forked from slsa-framework/slsa-github-generator
-
Notifications
You must be signed in to change notification settings - Fork 0
645 lines (591 loc) · 28.1 KB
/
builder_container-based_slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Copyright The GOSST team.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: SLSA Container-based builder
permissions:
contents: read
env:
# Builder.
BUILDER_BINARY: slsa-builder-docker-linux-amd64 # Name of the binary in the release assets.
BUILDER_DIR: internal/builders/docker # Source directory if we compile the builder.
# SLSA outputs folder.
OUTPUT_FOLDER: slsa-outputs
defaults:
run:
shell: bash
###################################################################
# #
# Input and output argument definitions #
# #
###################################################################
on:
workflow_call:
secrets:
registry-username:
description: >
Username to log into the container registry. This should only be used for high
entropy values.
See https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/docker/README.md#workflow-inputs
registry-password:
description: "Password to log in the container registry."
inputs:
builder-image:
description: >
The OCI image name of the builder image responsible for
creating the artifact. This must not include a tag or digest.
required: true
type: string
builder-digest:
description: >
The OCI image digest of the builder-image.
This must be specified in order to fully specify the builder
image. The image digest is of the form '<alg>:<digest>'
required: true
type: string
config-path:
description: >
Path to a configuration file relative to the root of the repository
containing a command that the builder image should be invoked with and
the path to the output artifacts.
required: true
type: string
compile-builder:
description: "Build the builder from source. This increases build time by ~2m."
required: false
type: boolean
default: false
rekor-log-public:
description: >
In case of a private GitHub repository, allow publication of your repository
name on the public Rekor log"
required: false
type: boolean
default: false
provenance-name:
description: >
The artifact name of the signed provenance. The file must have the .intoto
extension.
Defaults to <filename>.intoto for single artifact or multiple.intoto.jsonl
for multiple artifacts.
required: false
type: string
upload-assets:
description: >
Uploads the artifact and provenance to a GitHub release.
If the `upload-tag-name` was provided, then the assets are uploaded to the provided
input tag. This can be used for workflow_dispatch events. Otherwise, if a new tag triggered
the workflow, then the assets are uploaded to the triggering tag.
required: false
type: boolean
default: true
upload-tag-name:
description: >
If non-empty and `upload-assets` is set to true, the provenance is uploaded to the GitHub
release identified by the tag name. If a workflow is run on a new tag and `upload-tag-name`
is non-empty, the new tag is ignored and the value of `upload-tag-name` is used instead to upload
the assets.
type: string
default: ""
required: false
prerelease:
description: "If true, GitHub Release is created as a pre-release."
required: false
type: boolean
default: false
registry-username:
description: "Username to log into the container registry."
type: string
required: false
gcp-workload-identity-provider:
description: >
The full identifier of the Workload Identity Provider, including the project
number, pool name, and provider name.
required: false
type: string
default: ""
gcp-service-account:
description: >
Email address or unique identifier of the Google Cloud service account for
which to generate credentials.
required: false
type: string
default: ""
draft-release:
description: "If true, the release is created as a draft. Defaults to false."
required: false
type: boolean
default: false
outputs:
build-outputs-name:
description: "The name of the artifact where the generated artifacts are uploaded to the artifact registry."
value: ${{ jobs.build.outputs.build-outputs-name }}
attestations-download-name:
description: >
Name of the artifact to download all the attestations.
When run on a `pull_request` trigger, attestations are not signed and have an ".intoto" extension.
When run on other triggers, attestations are signed and have an "intoto.sigstore" extension.
value: ${{ jobs.provenance.outputs.provenance-name }}
jobs:
rng:
outputs:
value: ${{ steps.rng.outputs.random }}
runs-on: ubuntu-latest
steps:
- name: Generate random 16-byte value (32-char hex encoded)
id: rng
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main
# This detects the repository and ref of the reusable workflow.
# For pull request, this gets the referenced slsa-github-generator workflow.
detect-env:
outputs:
repository: ${{ steps.detect.outputs.repository }}
ref: ${{ steps.detect.outputs.ref }}
workflow: ${{ steps.detect.outputs.workflow }}
runs-on: ubuntu-latest
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
steps:
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
###################################################################
# #
# Generate builder binary #
# #
###################################################################
generate-builder:
