Verifier releaser #885
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Verifier releaser | |
on: | |
# For manual tests. | |
workflow_dispatch: | |
push: | |
tags: | |
- "*" # triggers only if push new tag version, like `0.8.4`. | |
# Run daily as a dry-run/test. | |
schedule: | |
- cron: "0 1 * * *" | |
permissions: read-all | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ISSUE_REPOSITORY: slsa-framework/slsa-verifier | |
# In case daily runs fail, the label for filing the issue | |
HEADER: release | |
jobs: | |
# Generate ldflags dynamically. | |
args: | |
runs-on: ubuntu-latest | |
outputs: | |
version: ${{ steps.ldflags.outputs.version }} | |
steps: | |
- id: checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- id: ldflags | |
run: | | |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT" | |
builder: | |
name: builder-${{matrix.os}}-${{matrix.arch}} | |
needs: [args] | |
strategy: | |
matrix: | |
os: | |
- linux | |
- windows | |
- darwin | |
arch: | |
- amd64 | |
- arm64 | |
permissions: | |
actions: read # For the detection of GitHub Actions environment. | |
id-token: write # For signing. | |
contents: write # For asset uploads. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # always use a tag @X.Y.Z for for slsa builders, not SHA! | |
with: | |
go-version-file: "go.mod" | |
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml | |
compile-builder: true | |
evaluated-envs: "VERSION:${{needs.args.outputs.version}}" | |
verification: | |
needs: [builder] | |
runs-on: ubuntu-latest | |
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch' | |
permissions: read-all | |
steps: | |
- name: Install the verifier | |
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1 | |
- name: Download assets | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl" | |
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }} | |
run: | | |
set -euo pipefail | |
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT | |
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME" | |
- name: Verify assets | |
env: | |
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }} | |
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl" | |
run: | | |
set -euo pipefail | |
echo "Verifying $ARTIFACT using $ATT_FILE_NAME" | |
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \ | |
--source-uri "github.com/$GITHUB_REPOSITORY" \ | |
--source-tag "$GITHUB_REF_NAME" \ | |
"$ARTIFACT" | |
if-succeed: | |
needs: [args, builder] | |
runs-on: ubuntu-latest | |
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any. | |
if: github.event_name == 'schedule' && needs.args.result != 'failure' && needs.builder.result != 'failure' | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: slsa-framework/example-package | |
ref: main | |
- run: ./.github/workflows/scripts/e2e-report-success.sh | |
if-failed: | |
needs: [args, builder] | |
runs-on: ubuntu-latest | |
if: always() && github.event_name == 'schedule' && (needs.args.result == 'failure' || needs.builder.result == 'failure') | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
repository: slsa-framework/example-package | |
ref: main | |
- run: ./.github/workflows/scripts/e2e-report-failure.sh |