Add simple test for Maven builder #253

Merged Aug 14, 2023

61 commits
fe95490
Add simple test for Maven builder
AdamKorcz Aug 2, 2023
d82c253
move maven files to e2e/
AdamKorcz Aug 2, 2023
80d23b4
add verification
AdamKorcz Aug 3, 2023
6d78b49
rb
AdamKorcz Aug 3, 2023
84e4198
rb
AdamKorcz Aug 3, 2023
df5eca0
rb
AdamKorcz Aug 3, 2023
b314251
rb
AdamKorcz Aug 3, 2023
412cb37
rb
AdamKorcz Aug 3, 2023
bf23b74
rb
AdamKorcz Aug 3, 2023
6ad6e2f
rb
AdamKorcz Aug 3, 2023
7c07965
rb
AdamKorcz Aug 3, 2023
d663cb2
rb
AdamKorcz Aug 3, 2023
ca4c370
rb
AdamKorcz Aug 3, 2023
28e6c4b
rb
AdamKorcz Aug 3, 2023
a696381
Merge pull request #1 from AdamKorcz/maven-e2e-temp
AdamKorcz Aug 3, 2023
bc78a12
add verification
AdamKorcz Aug 3, 2023
674e208
Merge pull request #2 from AdamKorcz/maven-e2e-temp
AdamKorcz Aug 4, 2023
da28dfb
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 4, 2023
9a54dd8
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 4, 2023
a9fd887
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 4, 2023
f729db4
cleanup
AdamKorcz Aug 4, 2023
5e6d548
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 4, 2023
5ff3ad0
Update e2e.maven.default.verify.sh
AdamKorcz Aug 4, 2023
4a380dc
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
AdamKorcz Aug 4, 2023
ca17076
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 4, 2023
0fea0b2
specify root directory for builder
AdamKorcz Aug 4, 2023
d344889
Merge pull request #5 from AdamKorcz/maven-e2e-temp2
AdamKorcz Aug 5, 2023
0de588f
Multiple updates
AdamKorcz Aug 7, 2023
a8478da
Merge pull request #6 from AdamKorcz/maven-e2e-temp
AdamKorcz Aug 7, 2023
385ae38
Update e2e-maven-push.sh
AdamKorcz Aug 7, 2023
f14a028
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
AdamKorcz Aug 7, 2023
b75b336
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 8, 2023
9797cc6
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 8, 2023
d5e10fd
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 8, 2023
d63df3e
Update .github/workflows/scripts/e2e-maven-push.sh
AdamKorcz Aug 8, 2023
4d8122f
Update .github/workflows/scripts/e2e-maven-push.sh
AdamKorcz Aug 8, 2023
19b59ba
Update .github/workflows/e2e.maven.workflow_dispatch.main.default.sls…
AdamKorcz Aug 8, 2023
1760c9a
move maven test files to dedicated workflow_dispatch folder
AdamKorcz Aug 8, 2023
b1176c7
prepend v to artifact version
AdamKorcz Aug 8, 2023
d83b27c
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 9, 2023
00ac3d2
Make build depend on shim
AdamKorcz Aug 9, 2023
65b91af
use e2_go_token
AdamKorcz Aug 9, 2023
b1b1b5c
switch repositories to main
AdamKorcz Aug 9, 2023
9da4a2c
Remove name of workflow
AdamKorcz Aug 9, 2023
ecabf46
use public actions for download attestations and target directory
AdamKorcz Aug 9, 2023
df1c4df
use main branch
AdamKorcz Aug 10, 2023
69ff369
get artifact name and version after checking out in verify job
AdamKorcz Aug 10, 2023
dcdf6ca
Don't run bootstrap when trigger_build is true
AdamKorcz Aug 10, 2023
150b6ab
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
0f4de69
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
e889ec6
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
2d51ca5
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
3797e7b
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
c06f6f8
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
7418167
Update e2e.maven.workflow_dispatch.main.default.slsa3.yml
laurentsimon Aug 10, 2023
54260f3
Update e2e-maven-push.sh
laurentsimon Aug 10, 2023
32a7e06
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 14, 2023
28232a8
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 14, 2023
296e84b
Update .github/workflows/scripts/e2e.maven.default.verify.sh
AdamKorcz Aug 14, 2023
206ce1f
Update .github/workflows/scripts/e2e-maven-push.sh
AdamKorcz Aug 14, 2023
cebc3f6
Update .github/workflows/scripts/e2e-maven-push.sh
AdamKorcz Aug 14, 2023
106 changes: 106 additions & 0 deletions .github/workflows/e2e.maven.workflow_dispatch.main.default.slsa3.yml
@@ -0,0 +1,106 @@
on:
schedule:
- cron: "0 6 * * *"
workflow_dispatch:
inputs:
trigger_build:
description: "internal: do not check"
required: false
default: false
type: boolean

permissions: read-all

concurrency: "e2e-maven-workflow_dispatch-main-default-slsa3"

env:
# TODO(#263): create dedicated token
GH_TOKEN: ${{ secrets.E2E_NODEJS_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator

jobs:
# Bootstrap
################################################################################

bootstrap:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)
permissions:
contents: write
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- env:
PACKAGE_DIR: ./e2e/maven/workflow_dispatch
run: ./.github/workflows/scripts/e2e-maven-push.sh

if-bootstrap-failed:
runs-on: ubuntu-latest
needs: [bootstrap]
if: always() && (github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && !inputs.trigger_build)) && needs.bootstrap.result != 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-failure.sh

# Main workflow
################################################################################
# Shim determines if the rest of the workflow should run.
# NOTE: it should only use the `if` to determine this and all downstream jobs
# should depend on this job.
shim:
# NOTE: this must be kept in sync with the if-failed job.
if: github.event_name == 'workflow_dispatch' && inputs.trigger_build
runs-on: ubuntu-latest
steps:
- run: |
echo "event: ${GITHUB_EVENT_NAME}"
echo "ref: ${GITHUB_REF}"

build:
needs: [shim]
permissions:
id-token: write # For signing.
contents: read # For repo checkout of private repos.
actions: read # For getting workflow run on private repos.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@main
with:
directory: ./e2e/maven/workflow_dispatch

verify:
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-attestations@main
with:
name: "${{ needs.build.outputs.provenance-download-name }}"
sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
path: slsa-attestations
- uses: slsa-framework/slsa-github-generator/actions/maven/secure-download-target@main
with:
name: target
sha256: "${{ needs.build.outputs.target-download-sha256 }}"
path: ./
# NOTE: To build slsa-verifier in e2e.maven.default.verify.sh
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version: "1.18"
- env:
PROVENANCE_DIR: "slsa-attestations/${{ needs.build.outputs.provenance-download-name }}"
EXPECTED_ARTIFACT_OUTPUT: "Hello world!"
POMXML: "./e2e/maven/workflow_dispatch/pom.xml"
run: ./.github/workflows/scripts/e2e.maven.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, verify]
if: needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-success.sh

if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
if: always() && github.event_name == 'workflow_dispatch' && inputs.trigger_build && (needs.build.result != 'success' || needs.verify.result != 'success')
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- run: ./.github/workflows/scripts/e2e-report-failure.sh
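Review bot: `GH_TOKEN: ${{ secrets.E2E_NODEJS_TOKEN }}` sits in the workflow-level `env:` block, so the token is injected into every job in this file, including `shim` and `verify`, which never call `gh`; only `bootstrap` and the `if-*` report jobs need it. Move the `env:` block down to those jobs so the token is not present in the job that downloads and executes the freshly built jar (`java -jar target/...` in `e2e.maven.default.verify.sh`), and resolve the `TODO(#263)` so the Maven test stops borrowing the NodeJS token. Also for the `verify` job: `builder_maven_slsa3.yml@main` and the two `secure-download-*` actions are referenced by branch, while `e2e.maven.default.verify.sh` asserts a builder id ending in `@refs/heads/main`; if the ref is ever pinned, both places have to change together.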
136 changes: 136 additions & 0 deletions .github/workflows/scripts/e2e-maven-push.sh
@@ -0,0 +1,136 @@
#!/usr/bin/env bash
set -euo pipefail

# shellcheck source=/dev/null
source "./.github/workflows/scripts/e2e-utils.sh"

# This script bumps the maven package's version number, commits it, and pushes to
# the repository.

branch=$(e2e_this_branch)

# Script Inputs
GITHUB_OUTPUT=${GITHUB_OUTPUT:-}
GITHUB_REPOSITORY=${GITHUB_REPOSITORY:-}
GITHUB_SHA=${GITHUB_SHA:-}
GITHUB_WORKFLOW=${GITHUB_WORKFLOW:-}
GH_TOKEN=${GH_TOKEN:-}
PACKAGE_DIR=${PACKAGE_DIR:-} # specified in the e2e test yaml

# NOTE: We can't simply push from $branch because it is occaisonally reset to
# the main branch. We need to maintain the version number in pom.xml
# because you cannot overwrite a version in maven. Instead we commit to main,
# set the tag, reset $branch and push both main and $branch.
echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}"
gh repo clone "${GITHUB_REPOSITORY}" -- -b main
repo_name=$(echo "$GITHUB_REPOSITORY" | cut -d '/' -f2)
cd ./"$repo_name"

git config --global user.name github-actions
git config --global user.email [email protected]

# Set the remote url to authenticate using the token.
git remote set-url origin "https://github-actions:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"

package_dir="${PACKAGE_DIR}" # specified in the e2e test yaml

cd "${package_dir}"

# Get the new version
artifact_tag=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)

# Bumps the version
new_version() {
current_tag=$1
release_major=$(version_major "$current_tag")
release_minor=$(version_minor "$current_tag")
release_patch=$(version_patch "$current_tag")

# These if-statements are sorted by likelihood
if [[ $release_patch != "99" ]]; then
# Only need to bump the patch
release_patch=$((release_patch+1))
elif [[ $release_patch = "99" && $release_minor != "99" ]]; then
# Need to bump minor
release_minor=$(($release_minor+1))
release_patch="0"
elif [[ $release_patch = "99" && $release_minor = "99" ]]; then
# Need to bump major
release_major=$(($release_major+1))
release_minor="0"
release_patch="0"
fi
echo $release_major.$release_minor.$release_patch
}

next_tag=$(new_version "${artifact_tag}")

# Output the artifact name
echo "artifact-version=${artifact_tag}" >> "$GITHUB_OUTPUT"

tag=$(mvn versions:set -DnewVersion="${next_tag}")
cd -

# Commit the new version.
git commit -m "${GITHUB_WORKFLOW}" "${package_dir}/pom.xml" "${package_dir}/pom.xml"

# If this is an e2e test for a tag, then tag the commit and push it.
this_event=$(e2e_this_event)
echo "this_event: ${this_event}"
if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then
git tag "${tag}"
fi

git remote -v
git branch
pwd
if [ "${branch}" != "main" ]; then
# Reset branch1 and push the new version.
# git branch -D "$branch"
git checkout -b "${branch}"
if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then
git push --set-upstream origin "${branch}" "${tag}" -f
else
git push --set-upstream origin "${branch}" -f
fi
git checkout main

# Update a dummy file to avoid https://github.com/slsa-framework/example-package/issues/44
date >./e2e/dummy
git add ./e2e/dummy
git commit -m "sync'ing branch1 - $(cat ./e2e/dummy)"
git push origin main
else
if [ "${this_event}" == "tag" ] || [ "${this_event}" == "create" ]; then
# TODO(#213): push tag separately until bug is fixed.
# NOTE: If there is a concurrent update to main we want it to fail here
# without pushing the tag because we will lose the changes to main.
git push origin main
git push origin "${tag}"
else
git push origin main
fi
fi

# If this is a test for a release event, create the release.
if [ "${this_event}" == "release" ]; then
this_file=$(e2e_this_file)
data_file=$(mktemp)
cat <<EOF >"${data_file}"
**E2E release creation**:
Tag: ${tag}
Branch: ${branch}
Commit: ${GITHUB_SHA}
Caller file: ${this_file}
EOF

gh release create "${tag}" --notes-file "${data_file}" --target "${branch}"
fi

if [ "${this_event}" == "workflow_dispatch" ]; then
this_file=$(e2e_this_file)
curl -s -X POST -H "Accept: application/vnd.github.v3+json" \
"https://api.github.com/repos/${GITHUB_REPOSITORY}/actions/workflows/${this_file}/dispatches" \
-d "{\"ref\":\"${branch}\",\"inputs\":{\"trigger_build\": true}}" \
-H "Authorization: token ${GH_TOKEN}"
fi
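Review bot: `tag=$(mvn versions:set -DnewVersion="${next_tag}")` captures Maven's console output, not the version, so every later use of `${tag}` (`git tag "${tag}"`, `git push origin "${tag}"`, the release-notes heredoc and `gh release create "${tag}"`) would operate on a multi-line Maven log. Those paths are only reached for `tag`, `create` and `release` events, which this workflow does not exercise yet, but the assignment should be `tag="${next_tag}"` (with whatever prefix the tag convention requires) and `mvn versions:set` should run on its own line. Three smaller points in the same hunk: `artifact-version=${artifact_tag}` writes the version from before the bump while `pom.xml` now carries `${next_tag}`, and nothing in the workflow reads that output (the `bootstrap` step has no `id`), so either drop it or emit `${next_tag}`; `git remote -v` runs after `git remote set-url origin "https://github-actions:${GH_TOKEN}@..."` and therefore prints the token-bearing URL, so the `git remote -v` / `git branch` / `pwd` debugging trio should move above the `set-url` call or be removed, even though GitHub masks registered secrets in logs; and `git commit -m "${GITHUB_WORKFLOW}" "${package_dir}/pom.xml" "${package_dir}/pom.xml"` passes `pom.xml` twice.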
2 changes: 1 addition & 1 deletion .github/workflows/scripts/e2e-utils.sh
@@ -433,7 +433,7 @@ _e2e_verify_query() {
local expected="$2"
local query="$3"
name=$(echo -n "${attestation}" | jq -c -r "${query}")
e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected}"
e2e_assert_eq "${name}" "${expected}" "${query} should be ${expected} but was ${name}"
}

# Returns the first 2 asset in a release.
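Review bot: the expanded assertion message is a good change, but `name=$(echo -n "${attestation}" | jq -c -r "${query}")` on the line above it is the only variable in `_e2e_verify_query` not declared `local` (`expected` and `query` are), so it leaks into the caller's scope; make it `local name`. Note also that with `jq -r` a missing key yields the literal string `null`, so a query that does not match still produces a value to compare, and the new message (`... but was null`) is what will surface that case.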
54 changes: 54 additions & 0 deletions .github/workflows/scripts/e2e.maven.default.verify.sh
@@ -0,0 +1,54 @@
#!/usr/bin/env bash

# shellcheck source=/dev/null
source "./.github/workflows/scripts/e2e-verify.common.sh"

# Input variables
EXPECTED_ARTIFACT_OUTPUT=${EXPECTED_ARTIFACT_OUTPUT:-}
PROVENANCE_DIR=${PROVENANCE_DIR:-}
GITHUB_REF_NAME=${GITHUB_REF_NAME:-}
GITHUB_REF=${GITHUB_REF:-}
GITHUB_REF_TYPE=${GITHUB_REF_TYPE:-}
POMXML=${POMXML:-} # specified in the e2e test yaml
RUNNER_DEBUG=${RUNNER_DEBUG:-}
if [[ -n "${RUNNER_DEBUG}" ]]; then
set -x
fi

artifact_version=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.version -q -DforceStdout -f "${POMXML}")
artifact_id=$(mvn org.apache.maven.plugins:maven-help-plugin:3.2.0:evaluate -Dexpression=project.artifactId -q -DforceStdout -f "${POMXML}")
artifact_name="${artifact_id}-${artifact_version}.jar"
provenance="${PROVENANCE_DIR}/${artifact_name}.build.slsa"

go env -w GOFLAGS=-mod=mod

verify_provenance_content() {
local attestation
attestation=$(jq -r '.dsseEnvelope.payload' "${provenance}" | base64 -d)

# Run the artifact and verify the output is correct
artifact_output=$(java -jar target/"${artifact_name}")
expected_artifact_output="${EXPECTED_ARTIFACT_OUTPUT}"
e2e_assert_eq "${artifact_output}" "${expected_artifact_output}" "The output from the artifact should be '${expected_artifact_output}' but was '${artifact_output}'"

# Verify the content of the attestation
e2e_verify_predicate_subject_name "${attestation}" "${artifact_name}"
e2e_verify_predicate_v1_runDetails_builder_id "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_maven_slsa3.yml@refs/heads/main"
e2e_verify_predicate_v1_buildDefinition_buildType "${attestation}" "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0"
}

this_file=$(e2e_this_file)
branch=$(echo "$this_file" | cut -d '.' -f4)
echo "branch is $branch"
echo "GITHUB_REF_NAME: $GITHUB_REF_NAME"
echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE"
echo "GITHUB_REF: $GITHUB_REF"
echo "DEBUG: file is $this_file"
echo "PROVENANCE is: ${provenance}"

export SLSA_VERIFIER_TESTING="true"

# Verify provenance content.
verify_provenance_content

e2e_run_verifier_all_releases "HEAD"
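Review bot: this script has no `set -euo pipefail` line after the shebang (unlike `e2e-maven-push.sh`), so if either `mvn ...maven-help-plugin:3.2.0:evaluate` call fails on `${POMXML}` the `artifact_*` variables are empty, `provenance` becomes `${PROVENANCE_DIR}/-.jar.build.slsa`, and the run carries on until `jq` or `java -jar` fails with a far less useful error. Add the `set` line (or confirm that `e2e-verify.common.sh` sets it) and check that `${provenance}` exists before decoding it in `verify_provenance_content`. Smaller items: `go env -w GOFLAGS=-mod=mod` rewrites the runner's persistent Go configuration just to build slsa-verifier, which is clearer as a `GOFLAGS` environment variable on the workflow step; `GITHUB_REF_NAME`, `GITHUB_REF_TYPE` and `GITHUB_REF` are read only to be echoed; and the hard-coded builder id `.../builder_maven_slsa3.yml@refs/heads/main` must be kept in sync with the `@main` reference in the workflow's `build` job.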