# TODO: would it be convenient to output the builderDependency?
# TODO: this is a no-op right now. Replace with final builder.
outputs:
builder-binary-sha256: ${{ steps.generate.outputs.sha256 }}
needs: [detect-env, rng]
runs-on: ubuntu-latest
steps:
- name: Generate builder binary
id: generate
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
go-version: "1.20"
# Note: This must be the non-randomized binary name, so that it can be downloaded from the release assets.
binary: "${{ env.BUILDER_BINARY }}"
compile-builder: "${{ inputs.compile-builder }}"
directory: "${{ env.BUILDER_DIR }}"
allow-private-repository: ${{ inputs.rekor-log-public }}
- name: Upload builder
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
if-no-files-found: error
retention-days: 5
###################################################################
# #
# Invoke the builder binary to create a buildDefinition #
# #
###################################################################
generate-build-definition:
outputs:
build-definition-name: ${{ steps.generate.outputs.build-definition-name }}
build-definition-sha256: ${{ steps.upload.outputs.sha256 }}
runs-on: ubuntu-latest
needs: [rng, detect-env, generate-builder]
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
path: __BUILDER_CHECKOUT_DIR__
- name: Download builder
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
sha256: "${{ needs.generate-builder.outputs.builder-binary-sha256 }}"
set-executable: true
- name: Generate build definition
id: generate
# These are the inputs, it may be with: for an action or
# specified with these env vars.
env:
BUILDER_IMAGE: ${{ inputs.builder-image }}
BUILDER_DIGEST: ${{ inputs.builder-digest }}
CONFIG_PATH: ${{ inputs.config-path }}
run: |
set -euo pipefail
REF="@${GITHUB_REF}"
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
REF=""
fi
# Note: this outputs information about resolved arguments, etc.
# the values are trusted because the compiler is not invoked.
echo "${GITHUB_WORKSPACE}/${BUILDER_BINARY}" dry-run \
--build-config-path "${CONFIG_PATH}" \
--build-definition-path build-definition.json \
--builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \
--git-commit-digest "sha1:${GITHUB_SHA}" \
--source-repo "git+https://github.com/${GITHUB_REPOSITORY}${REF}" \
--verbose
"${GITHUB_WORKSPACE}/${BUILDER_BINARY}" dry-run \
--build-config-path "${CONFIG_PATH}" \
--build-definition-path build-definition.json \
--builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \
--git-commit-digest "sha1:${GITHUB_SHA}" \
--source-repo "git+https://github.com/${GITHUB_REPOSITORY}${REF}" \
--verbose
echo "build-definition-name=build-definition.json" >> "$GITHUB_OUTPUT"
- name: Upload the build definition file
id: upload
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-upload-artifact
with:
name: "${{ steps.generate.outputs.build-definition-name }}-${{ needs.rng.outputs.value }}"
path: "${{ steps.generate.outputs.build-definition-name }}"
###################################################################
# #
# Build the project and output subjects #
# #
###################################################################
build:
# TODO: This may require authentication for the container image.
runs-on: ubuntu-latest
outputs:
# The filename of the SLSA subject outputs file for secure download.
slsa-outputs-name: ${{ steps.build.outputs.slsa-outputs-name }}
# The digest of the SLSA subject outputs file for secure download.
slsa-outputs-sha256: ${{ steps.upload.outputs.sha256 }}
# The build outputs
build-outputs-name: ${{ steps.build.outputs.build-outputs-name }}
needs: [rng, detect-env, generate-builder]
steps:
- id: auth
name: Authenticate to Google Cloud
if: inputs.gcp-workload-identity-provider != ''
uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
with:
token_format: "access_token"
workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }}
service_account: ${{ inputs.gcp-service-account }}
- name: Login
id: login
continue-on-error: true
env:
UNTRUSTED_IMAGE: "${{ inputs.builder-image }}"
UNTRUSTED_INPUT_USERNAME: "${{ inputs.registry-username }}"
UNTRUSTED_SECRET_USERNAME: "${{ secrets.registry-username }}"
UNTRUSTED_PASSWORD: "${{ secrets.registry-password }}"
GCP_ACCESS_TOKEN: "${{ steps.auth.outputs.access_token }}"
run: |
set -euo pipefail
# NOTE: Some docker images are of the form <org>/<name>
# Here we get the first part and check if it has a '.' or ':'
# character in it to see if it's a domain name.
# See: https://stackoverflow.com/questions/37861791/how-are-docker-image-names-parsed#37867949
untrusted_registry="docker.io"
# NOTE: Do not fail the script if grep does not match.
maybe_domain=$(echo "${UNTRUSTED_IMAGE}" | cut -f1 -d "/" | { grep -E "\.|:" || true; })
if [ "${maybe_domain}" != "" ]; then
untrusted_registry="${maybe_domain}"
fi
if [ "${GCP_ACCESS_TOKEN}" != "" ]; then
username="oauth2accesstoken"
password="${GCP_ACCESS_TOKEN}"
else
username="${UNTRUSTED_SECRET_USERNAME:-${UNTRUSTED_INPUT_USERNAME}}"
if [ "${username}" == "" ]; then
# This may be the case for public base images.
echo "registry-username is not provided, skipping login."
