Skip to content

Update actions/checkout action to v4.2.2 #612

Update actions/checkout action to v4.2.2

Update actions/checkout action to v4.2.2 #612

name: Run conftest-unittests.sh
on: [push, pull_request]
# Declare default permissions as read only.
permissions: read-all
jobs:
conftest:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Conftest
uses: redhat-cop/github-actions/confbatstest@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3
with:
tests: _test/conftest-unittests.sh
policies: '[]' # An empty array is provided as the policies are already cloned via source.
- name: Tar and Generate hashes
shell: bash
id: hash
run: |
tar cvf policy.tar policy/
echo "hashes=$(sha256sum policy.tar | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload policy.tar
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: policy.tar
path: policy.tar
if-no-files-found: error
retention-days: 5
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
provenance:
needs: [conftest]
if: startsWith(github.ref, 'refs/tags/')
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
base64-subjects: "${{ needs.conftest.outputs.hashes }}"
upload-assets: true
release:
needs: [conftest, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
steps:
- name: Download policy.tar
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: policy.tar
- name: Upload assets to release
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
files: |
policy.tar