(+), 2 deletions(-) create mode 100644 e2e/maven/pom.xml create mode 100644 e2e/maven/src/main/java/hello/Greeter.java create mode 100644 e2e/maven/src/main/java/hello/HelloWorld.java diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index b109567b7a..36dadfee0b 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -7,11 +7,17 @@ on: permissions: read-all jobs: + bootstrap: + runs-on: ubuntu-latest + permissions: + contents: write + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./ build: + runs-on: ubuntu-latest permissions: id-token: write # For signing. contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main - with: - rekor-log-public: true diff --git a/e2e/maven/pom.xml b/e2e/maven/pom.xml new file mode 100644 index 0000000000..1a25343adb --- /dev/null +++ b/e2e/maven/pom.xml 
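Review bot: The new `bootstrap` job requests `contents: write` but its only step is `mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./`, which rearranges the runner's checkout and never commits or pushes, so the write scope is unused and should be `contents: read`. As far as this hunk shows, the moved files also cannot reach the `build` job: it is a `uses:` call to the reusable builder, which checks the repository out itself, and it declares no `needs: [bootstrap]`, so the two jobs run independently. A `uses:` job additionally cannot carry `runs-on:`; the parser rejects that combination (the next commit comments it out). If the fixture must live under `e2e/maven/`, the builder needs a directory input, or the files need to be committed at the root; a bootstrap job cannot bridge that gap.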
@@ -0,0 +1,163 @@ + + + 4.0.0 + io.github.adamkorcz + test-java-project + 0.1.19 + jar + Adams test java project + A test java project. + https://github.com/AdamKorcz/test-java-project + + 1.8 + 1.8 + + + + ossrh + https://s01.oss.sonatype.org/content/repositories/snapshots + + + ossrh + https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ + + + + + MIT License + http://www.opensource.org/licenses/mit-license.php + + + + + Adam K + Adam@adalogics.com + Ada Logics + http://www.adalogics.com + + + + scm:git:git://github.com/adamkorcz/test-java-project.git + scm:git:ssh://github.com:simpligility/test-java-project.git + http://github.com/adamkorcz/test-java-project/tree/main + + + + + org.apache.maven.plugins + maven-source-plugin + 2.2.1 + + + attach-sources + package + + jar-no-fork + + + + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.9.1 + + ${java.home}/bin/javadoc + + + + attach-javadocs + + jar + + + + + + org.apache.maven.plugins + maven-shade-plugin + 3.2.4 + + + package + + shade + + + + + hello.HelloWorld + + + + + + + + org.sonatype.plugins + nexus-staging-maven-plugin + 1.6.7 + true + + ossrh + https://s01.oss.sonatype.org/ + false + + + + org.apache.maven.plugins + maven-gpg-plugin + 3.1.0 + + + sign-artifacts + verify + + sign + + + + + + --pinentry-mode + loopback + + + + + org.apache.maven.plugins + maven-deploy-plugin + 3.1.1 + + + deploy-file + deploy + + deploy-file + + + textfile.txt + https://s01.oss.sonatype.org/ + io.github.adamkorcz + + + + + + io.github.slsa-framework.slsa-github-generator + hash-maven-plugin + 0.0.1 + + + + hash-jarfile + + + + + ${SLSA_OUTPUTS_ARTIFACTS_FILE} + + + + + diff --git a/e2e/maven/src/main/java/hello/Greeter.java b/e2e/maven/src/main/java/hello/Greeter.java new file mode 100644 index 0000000000..f92a442354 --- /dev/null +++ b/e2e/maven/src/main/java/hello/Greeter.java @@ -0,0 +1,7 @@ +package hello; + +public class Greeter { + public String sayHello() { + return "Hello world!"; + } +} 
diff --git a/e2e/maven/src/main/java/hello/HelloWorld.java b/e2e/maven/src/main/java/hello/HelloWorld.java new file mode 100644 index 0000000000..1626b45cbd --- /dev/null +++ b/e2e/maven/src/main/java/hello/HelloWorld.java @@ -0,0 +1,8 @@ +package hello; + +public class HelloWorld { + public static void main(String[] args) { + Greeter greeter = new Greeter(); + System.out.println(greeter.sayHello()); + } +} From 80d23b4ac471a8837be978f50168d24ac69ac0bc Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 11:06:21 +0100 Subject: [PATCH 03/57] add verification Signed-off-by: AdamKorcz --- .../e2e.maven.push.main.default.slsa3.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 36dadfee0b..f0fcb14cbf 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -21,3 +21,18 @@ jobs: contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main + verify: + runs-on: ubuntu-latest + needs: [build] + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2 + with: + name: "${{ needs.build.outputs.provenance-download-name }}" + sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" + path: slsa-attestations + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2 + with: + name: target + sha256: "${{ inputs.target-download-sha256 }}" + path: ./ From 6d78b492a8bb910f70458fa29ea1aa264d75daf7 Mon Sep 17 00:00:00 2001 
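Review bot: The second download step passes `sha256: "${{ inputs.target-download-sha256 }}"`, but this workflow declares no inputs and `inputs` is empty on `schedule`/`workflow_dispatch` here, so `secure-download-folder` receives an empty expected digest for the `target` folder that is then extracted over `path: ./`; the value clearly meant is `sha256: "${{ needs.build.outputs.target-download-sha256 }}"`, matching the provenance step above it. Separately, the download action is pinned to `@v1.8.0-rc.2` while the builder it consumes runs from `@main`, so the artifact-name and digest contract between the two can drift; keep both on the same ref.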
From: AdamKorcz Date: Thu, 3 Aug 2023 11:20:21 +0100 Subject: [PATCH 04/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index f0fcb14cbf..05cc41e0a2 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -15,7 +15,7 @@ jobs: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./ build: - runs-on: ubuntu-latest + #runs-on: ubuntu-latest permissions: id-token: write # For signing. contents: read # For repo checkout of private repos. From 84e4198d16fd48b6714fdddbd87a9fa534153781 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 11:23:16 +0100 Subject: [PATCH 05/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 05cc41e0a2..c580396ae9 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -13,7 +13,7 @@ jobs: contents: write steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - run: mv e2e/maven/pom.xml ./ && mv e2e/maven/src ./ + - run: mv e2e/maven/pom.xml ./ && cp -r e2e/maven/src ./ && rm -r e2e/maven/src build: #runs-on: ubuntu-latest permissions: From df5eca035367050129f551e5157a9f2cb6acbdf2 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 11:31:52 +0100 Subject: [PATCH 06/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
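Review bot: Replacing `mv e2e/maven/src ./` with `cp -r e2e/maven/src ./ && rm -r e2e/maven/src` leaves the workspace in exactly the state the `mv` produced, so whatever failure prompted the change is not in this step. The more likely cause is that the `build` job is a reusable-workflow call and performs its own checkout, so nothing `bootstrap` does to its runner is visible to the build; if that is confirmed, the job should be removed rather than reshaped. Whichever form stays, `contents: write` on this job is still unjustified since nothing is pushed.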
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index c580396ae9..7ea5d6c19b 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -34,5 +34,5 @@ jobs: - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2 with: name: target - sha256: "${{ inputs.target-download-sha256 }}" + sha256: "${{ needs.build.outputs.target-download-sha256 }}" path: ./ From b3142514e7d5415badd4c5dcb78a078de8c2c855 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 11:54:26 +0100 Subject: [PATCH 07/57] rb --- .../e2e.maven.push.main.default.slsa3.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 7ea5d6c19b..df971e7b1c 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -36,3 +36,18 @@ jobs: name: target sha256: "${{ needs.build.outputs.target-download-sha256 }}" path: ./ + - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + with: + go-version: "1.18" + - env: + # NOTE: We move the artifact because the verification script + # check that the subject name matches the filename. + ARTIFACT: "${{ needs.build.outputs.artifact }}" + run: | + mv "artifacts/${ARTIFACT}" . + - env: + BINARY: "${{ needs.build.outputs.artifact }}" + PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. + BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml" + BUILDER_TAG: "v2.0.0" + run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh From 412cb377acc0721abe42d70dd397dd8bde1538e1 Mon Sep 17 00:00:00 2001 
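Review bot: The verification step sets `BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml"` and `BUILDER_TAG: "v2.0.0"`, which is the delegator example builder, not the Maven builder this workflow invokes; a verifier run against that ID either fails outright or, if the script only echoes it, proves nothing about the artifact under test. Use the ID the provenance will actually carry, `BUILDER_ID: "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml"`, and drop the `v2.0.0` tag since the builder runs from `main`. The preceding step's `mv "artifacts/${ARTIFACT}" .` also looks wrong for this job: the `target` folder was downloaded to `./`, so there is no `artifacts/` directory unless the builder creates one.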
From: AdamKorcz Date: Thu, 3 Aug 2023 12:01:24 +0100 Subject: [PATCH 08/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index df971e7b1c..fc3f5396a7 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -43,11 +43,11 @@ jobs: # NOTE: We move the artifact because the verification script # check that the subject name matches the filename. ARTIFACT: "${{ needs.build.outputs.artifact }}" - run: | - mv "artifacts/${ARTIFACT}" . + #run: | + # mv "artifacts/${ARTIFACT}" . - env: BINARY: "${{ needs.build.outputs.artifact }}" - PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder. + PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml" BUILDER_TAG: "v2.0.0" run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh From bf23b745a73511a796bc5b962b799e077d440330 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 12:03:53 +0100 Subject: [PATCH 09/57] rb --- .../workflows/e2e.maven.push.main.default.slsa3.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index fc3f5396a7..5b44a58109 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml 
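Review bot: Commenting out `run:` leaves a step that has `env:` but neither `run` nor `uses`, which the Actions parser rejects, so the workflow will not start; delete the step or restore a `run:` body rather than half-disabling it. The new `PROVENANCE` value hard-codes `test-java-project-0.1.19.jar.build.slsa`, coupling the workflow to the version in `pom.xml`; if the builder exposes the artifact name (the previous line used `needs.build.outputs.artifact`), derive the provenance filename from that output so a version bump in the fixture cannot silently break verification.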
@@ -39,12 +39,12 @@ jobs: - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" - - env: - # NOTE: We move the artifact because the verification script - # check that the subject name matches the filename. - ARTIFACT: "${{ needs.build.outputs.artifact }}" - #run: | - # mv "artifacts/${ARTIFACT}" . +# - env: +# # NOTE: We move the artifact because the verification script +# # check that the subject name matches the filename. +# ARTIFACT: "${{ needs.build.outputs.artifact }}" +# run: | +# mv "artifacts/${ARTIFACT}" . - env: BINARY: "${{ needs.build.outputs.artifact }}" PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" From 6ad6e2f148fa9584a87dc8e164e1819c16b2200c Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 12:30:52 +0100 Subject: [PATCH 10/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 5b44a58109..eac945a8bb 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -6,6 +6,9 @@ on: permissions: read-all +env: + GH_TOKEN: ${{ github.token }} + jobs: bootstrap: runs-on: ubuntu-latest From 7c0796520729780924962d72089d4c45d33caa98 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 12:58:08 +0100 Subject: [PATCH 11/57] rb --- .github/workflows/scripts/e2e-verify.common.sh | 5 +++++ .github/workflows/scripts/e2e.delegator.default.verify.sh | 3 +++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index 22e0354b54..65fe96aa1e 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh 
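Review bot: Setting `GH_TOKEN: ${{ github.token }}` in the workflow-level `env:` makes the token an environment variable for every step of every job, including the `bootstrap` shell step and any third-party action, which is broader than least privilege needs. Only the verification script presumably calls `gh`, so move the `env:` onto that single `run:` step (next to `BINARY`/`PROVENANCE`). If a job needs it across several steps, a job-level `env:` is still tighter than the workflow level.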
@@ -340,6 +340,11 @@ verify_provenance_authenticity() { if [[ "$tag" == "HEAD" ]] || version_ge "$tag" "v1.3"; then echo " **** Default parameters (annotated tags) *****" + echo "1: ${artifactAndbuilderMinArgs[@]}" + echo "2: ${provenanceArg[@]}" + echo "3: ${packageArg[@]}" + echo "4: ${sourceArg[@]}" + echo "5: github.com/$GITHUB_REPOSITORY" $verifierCmd "${artifactAndbuilderMinArgs[@]}" "${provenanceArg[@]}" "${packageArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "not main default parameters (annotated_tags)" elif [[ -z "$annotated_tags" ]]; then diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh index e88ff0ea61..d156f7ea21 100755 --- a/.github/workflows/scripts/e2e.delegator.default.verify.sh +++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh @@ -39,6 +39,9 @@ echo "DEBUG: file is $THIS_FILE" export SLSA_VERIFIER_TESTING="true" +echo "finding..................." +find . -name *.build.slsa + # Verify provenance authenticity. # TODO(233): Update to v1.8.0 tag. e2e_run_verifier_all_releases "HEAD" From d663cb2f14ae27151f4766dfe7fa8a138f8e4e02 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 13:14:16 +0100 Subject: [PATCH 12/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +- .github/workflows/scripts/e2e.delegator.default.verify.sh | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index eac945a8bb..37274141be 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml 
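Review bot: `find . -name *.build.slsa` leaves the pattern unquoted, so the shell expands it against the current directory before `find` runs; if a matching file exists at the root the command silently searches for that one name only, and with `nullglob` it would search for nothing. Quote it, `find . -name '*.build.slsa'`, as the `"*.jar"` line added next does. The `echo "1: ${artifactAndbuilderMinArgs[@]}"` lines in the common script have the same class of problem (array expanded inside one string, SC2145) and, being debug output, should be gated on `RUNNER_DEBUG` or removed before merge rather than left in the shared helper.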
@@ -50,7 +50,7 @@ jobs: # mv "artifacts/${ARTIFACT}" . - env: BINARY: "${{ needs.build.outputs.artifact }}" - PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" + PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml" BUILDER_TAG: "v2.0.0" run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh index d156f7ea21..485d0d492d 100755 --- a/.github/workflows/scripts/e2e.delegator.default.verify.sh +++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh @@ -41,6 +41,7 @@ export SLSA_VERIFIER_TESTING="true" echo "finding..................." find . -name *.build.slsa +find . -name "*.jar" # Verify provenance authenticity. # TODO(233): Update to v1.8.0 tag. From ca4c370f0d9e51fa554bcb38fa79c6f543b1d725 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 13:24:47 +0100 Subject: [PATCH 13/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 37274141be..9db29c521a 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -49,7 +49,7 @@ jobs: # run: | # mv "artifacts/${ARTIFACT}" . - env: - BINARY: "${{ needs.build.outputs.artifact }}" + BINARY: ./target/test-java-project-0.1.19.jar PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml" BUILDER_TAG: "v2.0.0" 
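Review bot: `BINARY: ./target/test-java-project-0.1.19.jar` hard-codes the artifact name while `PROVENANCE` on the next line also embeds `0.1.19`, so the version now lives in three places (pom, BINARY, PROVENANCE) and a fixture bump will break the test in a way that looks like a provenance mismatch. If `needs.build.outputs.artifact` is the jar name, use it for both values; otherwise read the version once from `pom.xml` in the script. `BUILDER_TAG: "v2.0.0"` is still present and still does not correspond to a tag of the Maven builder being run from `main`.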
From 28e6c4b3cdc3684f473ed60ce52303f7a9f58bfe Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 13:33:45 +0100 Subject: [PATCH 14/57] rb --- .github/workflows/e2e.maven.push.main.default.slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.push.main.default.slsa3.yml index 9db29c521a..c643a496fa 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.push.main.default.slsa3.yml @@ -29,12 +29,12 @@ jobs: needs: [build] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2 + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2 with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" path: slsa-attestations - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@v1.8.0-rc.2 + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2 with: name: target sha256: "${{ needs.build.outputs.target-download-sha256 }}" From bc78a12a02f5f450080d88b3505f844eef2d63b4 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 3 Aug 2023 11:06:21 +0100 Subject: [PATCH 15/57] add verification Signed-off-by: AdamKorcz --- ....workflow_dispatch.main.default.slsa3.yml} | 13 ++----- .github/workflows/scripts/e2e-utils.sh | 2 +- .../scripts/e2e.maven.default.verify.sh | 35 +++++++++++++++++++ 3 files changed, 39 insertions(+), 11 deletions(-) rename .github/workflows/{e2e.maven.push.main.default.slsa3.yml => e2e.maven.workflow_dispatch.main.default.slsa3.yml} (75%) create mode 100755 .github/workflows/scripts/e2e.maven.default.verify.sh 
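Review bot: Both `secure-download-folder@main #v1.8.0-rc.2` lines now reference a mutable branch while the trailing comment claims a release-candidate pin, which is exactly the comment-to-ref mismatch that pin-checking tooling and reviewers rely on being truthful. Since the builder is also on `main`, tracking `main` here is consistent, but say so instead: `@main # e2e: same ref as the builder; consumers pin a release tag`. Stale version comments next to unpinned refs are worse than no comment.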
diff --git a/.github/workflows/e2e.maven.push.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml similarity index 75% rename from .github/workflows/e2e.maven.push.main.default.slsa3.yml rename to .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index c643a496fa..7db77b15ab 100644 --- a/.github/workflows/e2e.maven.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -29,12 +29,12 @@ jobs: needs: [build] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2 + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" path: slsa-attestations - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main #v1.8.0-rc.2 + - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main with: name: target sha256: "${{ needs.build.outputs.target-download-sha256 }}" 
@@ -42,15 +42,8 @@ jobs: - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" -# - env: -# # NOTE: We move the artifact because the verification script -# # check that the subject name matches the filename. -# ARTIFACT: "${{ needs.build.outputs.artifact }}" -# run: | -# mv "artifacts/${ARTIFACT}" . - env: BINARY: ./target/test-java-project-0.1.19.jar PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" - BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_example_slsa3.yml" BUILDER_TAG: "v2.0.0" - run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh + run: ./.github/workflows/scripts/e2e.maven.default.verify.sh diff --git a/.github/workflows/scripts/e2e-utils.sh b/.github/workflows/scripts/e2e-utils.sh index 12ed3097ac..6fd63a9186 100755 --- a/.github/workflows/scripts/e2e-utils.sh +++ b/.github/workflows/scripts/e2e-utils.sh @@ -433,7 +433,7 @@ _e2e_verify_query() { local expected="$2" local query="$3" name=$(echo -n "${attestation}" | jq -c -r "${query}") - e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected}" + e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected} but was ${name}" } # Returns the first 2 asset in a release. diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh new file mode 100755 index 0000000000..43a0701941 --- /dev/null +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh 
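Review bot: `BUILDER_TAG: "v2.0.0"` survives the switch to `e2e.maven.default.verify.sh` even though `BUILDER_ID` is removed and the new script (added in this commit) reads only `PROVENANCE`; it is dead configuration carrying a tag that does not belong to the Maven builder. Drop it so the step's environment is just `BINARY` and `PROVENANCE`. Removing the commented-out `mv` step is the right call; the same should happen to the `#runs-on: ubuntu-latest` line left on the `build` job earlier in this file.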
@@ -0,0 +1,35 @@ +#!/usr/bin/env bash + +# shellcheck source=/dev/null +source "./.github/workflows/scripts/e2e-verify.common.sh" + +RUNNER_DEBUG=${RUNNER_DEBUG:-} +if [[ -n "${RUNNER_DEBUG}" ]]; then + set -x +fi + +go env -w GOFLAGS=-mod=mod + +verify_provenance_content() { + e2e_verify_predicate_subject_name "${ATTESTATION}" "test-java-project-0.1.19.jar" + e2e_verify_predicate_v1_runDetails_builder_id "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" + e2e_verify_predicate_v1_buildDefinition_buildType "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" +} + +THIS_FILE=$(e2e_this_file) +BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) +echo "branch is $BRANCH" +echo "GITHUB_REF_NAME: $GITHUB_REF_NAME" +echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE" +echo "GITHUB_REF: $GITHUB_REF" +echo "DEBUG: file is $THIS_FILE" +echo "PROVENANCE is: ${PROVENANCE}" + +ATTESTATION=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) +export ATTESTATION + +export SLSA_VERIFIER_TESTING="true" + +# Verify provenance content. +echo "verify_provenance_content:" +verify_provenance_content From da28dfbbd3520059b3c904eb528d35a6959d3fa1 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:02:21 +0100 Subject: [PATCH 16/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 7db77b15ab..893de34597 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml 
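Review bot: The script decodes `.dsseEnvelope.payload` with `jq ... | base64 -d` and asserts on subject name, builder id and buildType from that payload, but nothing in the file verifies the DSSE signature, so the checks would pass equally on a forged envelope; the delegator counterpart calls `e2e_run_verifier_all_releases`, and this script exports `SLSA_VERIFIER_TESTING` without ever invoking the verifier. Either add the authenticity step from the sibling script or mark the gap explicitly, e.g. `# TODO: run slsa-verifier; content checks below are on the unverified payload`. There is also no `set -euo pipefail`, so a failing `jq` yields an empty `ATTESTATION` and each assertion then reports a confusing mismatch instead of the root cause; `go env -w GOFLAGS=-mod=mod` writes the runner's global Go config, which is fine in CI but worth a one-line comment.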
+++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -17,6 +17,7 @@ jobs: steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: mv e2e/maven/pom.xml ./ && cp -r e2e/maven/src ./ && rm -r e2e/maven/src + build: #runs-on: ubuntu-latest permissions: From 9a54dd88f97b18eef1c150e98d85f926a8ab9b8d Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:02:36 +0100 Subject: [PATCH 17/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 893de34597..7c77e57538 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -1,4 +1,3 @@ -name: Maven e2e test - simple on: schedule: - cron: "0 6 * * *" From a9fd88765d576233d204b05192ee4374a349d79c Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:02:44 +0100 Subject: [PATCH 18/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 7c77e57538..700059a162 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml 
+++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -24,6 +24,7 @@ jobs: contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main + verify: runs-on: ubuntu-latest needs: [build] From f729db4e0ad0ae1b4d311579d7ab844b6466448d Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Fri, 4 Aug 2023 11:25:35 +0100 Subject: [PATCH 19/57] cleanup Signed-off-by: AdamKorcz --- .../workflows/scripts/e2e-verify.common.sh | 5 - .../scripts/e2e.delegator.default.verify.sh | 4 - .../scripts/e2e.maven.default.verify.sh | 20 +-- pom.xml | 163 ------------------ src/main/java/hello/Greeter.java | 7 - src/main/java/hello/HelloWorld.java | 8 - 6 files changed, 10 insertions(+), 197 deletions(-) delete mode 100644 pom.xml delete mode 100644 src/main/java/hello/Greeter.java delete mode 100644 src/main/java/hello/HelloWorld.java diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index 65fe96aa1e..22e0354b54 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh @@ -340,11 +340,6 @@ verify_provenance_authenticity() { if [[ "$tag" == "HEAD" ]] || version_ge "$tag" "v1.3"; then echo " **** Default parameters (annotated tags) *****" - echo "1: ${artifactAndbuilderMinArgs[@]}" - echo "2: ${provenanceArg[@]}" - echo "3: ${packageArg[@]}" - echo "4: ${sourceArg[@]}" - echo "5: github.com/$GITHUB_REPOSITORY" $verifierCmd "${artifactAndbuilderMinArgs[@]}" "${provenanceArg[@]}" "${packageArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "not main default parameters (annotated_tags)" elif [[ -z "$annotated_tags" ]]; then diff --git a/.github/workflows/scripts/e2e.delegator.default.verify.sh b/.github/workflows/scripts/e2e.delegator.default.verify.sh index 485d0d492d..e88ff0ea61 100755 
--- a/.github/workflows/scripts/e2e.delegator.default.verify.sh +++ b/.github/workflows/scripts/e2e.delegator.default.verify.sh @@ -39,10 +39,6 @@ echo "DEBUG: file is $THIS_FILE" export SLSA_VERIFIER_TESTING="true" -echo "finding..................." -find . -name *.build.slsa -find . -name "*.jar" - # Verify provenance authenticity. # TODO(233): Update to v1.8.0 tag. e2e_run_verifier_all_releases "HEAD" diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 43a0701941..58e898f402 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh 
@@ -11,23 +11,23 @@ fi go env -w GOFLAGS=-mod=mod verify_provenance_content() { - e2e_verify_predicate_subject_name "${ATTESTATION}" "test-java-project-0.1.19.jar" - e2e_verify_predicate_v1_runDetails_builder_id "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" - e2e_verify_predicate_v1_buildDefinition_buildType "${ATTESTATION}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" + local attestation + attestation=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) + + e2e_verify_predicate_subject_name "${attestation}" "test-java-project-0.1.19.jar" + e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" + e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" } -THIS_FILE=$(e2e_this_file) -BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) -echo "branch is $BRANCH" +this_file=$(e2e_this_file) +branch=$(echo "$this_file" | cut -d '.' -f4) +echo "branch is $branch" echo "GITHUB_REF_NAME: $GITHUB_REF_NAME" echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE" echo "GITHUB_REF: $GITHUB_REF" -echo "DEBUG: file is $THIS_FILE" +echo "DEBUG: file is $this_file" echo "PROVENANCE is: ${PROVENANCE}" -ATTESTATION=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) -export ATTESTATION - export SLSA_VERIFIER_TESTING="true" # Verify provenance content. diff --git a/pom.xml b/pom.xml deleted file mode 100644 index 1a25343adb..0000000000 --- a/pom.xml +++ /dev/null 
@@ -1,163 +0,0 @@ - - - 4.0.0 - io.github.adamkorcz - test-java-project - 0.1.19 - jar - Adams test java project - A test java project. - https://github.com/AdamKorcz/test-java-project - - 1.8 - 1.8 - - - - ossrh - https://s01.oss.sonatype.org/content/repositories/snapshots - - - ossrh - https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/ - - - - - MIT License - http://www.opensource.org/licenses/mit-license.php - - - - - Adam K - Adam@adalogics.com - Ada Logics - http://www.adalogics.com - - - - scm:git:git://github.com/adamkorcz/test-java-project.git - scm:git:ssh://github.com:simpligility/test-java-project.git - http://github.com/adamkorcz/test-java-project/tree/main - - - - - org.apache.maven.plugins - maven-source-plugin - 2.2.1 - - - attach-sources - package - - jar-no-fork - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - 2.9.1 - - ${java.home}/bin/javadoc - - - - attach-javadocs - - jar - - - - - - org.apache.maven.plugins - maven-shade-plugin - 3.2.4 - - - package - - shade - - - - - hello.HelloWorld - - - - - - - - org.sonatype.plugins - nexus-staging-maven-plugin - 1.6.7 - true - - ossrh - https://s01.oss.sonatype.org/ - false - - - - org.apache.maven.plugins - maven-gpg-plugin - 3.1.0 - - - sign-artifacts - verify - - sign - - - - - - --pinentry-mode - loopback - - - - - org.apache.maven.plugins - maven-deploy-plugin - 3.1.1 - - - deploy-file - deploy - - deploy-file - - - textfile.txt - https://s01.oss.sonatype.org/ - io.github.adamkorcz - - - - - - io.github.slsa-framework.slsa-github-generator - hash-maven-plugin - 0.0.1 - - - - hash-jarfile - - - - - ${SLSA_OUTPUTS_ARTIFACTS_FILE} - - - - - diff --git a/src/main/java/hello/Greeter.java b/src/main/java/hello/Greeter.java deleted file mode 100644 index f92a442354..0000000000 --- a/src/main/java/hello/Greeter.java +++ /dev/null @@ -1,7 +0,0 @@ -package hello; - -public class Greeter { - public String sayHello() { - return "Hello world!"; - } -} 
diff --git a/src/main/java/hello/HelloWorld.java b/src/main/java/hello/HelloWorld.java deleted file mode 100644 index 1626b45cbd..0000000000 --- a/src/main/java/hello/HelloWorld.java +++ /dev/null @@ -1,8 +0,0 @@ -package hello; - -public class HelloWorld { - public static void main(String[] args) { - Greeter greeter = new Greeter(); - System.out.println(greeter.sayHello()); - } -} From 5e6d548aff52dff38515ee9b37bc44eec96ddbae Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:31:30 +0100 Subject: [PATCH 20/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 58e898f402..72eaac1c2e 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -3,6 +3,10 @@ # shellcheck source=/dev/null source "./.github/workflows/scripts/e2e-verify.common.sh" +# Input variables +PROVENANCE=${PROVENANCE:-} +GITHUB_REF_NAME=${GITHUB_REF_NAME:-} +GITHUB_REF=${GITHUB_REF:-} RUNNER_DEBUG=${RUNNER_DEBUG:-} if [[ -n "${RUNNER_DEBUG}" ]]; then set -x From 5ff3ad08614cb1eb41b8ca1a015d859016ea4a40 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 15:29:46 +0100 Subject: [PATCH 21/57] Update e2e.maven.default.verify.sh Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 72eaac1c2e..3be4e8e967 100755 
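Review bot: The new `PROVENANCE=${PROVENANCE:-}` default turns an unset input into an empty string, so a misconfigured caller is only caught later when `jq -r '.dsseEnvelope.payload' "${PROVENANCE}"` fails to open an empty path, not at the input block that is meant to document the script's contract. A fail-fast guard right after the block, `[[ -n "${PROVENANCE}" ]] || { echo "PROVENANCE must be set"; exit 1; }`, gives the failure a clear message. The same applies to the `ARTIFACT_VERSION` and `EXPECTED_ARTIFACT_OUTPUT` defaults added to this block in the later `@@ -5,6 +5,8 @@` hunk, where an empty version produces the jar path `target/test-java-project-.jar` before anything complains.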
--- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -18,7 +18,7 @@ verify_provenance_content() { local attestation attestation=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) - e2e_verify_predicate_subject_name "${attestation}" "test-java-project-0.1.19.jar" + e2e_verify_predicate_subject_name "${attestation}" "${BINARY}" e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" } From 4a380dc2ca18006cd30793442ed77af1c59c909a Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 15:30:12 +0100 Subject: [PATCH 22/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 700059a162..5bba56cbfb 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -44,7 +44,7 @@ jobs: with: go-version: "1.18" - env: - BINARY: ./target/test-java-project-0.1.19.jar + BINARY: "test-java-project-0.1.19.jar" PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" BUILDER_TAG: "v2.0.0" run: ./.github/workflows/scripts/e2e.maven.default.verify.sh From ca17076b64e456a964dd73cd27bd0fd5398093b7 Mon Sep 17 00:00:00 2001 
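Review bot: `"${BINARY}"` is read from the environment here but is not added to the `# Input variables` block that the previous commit introduced at the top of this file (`PROVENANCE=${PROVENANCE:-}` and friends), so the documented inputs and the variables the script actually consumes are out of sync. Adding `BINARY=${BINARY:-}` to that block keeps the convention and, if the file enables `set -u`, avoids an unbound-variable abort in place of an assertion message. `verify_provenance_content` continues outside the hunk.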
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Fri, 4 Aug 2023 11:31:30 +0100 Subject: [PATCH 23/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- ....maven.workflow_dispatch.main.default.slsa3.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 5bba56cbfb..dc12fc7f07 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -1,8 +1,10 @@ +name: Maven e2e test - simple on: - schedule: - - cron: "0 6 * * *" - workflow_dispatch: - + - workflow_dispatch +# schedule: +# - cron: "0 6 * * *" +# workflow_dispatch: +# permissions: read-all env: @@ -23,7 +25,9 @@ jobs: id-token: write # For signing. contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main + uses: AdamKorcz/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@maven-builder-test-updates + with: + directory: ./e2e/maven verify: runs-on: ubuntu-latest From 0fea0b2edf5652eb64ceb06e90c65bd70b923ba0 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Fri, 4 Aug 2023 15:22:01 +0100 Subject: [PATCH 24/57] specify root directory for builder Signed-off-by: AdamKorcz --- ...n.workflow_dispatch.main.default.slsa3.yml | 25 ++++- .github/workflows/scripts/e2e-maven-push.sh | 101 ++++++++++++++++++ .../scripts/e2e.maven.default.verify.sh | 3 +- e2e/maven/pom.xml | 2 +- 4 files changed, 123 insertions(+), 8 deletions(-) create mode 100755 .github/workflows/scripts/e2e-maven-push.sh 
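Review bot: `uses: AdamKorcz/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@maven-builder-test-updates` points the `build` job, which carries `id-token: write`, at a personal fork on a mutable branch, so the OIDC token is handed to whatever that branch contains at run time and the test no longer exercises the upstream builder. This is presumably a temporary setting while the `directory` input is developed; before merge it should return to the `slsa-framework/slsa-github-generator/...` reference with the ref under test, and a `# TODO: revert to upstream before merge` on the line would make the intent explicit. The `on:` block in the first hunk of this file declares `workflow_dispatch` as a bare list entry with no `inputs:`, which matters for any later expression that reads `inputs.*`. The rest of the job list lies outside the hunk.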
diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index dc12fc7f07..5dfc31f867 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -1,6 +1,7 @@ -name: Maven e2e test - simple +name: Maven e2e test - simple # TODO: Remove name on: - workflow_dispatch +# TODO: Un-comment this # schedule: # - cron: "0 6 * * *" # workflow_dispatch: @@ -13,11 +14,25 @@ env: jobs: bootstrap: runs-on: ubuntu-latest + if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' permissions: contents: write + outputs: + artifact-version: ${{ steps.maven-push.outputs.artifact-version }} steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - run: mv e2e/maven/pom.xml ./ && cp -r e2e/maven/src ./ && rm -r e2e/maven/src + - env: + PACKAGE_DIR: ./e2e/maven + id: maven-push + run: ./.github/workflows/scripts/e2e-maven-push.sh + + if-bootstrap-failed: + runs-on: ubuntu-latest + needs: [bootstrap] + if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - run: ./.github/workflows/scripts/e2e-report-failure.sh build: #runs-on: ubuntu-latest @@ -31,7 +46,7 @@ jobs: verify: runs-on: ubuntu-latest - needs: [build] + needs: [build, bootstrap] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main 
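Review bot: The `bootstrap` job's condition `if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'` does not exclude the run that e2e-maven-push.sh itself dispatches with `"trigger_build": true`, so each bootstrap pushes a new version and re-dispatches the workflow, which bootstraps again — a self-sustaining loop of commits and runs. The later `@@ -29,10 +29,24 @@` hunk adds `!inputs.trigger_build` to `if-bootstrap-failed` but leaves this job's `if:` untouched; it needs the same guard, `if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)`, unless a change outside the visible hunks already does this. Whether `build` declares `needs: [shim]` as the shim comment requires is also outside the hunk.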
@@ -48,7 +63,7 @@ jobs: with: go-version: "1.18" - env: - BINARY: "test-java-project-0.1.19.jar" - PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-0.1.19.jar.build.slsa" + ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version}} + PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-${{ needs.bootstrap.outputs.artifact-version}}.jar.build.slsa" BUILDER_TAG: "v2.0.0" run: ./.github/workflows/scripts/e2e.maven.default.verify.sh diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh new file mode 100755 index 0000000000..cdbc3e6f0a --- /dev/null +++ b/.github/workflows/scripts/e2e-maven-push.sh 
@@ -0,0 +1,101 @@ +#!/usr/bin/env bash +set -euo pipefail + +# shellcheck source=/dev/null +source "./.github/workflows/scripts/e2e-utils.sh" + +# This script bumps the maven package's version number, commits it, and pushes to +# the repository. + +branch=$(e2e_this_branch) + +echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" +gh repo clone "${GITHUB_REPOSITORY}" -- -b maven-e2e-temp2 +repo_name=$(echo "$GITHUB_REPOSITORY" | cut -d '/' -f2) +cd ./"$repo_name" + +git config --global user.name github-actions +git config --global user.email github-actions@github.com + +# Set the remote url to authenticate using the token. +git remote set-url origin "https://github-actions:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" + +package_dir="${PACKAGE_DIR}" # specified in the e2e test yaml + +cd "${package_dir}" +current_tag=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) +if [ "${current_tag}" = "1.19.6-SNAPSHOT" ]; then + next_tag="1.19.7-SNAPSHOT" +else + next_tag="1.19.6-SNAPSHOT" +fi + +# Output the artifact name +echo "artifact-version=${current_tag}" >> $GITHUB_OUTPUT + +tag=$(mvn versions:set -DnewVersion=$next_tag) +cd - + +# Commit the new version. +git commit -m "${GITHUB_WORKFLOW}" "${package_dir}/pom.xml" "${package_dir}/pom.xml" + +# If this is an e2e test for a tag, then tag the commit and push it. +this_event=$(e2e_this_event) +echo "this_event: ${this_event}" +if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then + git tag "${tag}" +fi + +git remote -v +git branch +pwd +if [ "${branch}" != "main" ]; then + # Reset branch1 and push the new version. 
+ # git branch -D "$branch" + git checkout -b "$branch" + if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then + git push --set-upstream origin "${branch}" "${tag}" -f + else + git push --set-upstream origin "$branch" -f + fi + git checkout main + + # Update a dummy file to avoid https://github.com/slsa-framework/example-package/issues/44 + date >./e2e/dummy + git add ./e2e/dummy + git commit -m "sync'ing branch1 - $(cat ./e2e/dummy)" + git push origin main +else + if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then + # TODO(#213): push tag separately until bug is fixed. + # NOTE: If there is a concurrent update to main we want it to fail here + # without pushing the tag because we will lose the changes to main. + git push origin main + git push origin "${tag}" + else + git push origin maven-e2e-temp2 # TODO: CHANGE to main!!!!!!!!!! + fi +fi + +# If this is a test for a release event, create the release. +if [ "${this_event}" == "release" ]; then + this_file=$(e2e_this_file) + data_file=$(mktemp) + cat <"${data_file}" +**E2E release creation**: +Tag: ${tag} +Branch: ${branch} +Commit: ${GITHUB_SHA} +Caller file: ${this_file} +EOF + + gh release create "${tag}" --notes-file "${data_file}" --target "${branch}" +fi + +if [ "${this_event}" == "workflow_dispatch" ]; then + this_file=$(e2e_this_file) + curl -s -X POST -H "Accept: application/vnd.github.v3+json" \ + "https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows/${this_file}/dispatches" \ + -d "{\"ref\":\"${branch}\",\"inputs\":{\"trigger_build\": true}}" \ + -H "Authorization: token ${GH_TOKEN}" +fi diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 3be4e8e967..6b556d7862 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh 
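Review bot: `tag=$(mvn versions:set -DnewVersion=$next_tag)` stores Maven's console output, not a version string, so on tag/create/release events `git tag "${tag}"`, `git push origin "${tag}"` and `gh release create "${tag}"` receive multi-line log text; the same line survives in the later `@@ -23,15 +23,62 @@` hunk of this file. Run the plugin for its side effect and set the variable explicitly, `mvn versions:set -DnewVersion="${next_tag}" -q` followed by `tag="${next_tag}"` (or whatever tag form the harness expects). Separately, `git remote -v` prints the origin URL that `git remote set-url` just loaded with `${GH_TOKEN}`; log masking of `github.token` is best-effort, so the `git remote -v`, `git branch` and `pwd` debug lines should go. The closing `curl -s -X POST ...` has no `--fail`, so an API rejection of the dispatch leaves the bootstrap job green while nothing was triggered; `curl -sS --fail ...` surfaces it.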
@@ -18,7 +18,7 @@ verify_provenance_content() { local attestation attestation=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) - e2e_verify_predicate_subject_name "${attestation}" "${BINARY}" + e2e_verify_predicate_subject_name "${attestation}" "test-java-project-${ARTIFACT_VERSION}.jar" e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" } @@ -35,5 +35,4 @@ echo "PROVENANCE is: ${PROVENANCE}" export SLSA_VERIFIER_TESTING="true" # Verify provenance content. -echo "verify_provenance_content:" verify_provenance_content diff --git a/e2e/maven/pom.xml b/e2e/maven/pom.xml index 1a25343adb..81f45246cb 100644 --- a/e2e/maven/pom.xml +++ b/e2e/maven/pom.xml @@ -3,7 +3,7 @@ 4.0.0 io.github.adamkorcz test-java-project - 0.1.19 + 1.19.7-SNAPSHOT jar Adams test java project A test java project. From 0de588f54948a5c0432b55db9b42b738fdc6fb85 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 7 Aug 2023 11:45:28 +0100 Subject: [PATCH 25/57] Multiple updates Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- ...n.workflow_dispatch.main.default.slsa3.yml | 32 ++++++++- .github/workflows/scripts/e2e-maven-push.sh | 65 ++++++++++++++++--- .../scripts/e2e.maven.default.verify.sh | 6 ++ e2e/maven/pom.xml | 2 +- 4 files changed, 94 insertions(+), 11 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 5dfc31f867..0839f3372b 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml 
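Review bot: `verify_provenance_content` on the last line is the only verification this script performs, and it inspects fields of the base64-decoded `.dsseEnvelope.payload` without the envelope's signature ever being checked; across this series' hunks the file is visible from the `source` line to this final line and nothing in it invokes slsa-verifier, although `go env -w GOFLAGS=-mod=mod` and the exported `SLSA_VERIFIER_TESTING` suggest that was intended. As written the e2e test passes on a provenance whose payload was edited by hand. Presumably `e2e_run_verifier_all_releases` from e2e-verify.common.sh, as e2e.delegator.default.verify.sh uses it, is the intended call; if verifier support for the Maven builder is not released yet, a `# TODO: run slsa-verifier once it supports the Maven builder` above the call stops the gap from being mistaken for coverage. The same observation applies to the `@@ -35,5 +35,4 @@` hunk, which only drops a debug echo.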
@@ -29,10 +29,24 @@ jobs: if-bootstrap-failed: runs-on: ubuntu-latest needs: [bootstrap] - if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success' + if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success' steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh + + # Main workflow + ################################################################################ + # Shim determines if the rest of the workflow should run. + # NOTE: it should only use the `if` to determine this and all downstream jobs + # should depend on this job. + shim: + # NOTE: this must be kept in sync with the if-failed job. + if: github.event_name == 'workflow_dispatch' && inputs.trigger_build + runs-on: ubuntu-latest + steps: + - run: | + echo "event: ${GITHUB_EVENT_NAME}" + echo "ref: ${GITHUB_REF}" build: #runs-on: ubuntu-latest 
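Review bot: `inputs.trigger_build`, used in the new `shim` job and in the rewritten `if-bootstrap-failed` condition, has no declaration: the `on:` block shown earlier in this series is the bare list `- workflow_dispatch` with no `inputs:`, so the expression is empty, `shim` never runs, and the API dispatch from e2e-maven-push.sh that sends `"trigger_build": true` is likely to be rejected for an unexpected input. Unless a hunk outside this view adds it, `on:` needs `workflow_dispatch:` with `inputs:` containing `trigger_build:` of `type: boolean` and `default: false`. The comment says all downstream jobs must depend on `shim`, but `build`'s `needs` is outside the hunk so I cannot confirm it does.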
@@ -66,4 +80,20 @@ jobs: ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version}} PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-${{ needs.bootstrap.outputs.artifact-version}}.jar.build.slsa" BUILDER_TAG: "v2.0.0" + EXPECTED_ARTIFACT_OUTPUT: "Hello world!" run: ./.github/workflows/scripts/e2e.maven.default.verify.sh + if-succeeded: + runs-on: ubuntu-latest + needs: [build, verify] + if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - run: ./.github/workflows/scripts/e2e-report-success.sh + + if-failed: + runs-on: ubuntu-latest + needs: [build, verify] + if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index cdbc3e6f0a..95a2e4c037 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -10,7 +10,7 @@ source "./.github/workflows/scripts/e2e-utils.sh" branch=$(e2e_this_branch) echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" -gh repo clone "${GITHUB_REPOSITORY}" -- -b maven-e2e-temp2 +gh repo clone "${GITHUB_REPOSITORY}" -- -b maven-e2e-temp repo_name=$(echo "$GITHUB_REPOSITORY" | cut -d '/' -f2) cd ./"$repo_name" 
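Review bot: `if-succeeded` tests `needs.publish.result == 'success'` although its `needs: [build, verify]` lists no `publish` job, so the clause never evaluates true and a successful run is never reported; the condition should read `if: needs.build.result == 'success' && needs.verify.result == 'success'`. `if-failed` has the same stray clause, which the later `@@ -93,7 +93,7 @@` hunk removes, but `if-succeeded` is left as is in this series. The jobs above `if-succeeded` lie outside the hunk.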
@@ -23,15 +23,62 @@ git remote set-url origin "https://github-actions:${GH_TOKEN}@github.com/${GITHU package_dir="${PACKAGE_DIR}" # specified in the e2e test yaml cd "${package_dir}" -current_tag=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) -if [ "${current_tag}" = "1.19.6-SNAPSHOT" ]; then - next_tag="1.19.7-SNAPSHOT" -else - next_tag="1.19.6-SNAPSHOT" -fi + +# Get the new version +artifact_tag=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) + +# version_major prints the major version number. +# Expects a string like '1.19.7' +# version_major returns "1" if the input is '1.19.7' +version_major() { + VER=$(echo $1 | cut -d '.' -f1) + echo "$VER" +} + +# version_minor prints the minor version number. +# Expects a string like '1.19.7'. +# version_minor returns "19" if the input is '1.19.7' +version_minor() { + VER=$(echo $1 | cut -d '.' -f2) + echo "$VER" +} + +# version_patch prints the patch version number. +# Expects a string like '1.19.7-SNAPSHOT.jar' +# version_patch returns "7" if the input is '1.19.7' +version_patch() { + VER=$(echo $1 | cut -d '.' 
-f3) + echo "$VER" +} + +# Bumps the version +new_version() { + current_tag=$1 + release_major=$(version_major "$current_tag") + release_minor=$(version_minor "$current_tag") + release_patch=$(version_patch "$current_tag") + + # These if-statements are sorted by likelihood + if [[ $release_patch != "99" ]]; then + # Only need to bump the patch + release_patch=$((release_patch+1)) + elif [[ $release_patch = "99" && $release_minor != "99" ]]; then + # Need to bump minor + release_minor=$(($release_minor+1)) + release_patch="0" + elif [[ $release_patch = "99" && $release_minor = "99" ]]; then + # Need to bump major + release_major=$(($release_major+1)) + release_minor="0" + release_patch="0" + fi + echo $release_major.$release_minor.$release_patch +} + +next_tag=$(new_version $artifact_tag) # Output the artifact name -echo "artifact-version=${current_tag}" >> $GITHUB_OUTPUT +echo "artifact-version=${artifact_tag}" >> $GITHUB_OUTPUT tag=$(mvn versions:set -DnewVersion=$next_tag) cd - @@ -73,7 +120,7 @@ else git push origin main git push origin "${tag}" else - git push origin maven-e2e-temp2 # TODO: CHANGE to main!!!!!!!!!! + git push origin maven-e2e-temp # TODO: CHANGE to main!!!!!!!!!! fi fi diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 6b556d7862..987dcd43c5 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh 
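Review bot: `version_patch` uses `cut -d '.' -f3`, which on a qualified version such as `1.19.7-SNAPSHOT` returns `7-SNAPSHOT`, and `$((release_patch+1))` then either aborts on an unbound name or silently treats `SNAPSHOT` as zero; the comment on the function ("Expects a string like '1.19.7-SNAPSHOT.jar'") contradicts its siblings and the behaviour. Strip the qualifier before splitting, `local ver; ver=${1%%-*}`, or validate with `[[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]` and fail otherwise. The helpers also write an uppercase global `VER` and expand `$1` unquoted; `local` variables in `new_version` and the three helpers would keep them from leaking into the script's scope.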
@@ -18,6 +18,12 @@ verify_provenance_content() { local attestation attestation=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) + # Run the artifact and verify the output is correct + artifact_output=$(java -jar target/test-java-project-"${ARTIFACT_VERSION}".jar) + expected_artifact_output="${EXPECTED_ARTIFACT_OUTPUT}" + e2e_assert_eq "${artifact_output}" "${expected_artifact_output}" "The output from the artifact should be '${expected_artifact_output}' but was '${artifact_output}'" + + # Verify the content of the attestation e2e_verify_predicate_subject_name "${attestation}" "test-java-project-${ARTIFACT_VERSION}.jar" e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" diff --git a/e2e/maven/pom.xml b/e2e/maven/pom.xml index 81f45246cb..689987492b 100644 --- a/e2e/maven/pom.xml +++ b/e2e/maven/pom.xml @@ -3,7 +3,7 @@ 4.0.0 io.github.adamkorcz test-java-project - 1.19.7-SNAPSHOT + 1.19.8 jar Adams test java project A test java project. From 385ae38135bbab68c53727f6fdce937f9f65afe1 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 7 Aug 2023 15:25:27 +0100 Subject: [PATCH 26/57] Update e2e-maven-push.sh Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 95a2e4c037..2ea156e6da 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh 
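Review bot: The new block executes the downloaded jar, `java -jar target/test-java-project-"${ARTIFACT_VERSION}".jar`, before any of the attestation checks that follow it, which inverts the order a verification script should follow; moving it below the `e2e_verify_predicate_*` calls keeps the artifact unexecuted until its provenance has been inspected. If the file runs under `set -e`, a non-zero exit from `java` aborts inside the `$(...)` before `e2e_assert_eq` can print its message, so an explicit `|| e2e_assert_eq ...` style failure path is worth considering. `expected_artifact_output="${EXPECTED_ARTIFACT_OUTPUT}"` is a bare alias and can be inlined.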
@@ -9,6 +9,10 @@ source "./.github/workflows/scripts/e2e-utils.sh" branch=$(e2e_this_branch) +# NOTE: We can't simply push from $branch because it is occaisonally reset to +# the main branch. We need to maintain the version number in pom.xml +# because you cannot overwrite a version in maven. Instead we commit to main, +# set the tag, reset $branch and push both main and $branch. echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" gh repo clone "${GITHUB_REPOSITORY}" -- -b maven-e2e-temp repo_name=$(echo "$GITHUB_REPOSITORY" | cut -d '/' -f2) From f14a028117f50bbfe3fc035d97966ec36ea67da2 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 7 Aug 2023 15:25:43 +0100 Subject: [PATCH 27/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 0839f3372b..06b5502b4f 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -49,7 +49,6 @@ jobs: echo "ref: ${GITHUB_REF}" build: - #runs-on: ubuntu-latest permissions: id-token: write # For signing. contents: read # For repo checkout of private repos. From b75b3363a4efd8585f7a54c33aba6e8910c749c6 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:33:46 +0100 Subject: [PATCH 28/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 2 ++ 1 file changed, 2 insertions(+) 
diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 987dcd43c5..6e9ce6e8bd 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -5,6 +5,8 @@ source "./.github/workflows/scripts/e2e-verify.common.sh" # Input variables PROVENANCE=${PROVENANCE:-} +ARTIFACT_VERSION=${ARTIFACT_VERSION:-} +EXPECTED_ARTIFACT_OUTPUT=${EXPECTED_ARTIFACT_OUTPUT:-} GITHUB_REF_NAME=${GITHUB_REF_NAME:-} GITHUB_REF=${GITHUB_REF:-} RUNNER_DEBUG=${RUNNER_DEBUG:-} From 9797cc69037a5daa9afc8d2a5c42b514aa105514 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:34:02 +0100 Subject: [PATCH 29/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 06b5502b4f..b25374af90 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -72,6 +72,7 @@ jobs: name: target sha256: "${{ needs.build.outputs.target-download-sha256 }}" path: ./ + # NOTE: To build slsa-verifier in e2e.maven.default.verify.sh - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" From d5e10fd1fd04063804ff9f9b7155671c2adddeb1 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:34:31 +0100 Subject: [PATCH 30/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis 
Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index b25374af90..b31ecc1e13 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -93,7 +93,7 @@ jobs: if-failed: runs-on: ubuntu-latest needs: [build, verify] - if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.publish.result != 'success' || needs.verify.result != 'success') + if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success') steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh From d63df3ebd361f9450cfb2c4e5138c12b19b30145 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:36:18 +0100 Subject: [PATCH 31/57] Update .github/workflows/scripts/e2e-maven-push.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 2ea156e6da..37d8e3d2a6 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh 
@@ -103,7 +103,7 @@ pwd if [ "${branch}" != "main" ]; then # Reset branch1 and push the new version. # git branch -D "$branch" - git checkout -b "$branch" + git checkout -b "${branch}" if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then git push --set-upstream origin "${branch}" "${tag}" -f else From 4d8122fd06cc36cde02b3fc0cb1a7758a045e24c Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:36:27 +0100 Subject: [PATCH 32/57] Update .github/workflows/scripts/e2e-maven-push.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 37d8e3d2a6..1a82ab8af0 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -107,7 +107,7 @@ if [ "${branch}" != "main" ]; then if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then git push --set-upstream origin "${branch}" "${tag}" -f else - git push --set-upstream origin "$branch" -f + git push --set-upstream origin "${branch}" -f fi git checkout main From 19b59ba5fd54e7c1ee6d01f4e9f4a932793355f6 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Tue, 8 Aug 2023 21:37:56 +0100 Subject: [PATCH 33/57] Update .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index b31ecc1e13..00f6910e15 100644 
--- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -8,6 +8,8 @@ on: # permissions: read-all +concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" + env: GH_TOKEN: ${{ github.token }} From 1760c9ab1bea6a5b2e5fc3142cf3a2b1ded8f94d Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 8 Aug 2023 22:19:50 +0100 Subject: [PATCH 34/57] move maven test files to dedicated workflow_dispatch folder Signed-off-by: AdamKorcz --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 4 ++-- e2e/maven/{ => workflow_dispatch}/pom.xml | 0 .../{ => workflow_dispatch}/src/main/java/hello/Greeter.java | 0 .../src/main/java/hello/HelloWorld.java | 0 4 files changed, 2 insertions(+), 2 deletions(-) rename e2e/maven/{ => workflow_dispatch}/pom.xml (100%) rename e2e/maven/{ => workflow_dispatch}/src/main/java/hello/Greeter.java (100%) rename e2e/maven/{ => workflow_dispatch}/src/main/java/hello/HelloWorld.java (100%) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 00f6910e15..3391d18175 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - env: - PACKAGE_DIR: ./e2e/maven + PACKAGE_DIR: ./e2e/maven/workflow_dispatch id: maven-push run: ./.github/workflows/scripts/e2e-maven-push.sh @@ -57,7 +57,7 @@ jobs: actions: read # For getting workflow run on private repos. uses: AdamKorcz/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@maven-builder-test-updates with: - directory: ./e2e/maven + directory: ./e2e/maven/workflow_dispatch verify: runs-on: ubuntu-latest 
diff --git a/e2e/maven/pom.xml b/e2e/maven/workflow_dispatch/pom.xml similarity index 100% rename from e2e/maven/pom.xml rename to e2e/maven/workflow_dispatch/pom.xml diff --git a/e2e/maven/src/main/java/hello/Greeter.java b/e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java similarity index 100% rename from e2e/maven/src/main/java/hello/Greeter.java rename to e2e/maven/workflow_dispatch/src/main/java/hello/Greeter.java diff --git a/e2e/maven/src/main/java/hello/HelloWorld.java b/e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java similarity index 100% rename from e2e/maven/src/main/java/hello/HelloWorld.java rename to e2e/maven/workflow_dispatch/src/main/java/hello/HelloWorld.java From b1176c7f8c1ded8ae935b10a291e59d01a36ad14 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Tue, 8 Aug 2023 22:41:01 +0100 Subject: [PATCH 35/57] prepend v to artifact version Signed-off-by: AdamKorcz --- .github/workflows/scripts/e2e-maven-push.sh | 24 --------------------- e2e/maven/workflow_dispatch/pom.xml | 2 +- 2 files changed, 1 insertion(+), 25 deletions(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 1a82ab8af0..d1d1c375c2 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh 
@@ -31,30 +31,6 @@ cd "${package_dir}" # Get the new version artifact_tag=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout) -# version_major prints the major version number. -# Expects a string like '1.19.7' -# version_major returns "1" if the input is '1.19.7' -version_major() { - VER=$(echo $1 | cut -d '.' -f1) - echo "$VER" -} - -# version_minor prints the minor version number. -# Expects a string like '1.19.7'. -# version_minor returns "19" if the input is '1.19.7' -version_minor() { - VER=$(echo $1 | cut -d '.' -f2) - echo "$VER" -} - -# version_patch prints the patch version number. -# Expects a string like '1.19.7-SNAPSHOT.jar' -# version_patch returns "7" if the input is '1.19.7' -version_patch() { - VER=$(echo $1 | cut -d '.' -f3) - echo "$VER" -} - # Bumps the version new_version() { current_tag=$1 diff --git a/e2e/maven/workflow_dispatch/pom.xml b/e2e/maven/workflow_dispatch/pom.xml index 689987492b..082b2e5244 100644 --- a/e2e/maven/workflow_dispatch/pom.xml +++ b/e2e/maven/workflow_dispatch/pom.xml @@ -3,7 +3,7 @@ 4.0.0 io.github.adamkorcz test-java-project - 1.19.8 + v1.19.8 jar Adams test java project A test java project. From d83b27cf1813806d028558a82525c923b6d29475 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Wed, 9 Aug 2023 10:29:59 +0100 Subject: [PATCH 36/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 6e9ce6e8bd..6c98388f13 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh 
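Review bot: `<version>v1.19.8</version>` is not a canonical numeric Maven version: the leading `v` is compared as a qualifier, so ordering and SNAPSHOT handling differ from `1.19.8`, and the `new_version` bump in e2e-maven-push.sh (its body lies outside this hunk) will see `v1` as the first dot-separated field if it splits on `.` the way the removed `version_major`/`version_minor`/`version_patch` helpers did. If the prefix is deliberate, a comment beside the element such as `<!-- the 'v' prefix is intentional for the e2e flow; see e2e-maven-push.sh -->` keeps the next reader from "fixing" it; otherwise keep the pom numeric and add the prefix where the tag name is formed.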
@@ -44,3 +44,5 @@ export SLSA_VERIFIER_TESTING="true" # Verify provenance content. verify_provenance_content + +e2e_run_verifier_all_releases "2.3.0" From 00ac3d2a9aceb77f2ffdbc2e893a8125fd66dc66 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 9 Aug 2023 10:34:21 +0100 Subject: [PATCH 37/57] Make build depend on shim Signed-off-by: AdamKorcz --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 3391d18175..959a31d99e 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -51,6 +51,7 @@ jobs: echo "ref: ${GITHUB_REF}" build: + needs: [shim] permissions: id-token: write # For signing. contents: read # For repo checkout of private repos. From 65b91af5f53bd46c2c64903d41ff00cc36ff3b24 Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 9 Aug 2023 10:35:38 +0100 Subject: [PATCH 38/57] use e2_go_token Signed-off-by: AdamKorcz --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 959a31d99e..b3b5582e68 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -11,7 +11,7 @@ permissions: read-all concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" env: - GH_TOKEN: ${{ github.token }} + GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} jobs: bootstrap: From b1b1b5c9c8e1c6349788a2c67cbb3a4deb37709b Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 9 Aug 2023 10:37:10 +0100 Subject: [PATCH 39/57] switch repositories to main 
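Review bot: `GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}` at workflow-level `env` places a long-lived personal token into the environment of every step of every job in this workflow, including the `verify` job that only downloads artifacts and runs the jar, whereas the ephemeral `github.token` it replaces is scoped to the run and expires with it. Only the bootstrap step that runs `e2e-maven-push.sh` (`gh repo clone`, `git push`) appears to need it, so declaring the variable in that step's `env:` instead of at the top level limits where a leak or a compromised action could read it. The same top-level placement is kept when the secret is swapped for `E2E_NODEJS_TOKEN` in PATCH 50, so the move applies there as well.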
Signed-off-by: AdamKorcz --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- .github/workflows/scripts/e2e-maven-push.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index b3b5582e68..8bf399c9f6 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -56,7 +56,7 @@ jobs: id-token: write # For signing. contents: read # For repo checkout of private repos. actions: read # For getting workflow run on private repos. - uses: AdamKorcz/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@maven-builder-test-updates + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main with: directory: ./e2e/maven/workflow_dispatch diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index d1d1c375c2..460e458364 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -100,7 +100,7 @@ else git push origin main git push origin "${tag}" else - git push origin maven-e2e-temp # TODO: CHANGE to main!!!!!!!!!! + git push origin main fi fi From 9da4a2cca23425c069752ba54b3578641af889cd Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 9 Aug 2023 10:41:22 +0100 Subject: [PATCH 40/57] Remove name of workflow Signed-off-by: AdamKorcz --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 8bf399c9f6..fb2e7aaf47 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml 
@@ -1,4 +1,3 @@ -name: Maven e2e test - simple # TODO: Remove name on: - workflow_dispatch # TODO: Un-comment this From ecabf46745f03fe74e25d86eb93297a5e64aa9ec Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Wed, 9 Aug 2023 12:01:43 +0100 Subject: [PATCH 41/57] use public actions for download attestations and target directory Signed-off-by: AdamKorcz --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index fb2e7aaf47..398cc02a08 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -64,12 +64,12 @@ jobs: needs: [build, bootstrap] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main + - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main with: name: "${{ needs.build.outputs.provenance-download-name }}" sha256: "${{ needs.build.outputs.provenance-download-sha256 }}" path: slsa-attestations - - uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main + - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-target@main with: name: target sha256: "${{ needs.build.outputs.target-download-sha256 }}" From df1c4dffd75cead824932e71a0dfe5d8f95fc0fb Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 10 Aug 2023 10:42:14 +0100 Subject: [PATCH 42/57] use main branch Signed-off-by: AdamKorcz --- .github/workflows/scripts/e2e-maven-push.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 460e458364..805d980b99 100755 
--- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -14,7 +14,7 @@ branch=$(e2e_this_branch) # because you cannot overwrite a version in maven. Instead we commit to main, # set the tag, reset $branch and push both main and $branch. echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" -gh repo clone "${GITHUB_REPOSITORY}" -- -b maven-e2e-temp +gh repo clone "${GITHUB_REPOSITORY}" -- -b main repo_name=$(echo "$GITHUB_REPOSITORY" | cut -d '/' -f2) cd ./"$repo_name" From 69ff36995853f4adb8c6eaffa9bce63336453d1a Mon Sep 17 00:00:00 2001 From: AdamKorcz Date: Thu, 10 Aug 2023 11:36:50 +0100 Subject: [PATCH 43/57] get artifact name and version after checking out in verify job Signed-off-by: AdamKorcz --- ...aven.workflow_dispatch.main.default.slsa3.yml | 9 +++------ .../scripts/e2e.maven.default.verify.sh | 16 ++++++++++------ 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 398cc02a08..aef2bf01e5 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -18,13 +18,10 @@ jobs: if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' permissions: contents: write - outputs: - artifact-version: ${{ steps.maven-push.outputs.artifact-version }} steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - env: PACKAGE_DIR: ./e2e/maven/workflow_dispatch - id: maven-push run: ./.github/workflows/scripts/e2e-maven-push.sh if-bootstrap-failed: @@ -61,7 +58,7 @@ jobs: verify: runs-on: ubuntu-latest - needs: [build, bootstrap] + needs: [build] steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main 
@@ -80,9 +77,9 @@ jobs: go-version: "1.18" - env: ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version}} - PROVENANCE: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}/test-java-project-${{ needs.bootstrap.outputs.artifact-version}}.jar.build.slsa" - BUILDER_TAG: "v2.0.0" + PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" + POMXML: "./e2e/maven/workflow_dispatch/pom.xml" run: ./.github/workflows/scripts/e2e.maven.default.verify.sh if-succeeded: runs-on: ubuntu-latest diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 6c98388f13..de27333ad7 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -4,9 +4,8 @@ source "./.github/workflows/scripts/e2e-verify.common.sh" # Input variables -PROVENANCE=${PROVENANCE:-} -ARTIFACT_VERSION=${ARTIFACT_VERSION:-} EXPECTED_ARTIFACT_OUTPUT=${EXPECTED_ARTIFACT_OUTPUT:-} +PROVENANCE_DIR=${PROVENANCE_DIR:-} GITHUB_REF_NAME=${GITHUB_REF_NAME:-} GITHUB_REF=${GITHUB_REF:-} RUNNER_DEBUG=${RUNNER_DEBUG:-} 
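Review bot: The new `PROVENANCE_DIR` line is missing the closing `}}` of its expression, so the step receives the literal text `slsa-attestations/${{ needs.build.outputs.provenance-download-name` and the `provenance` path built from it in e2e.maven.default.verify.sh cannot exist; the corrected line is `PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}"` (which is what PATCH 48 later applies). The `ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version}}` context line also still reads an output of a job that this commit's first hunk removed from `needs:` and whose `outputs:` block it deleted, so it evaluates to empty until PATCH 49 drops it.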
@@ -14,19 +13,24 @@ if [[ -n "${RUNNER_DEBUG}" ]]; then set -x fi +artifact_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout -f "${POMXML}") +artifact_id=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout -f "${POMXML}") +artifact_name="${artifact_id}-${artifact_version}.jar" +provenance="${PROVENANCE_DIR}/${artifact_name}.build.slsa" + go env -w GOFLAGS=-mod=mod verify_provenance_content() { local attestation - attestation=$(jq -r '.dsseEnvelope.payload' "${PROVENANCE}" | base64 -d) + attestation=$(jq -r '.dsseEnvelope.payload' "${provenance}" | base64 -d) # Run the artifact and verify the output is correct - artifact_output=$(java -jar target/test-java-project-"${ARTIFACT_VERSION}".jar) + artifact_output=$(java -jar target/"${artifact_name}") expected_artifact_output="${EXPECTED_ARTIFACT_OUTPUT}" e2e_assert_eq "${artifact_output}" "${expected_artifact_output}" "The output from the artifact should be '${expected_artifact_output}' but was '${artifact_output}'" # Verify the content of the attestation - e2e_verify_predicate_subject_name "${attestation}" "test-java-project-${ARTIFACT_VERSION}.jar" + e2e_verify_predicate_subject_name "${attestation}" "${artifact_name}" e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main" e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0" } @@ -38,7 +42,7 @@ echo "GITHUB_REF_NAME: $GITHUB_REF_NAME" echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE" echo "GITHUB_REF: $GITHUB_REF" echo "DEBUG: file is $this_file" -echo "PROVENANCE is: ${PROVENANCE}" +echo "PROVENANCE is: ${provenance}" export SLSA_VERIFIER_TESTING="true" From dcdf6caa5d7154b91528c85e577c48731690cbe0 Mon Sep 17 00:00:00 2001 
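Review bot: The four new assignments at the top of the hunk take whatever the two `mvn … evaluate` calls print, with no check that they produced anything: if an invocation fails (for instance because `POMXML` is unset — it is not in this file's input-variable block in this commit; PATCH 55 adds it), `artifact_name` becomes `-.jar`, `provenance` points at a non-existent file, and the failure surfaces later as a confusing `jq` or `java` error instead of at its cause, unless the script runs under `set -e`, which is outside the hunk. A guard after the two evaluations, `[[ -n "${artifact_version}" && -n "${artifact_id}" ]] || { echo "could not read project.version/artifactId from ${POMXML}" >&2; exit 1; }`, stops the verification from proceeding on partial input.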
From: AdamKorcz Date: Thu, 10 Aug 2023 11:47:03 +0100 Subject: [PATCH 44/57] Don't run bootstrap when trigger_build is true Signed-off-by: AdamKorcz --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index aef2bf01e5..a035d38de0 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -15,7 +15,7 @@ env: jobs: bootstrap: runs-on: ubuntu-latest - if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' + if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build) permissions: contents: write steps: From 150b6ab663991d3da03f503f18935355d4a3c172 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:32:38 -0700 Subject: [PATCH 45/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index a035d38de0..7101ad46df 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -1,10 +1,8 @@ on: - - workflow_dispatch -# TODO: Un-comment this -# schedule: -# - cron: "0 6 * * *" -# workflow_dispatch: -# + schedule: + - cron: "0 6 * * *" + workflow_dispatch: + permissions: read-all concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" 
From 0f4de69abdb89dfbed87ed706cb628980cae2535 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:33:31 -0700 Subject: [PATCH 46/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 7101ad46df..c0916e018d 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -8,6 +8,7 @@ permissions: read-all concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" env: + # TODO(#263): create decicated token GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} jobs: From e889ec606c91dc99c724a3f627c7913baf7dba33 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:33:44 -0700 Subject: [PATCH 47/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index c0916e018d..3f031f848c 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -8,7 +8,7 @@ permissions: read-all concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" env: - # TODO(#263): create decicated token + # TODO(#263): create dedicated token GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} jobs: 
From 2d51ca5a1bc2f657b5478b9f9b8cc6e5c51c7586 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:38:43 -0700 Subject: [PATCH 48/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml fix some linters Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- ...2e.maven.workflow_dispatch.main.default.slsa3.yml | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 3f031f848c..4f5bd41270 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -2,6 +2,12 @@ on: schedule: - cron: "0 6 * * *" workflow_dispatch: + inputs: + trigger_build: + description: "internal: do not check" + required: false + default: false + type: boolean permissions: read-all @@ -75,15 +81,15 @@ jobs: with: go-version: "1.18" - env: - ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version}} - PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name" + ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version }} + PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" POMXML: "./e2e/maven/workflow_dispatch/pom.xml" run: ./.github/workflows/scripts/e2e.maven.default.verify.sh if-succeeded: runs-on: ubuntu-latest needs: [build, verify] - if: needs.build.result == 'success' && needs.publish.result == 'success' && needs.verify.result == 'success' + if: needs.build.result == 'success' && needs.verify.result == 'success' steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: ./.github/workflows/scripts/e2e-report-success.sh From 3797e7bdfd3171b99b399eb4a6eeb3ccae65757f Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:40:32 -0700 Subject: [PATCH 49/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .../workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 4f5bd41270..1539f4bd99 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -81,7 +81,6 @@ jobs: with: go-version: "1.18" - env: - ARTIFACT_VERSION: ${{ needs.bootstrap.outputs.artifact-version }} PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}" EXPECTED_ARTIFACT_OUTPUT: "Hello world!" POMXML: "./e2e/maven/workflow_dispatch/pom.xml" From c06f6f8953bb46b6fa3b9b78550b21763a6888cb Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:45:54 -0700 Subject: [PATCH 50/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml try fix other linter Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- ....maven.workflow_dispatch.main.default.slsa3.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 1539f4bd99..3b48e6fc21 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml 
@@ -1,8 +1,8 @@ on: - schedule: - - cron: "0 6 * * *" - workflow_dispatch: - inputs: + schedule: + - cron: "0 6 * * *" + workflow_dispatch: + inputs: trigger_build: description: "internal: do not check" required: false @@ -15,9 +15,13 @@ concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3" env: # TODO(#263): create dedicated token - GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }} + GH_TOKEN: ${{ secrets.E2E_NODEJS_TOKEN }} + ISSUE_REPOSITORY: slsa-framework/slsa-github-generator jobs: + # Bootstrap + ################################################################################ + bootstrap: runs-on: ubuntu-latest if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build) From 7418167dad4ee0f4974b7bd4be34446449e811cb Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:48:47 -0700 Subject: [PATCH 51/57] Update e2e.maven.workflow_dispatch.main.default.slsa3.yml Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .../e2e.maven.workflow_dispatch.main.default.slsa3.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml index 3b48e6fc21..0efacb9484 100644 --- a/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml @@ -40,7 +40,7 @@ jobs: steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - run: ./.github/workflows/scripts/e2e-report-failure.sh - + # Main workflow ################################################################################ # Shim determines if the rest of the workflow should run. From 54260f3597a29270794066e12193f86f7dd05053 Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Thu, 10 Aug 2023 14:53:09 -0700 Subject: [PATCH 52/57] Update e2e-maven-push.sh Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 805d980b99..3e44a7f108 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -55,12 +55,12 @@ new_version() { echo $release_major.$release_minor.$release_patch } -next_tag=$(new_version $artifact_tag) +next_tag=$(new_version "${artifact_tag}") # Output the artifact name echo "artifact-version=${artifact_tag}" >> $GITHUB_OUTPUT -tag=$(mvn versions:set -DnewVersion=$next_tag) +tag=$(mvn versions:set -DnewVersion="${next_tag}") cd - # Commit the new version. From 32a7e063c78f253cebba15e95ba530488e60b56e Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 14 Aug 2023 10:39:16 +0100 Subject: [PATCH 53/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index de27333ad7..034c947651 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -49,4 +49,4 @@ export SLSA_VERIFIER_TESTING="true" # Verify provenance content. verify_provenance_content -e2e_run_verifier_all_releases "2.3.0" +e2e_run_verifier_all_releases "HEAD" From 28232a886731bed5cb73dd821cb9f4a3c8023897 Mon Sep 17 00:00:00 2001 
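Review bot: `tag=$(mvn versions:set -DnewVersion="${next_tag}")` assigns Maven's console output, not a tag name, to `tag`; unless `tag` is reassigned outside this hunk before it is used in `git push --set-upstream origin "${branch}" "${tag}" -f` (hunk of PATCH 31) and `git push origin "${tag}"` (hunk of PATCH 39), those pushes receive the build log as a refspec. If the output is not needed, run the command without capturing it, `mvn -q versions:set -DnewVersion="${next_tag}"`, and set `tag` explicitly from `next_tag` where a tag name is intended.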
From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 14 Aug 2023 10:39:22 +0100 Subject: [PATCH 54/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 034c947651..81ae07f717 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -8,6 +8,7 @@ EXPECTED_ARTIFACT_OUTPUT=${EXPECTED_ARTIFACT_OUTPUT:-} PROVENANCE_DIR=${PROVENANCE_DIR:-} GITHUB_REF_NAME=${GITHUB_REF_NAME:-} GITHUB_REF=${GITHUB_REF:-} +GITHUB_REF_TYPE=${GITHUB_REF_TYPE:-} RUNNER_DEBUG=${RUNNER_DEBUG:-} if [[ -n "${RUNNER_DEBUG}" ]]; then set -x From 296e84b7036001afd0fcb134d05683d7d810c375 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 14 Aug 2023 10:39:28 +0100 Subject: [PATCH 55/57] Update .github/workflows/scripts/e2e.maven.default.verify.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e.maven.default.verify.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/scripts/e2e.maven.default.verify.sh b/.github/workflows/scripts/e2e.maven.default.verify.sh index 81ae07f717..ef34fba007 100755 --- a/.github/workflows/scripts/e2e.maven.default.verify.sh +++ b/.github/workflows/scripts/e2e.maven.default.verify.sh @@ -9,6 +9,7 @@ PROVENANCE_DIR=${PROVENANCE_DIR:-} GITHUB_REF_NAME=${GITHUB_REF_NAME:-} GITHUB_REF=${GITHUB_REF:-} GITHUB_REF_TYPE=${GITHUB_REF_TYPE:-} +POMXML=${POMXML:-} # specified in the e2e test yaml RUNNER_DEBUG=${RUNNER_DEBUG:-} if [[ -n "${RUNNER_DEBUG}" ]]; then set -x 
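Review bot: `POMXML=${POMXML:-}` gives a mandatory input an empty default, so a workflow that omits it runs `mvn … -f ""` (the evaluations added in PATCH 43) and fails with a Maven error rather than a message naming the missing variable. Since the trailing comment already states that the value comes from the e2e yaml, `POMXML=${POMXML:?POMXML must be set by the e2e workflow}` documents the contract and fails fast; `GITHUB_REF_TYPE=${GITHUB_REF_TYPE:-}` from the previous hunk is fine with an empty default because it is only echoed.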
From 206ce1f2b4ea8230da1cbac8afe84cc87e9ec290 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 14 Aug 2023 10:39:33 +0100 Subject: [PATCH 56/57] Update .github/workflows/scripts/e2e-maven-push.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 3e44a7f108..07663530d3 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh @@ -58,7 +58,7 @@ new_version() { next_tag=$(new_version "${artifact_tag}") # Output the artifact name -echo "artifact-version=${artifact_tag}" >> $GITHUB_OUTPUT +echo "artifact-version=${artifact_tag}" >> "$GITHUB_OUTPUT" tag=$(mvn versions:set -DnewVersion="${next_tag}") cd - From cebc3f65ecacf7f14579e3efdb25be122bdc7c31 Mon Sep 17 00:00:00 2001 From: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> Date: Mon, 14 Aug 2023 10:39:44 +0100 Subject: [PATCH 57/57] Update .github/workflows/scripts/e2e-maven-push.sh Co-authored-by: Ian Lewis Signed-off-by: AdamKorcz <44787359+AdamKorcz@users.noreply.github.com> --- .github/workflows/scripts/e2e-maven-push.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/scripts/e2e-maven-push.sh b/.github/workflows/scripts/e2e-maven-push.sh index 07663530d3..5ff3f9daa1 100755 --- a/.github/workflows/scripts/e2e-maven-push.sh +++ b/.github/workflows/scripts/e2e-maven-push.sh 
@@ -9,6 +9,14 @@ source "./.github/workflows/scripts/e2e-utils.sh" branch=$(e2e_this_branch) +# Script Inputs +GITHUB_OUTPUT=${GITHUB_OUTPUT:-} +GITHUB_REPOSITORY=${GITHUB_REPOSITORY:-} +GITHUB_SHA=${GITHUB_SHA:-} +GITHUB_WORKFLOW=${GITHUB_WORKFLOW:-} +GH_TOKEN=${GH_TOKEN:-} +PACKAGE_DIR=${PACKAGE_DIR:-} # specified in the e2e test yaml + # NOTE: We can't simply push from $branch because it is occaisonally reset to # the main branch. We need to maintain the version number in pom.xml # because you cannot overwrite a version in maven. Instead we commit to main,