exit 0
fi
# A username is present, so a password must be provided.
password="${UNTRUSTED_PASSWORD}"
if [ "${password}" == "" ]; then
echo "registry-password is required." >&2
exit 1
fi
fi
echo "login to ${untrusted_registry}"
docker login "${untrusted_registry}" -u "${username}" -p "${password}"
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
path: __BUILDER_CHECKOUT_DIR__
- name: Download builder
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
sha256: "${{ needs.generate-builder.outputs.builder-binary-sha256 }}"
set-executable: true
- name: Checkout the source repository
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 1
persist-credentials: false
path: __PROJECT_CHECKOUT_DIR__
- name: Run builder binary
id: build
working-directory: __PROJECT_CHECKOUT_DIR__
# These are the inputs, it may be with: for an action or
# specified with these env vars.
env:
BUILDER_IMAGE: ${{ inputs.builder-image }}
BUILDER_DIGEST: ${{ inputs.builder-digest }}
CONFIG_PATH: ${{ inputs.config-path }}
RNG: ${{ needs.rng.outputs.value }}
PROVENANCE_NAME: ${{ inputs.provenance-name }}
run: |
set -euo pipefail
REF="@${GITHUB_REF}"
if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
REF=""
fi
# Note: this outputs information about resolved arguments, etc.
# the values are trusted because the compiler is not invoked.
echo "${GITHUB_WORKSPACE}/${BUILDER_BINARY}" build \
--build-config-path "${CONFIG_PATH}" \
--builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \
--git-commit-digest "sha1:${GITHUB_SHA}" \
--source-repo "git+https://github.com/${GITHUB_REPOSITORY}${REF}" \
--subjects-path subjects.json \
--output-folder "/tmp/build-outputs-${RNG}" \
--verbose
"${GITHUB_WORKSPACE}/${BUILDER_BINARY}" build \
--build-config-path "${CONFIG_PATH}" \
--builder-image "${BUILDER_IMAGE}@${BUILDER_DIGEST}" \
--git-commit-digest "sha1:${GITHUB_SHA}" \
--source-repo "git+https://github.com/${GITHUB_REPOSITORY}${REF}" \
--subjects-path subjects.json \
--output-folder "/tmp/build-outputs-${RNG}" \
--verbose
# Construct attestation filename.
FILENAME="${PROVENANCE_NAME}"
length=$(jq length subjects.json)
if [[ -z "${FILENAME}" ]]; then
if [[ "$length" == "1" ]]; then
FILENAME=$(jq -r '.[0].name' subjects.json).intoto
else
FILENAME=multiple.intoto
fi
fi
# Validate the filename extension
if [[ "${FILENAME}" != *.intoto ]]; then
echo "expected provenance-name ${FILENAME} to have .intoto extension"
exit 1
fi
cat <<EOF >DATA
{
"version": 1,
"attestations": [
{
"name": "${FILENAME}",
"subjects": []
}
]
}
EOF
cat DATA > output-template.json
jq --argjson subjects "$(<subjects.json)" '.attestations[0].subjects += $subjects' output-template.json > "${GITHUB_WORKSPACE}"/slsa-layout.json
echo "slsa-outputs-name=slsa-layout.json" >> "$GITHUB_OUTPUT"
echo "build-outputs-name=build-outputs-${RNG}" >> "$GITHUB_OUTPUT"
- name: Upload the SLSA outputs file
id: upload
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-upload-artifact
with:
name: "${{ steps.build.outputs.slsa-outputs-name }}-${{ needs.rng.outputs.value }}"
path: "${{ steps.build.outputs.slsa-outputs-name }}"
- name: Upload output artifacts
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
# secure upload or verify this against the SLSA layout file.
id: upload-artifacts
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: ${{ steps.build.outputs.build-outputs-name }}
path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
if-no-files-found: error
###################################################################
# #
# Generate the provenance #
# #
###################################################################
provenance:
runs-on: ubuntu-latest
needs: [rng, detect-env, build, generate-build-definition, generate-builder]
permissions:
id-token: write # Needed to create an OIDC token for keyless signing.
contents: read # Needed to check out the repository.
actions: read # Needed to read workflow info.
outputs:
provenance-name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
provenance-sha256: ${{ steps.upload-signed.outputs.sha256 }}
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
path: __BUILDER_CHECKOUT_DIR__
- name: Download build definition
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
with:
name: "${{ needs.generate-build-definition.outputs.build-definition-name }}-${{ needs.rng.outputs.value }}"
path: "${{ needs.generate-build-definition.outputs.build-definition-name }}"
sha256: "${{ needs.generate-build-definition.outputs.build-definition-sha256 }}"
###################################################################
# 1. Create the predicate #
###################################################################
- name: Create predicate
id: predicate
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/create-container_based-predicate
with:
build-definition: "${{ needs.generate-build-definition.outputs.build-definition-name }}"
binary-sha256: "${{ needs.generate-builder.outputs.builder-binary-sha256 }}"
binary-uri: "git+https://github.com/${{ needs.detect-env.outputs.repository }}@${{ needs.detect-env.outputs.ref }}"
builder-id: "https://github.com/${{ needs.detect-env.outputs.repository }}/${{ needs.detect-env.outputs.workflow }}@${{ needs.detect-env.outputs.ref }}"
output-file: "predicate-${{ needs.rng.outputs.value }}"
###################################################################
# Generate the intoto attestations #
###################################################################
- name: Download SLSA outputs
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
with:
name: "${{ needs.build.outputs.slsa-outputs-name }}-${{ needs.rng.outputs.value }}"
path: "${{ needs.build.outputs.slsa-outputs-name }}"
sha256: "${{ needs.build.outputs.slsa-outputs-sha256 }}"
- name: Create attestations
id: attestations
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/generate-attestations
with:
slsa-layout-file: "${{ needs.build.outputs.slsa-outputs-name }}"
predicate-file: "predicate-${{ needs.rng.outputs.value }}"
predicate-type: "https://slsa.dev/provenance/v1"
output-folder: "attestations-${{ needs.rng.outputs.value }}"
- name: Upload unsigned intoto attestations file for pull request
if: ${{ github.event_name == 'pull_request' }}
id: upload-unsigned
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "attestations-${{ needs.rng.outputs.value }}"
if-no-files-found: error
###################################################################
# Sign the attestation #
###################################################################
- name: Sign attestations
if: ${{ github.event_name != 'pull_request' }}
id: sign
uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/sign-attestations
with:
attestations: "attestations-${{ needs.rng.outputs.value }}"
output-folder: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
- name: Upload the signed attestations
id: upload-signed
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
if-no-files-found: error
###################################################################
# #
# Upload artifacts and provenance as assets #
# #
###################################################################
upload-assets:
permissions:
contents: write # Needed to write artifacts to a release.
runs-on: ubuntu-latest
needs: [build, provenance, detect-env]
if: inputs.upload-assets && (startsWith(github.ref, 'refs/tags/') || inputs.upload-tag-name != '')
steps:
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
path: __BUILDER_CHECKOUT_DIR__
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
# layout files and their checksums to validate the artifacts.
- name: Download artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "${{ needs.build.outputs.build-outputs-name }}"
path: "${{ needs.build.outputs.build-outputs-name }}"
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
# secure-folder-download action.
- name: Download provenance
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "${{ needs.provenance.outputs.provenance-name }}"
path: "${{ needs.provenance.outputs.provenance-name }}"
- name: Upload provenance new tag
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == ''
id: release-new-tags
with:
prerelease: ${{ inputs.prerelease }}
files: |
${{ needs.build.outputs.build-outputs-name }}
${{ needs.provenance.outputs.provenance-name }}
draft: ${{ inputs.draft-release }}
- name: Upload provenance tag name
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
if: inputs.upload-tag-name != ''
with:
prerelease: ${{ inputs.prerelease }}
tag_name: "${{ inputs.upload-tag-name }}"
files: |
${{ needs.build.outputs.build-outputs-name }}/*
${{ needs.provenance.outputs.provenance-name }}
draft: ${{ inputs.draft-release }}
###################################################################
# #
# Cleanup #
# #
###################################################################
cleanup:
# Deletes internal artifacts
runs-on: ubuntu-latest
needs: [rng, generate-build-definition, build, provenance]
env:
BUILD_DEFINITION_NAME: ${{ needs.generate-build-definition.outputs.build-definition-name }}
SLSA_OUTPUTS_NAME: ${{ needs.build.outputs.slsa-outputs-name }}
RNG: ${{ needs.rng.outputs.value }}
steps:
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with:
name: "${{ env.BUILD_DEFINITION_NAME }}-${{ env.RNG }}"
useGlob: true
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with:
name: "${{ env.SLSA_OUTPUTS_NAME }}-${{ env.RNG }}"
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with:
name: "${{ env.BUILDER_BINARY }}-${{ env.RNG }}"