verifier action #553
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: verifier action | |
on: | |
# Daily run. | |
schedule: | |
- cron: "0 4 * * *" | |
workflow_dispatch: | |
inputs: | |
version: | |
type: string | |
description: The version to to test for pre-release. | |
required: false | |
permissions: read-all | |
env: | |
GH_TOKEN: ${{ github.token }} | |
ISSUE_REPOSITORY: ${{ github.repository }} | |
MINIMUM_INSTALLER_VERSION: v2.0.1 | |
jobs: | |
list-verifiers: | |
runs-on: ubuntu-latest | |
outputs: | |
# NOTE: version output is a JSON list of version numbers. | |
# https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions | |
# https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson | |
version: ${{ steps.generate-versions.outputs.version }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
# NOTE: the example-package needs to be checked out in the default workspace. | |
repository: slsa-framework/example-package | |
ref: main | |
- name: Checkout | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
path: __THIS_REPO__ | |
- name: Generate verifier list | |
if: inputs.version == '' | |
id: generate-list | |
run: ./__THIS_REPO__/.github/workflows/scripts/schedule.actions/verifier-installer.sh | |
- name: Generate pre-release list | |
if: inputs.version != '' | |
id: generate-prerelease | |
env: | |
PRE_RELEASE_VERSION: ${{ inputs.version }} | |
run: echo "version=[\"$PRE_RELEASE_VERSION\"]" >> "$GITHUB_OUTPUT" | |
- name: Generate pre-release list | |
id: generate-versions | |
env: | |
PRE_RELEASE_VERSION: ${{ steps.generate-prerelease.outputs.version }} | |
LIST_VERSION: ${{ steps.generate-list.outputs.version }} | |
run: | | |
if [[ -n $PRE_RELEASE_VERSION ]]; then | |
echo "version=$PRE_RELEASE_VERSION" >> "$GITHUB_OUTPUT" | |
else | |
echo "version=$LIST_VERSION" >> "$GITHUB_OUTPUT" | |
fi | |
verifier-run: | |
needs: list-verifiers | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
version: ${{ fromJson(needs.list-verifiers.outputs.version) }} | |
steps: | |
- name: Debug | |
env: | |
VERSION: ${{ matrix.version }} | |
run: echo "version is '$VERSION'" | |
- name: Checkout this repository | |
# Skip release candidates unless specified explicitly. | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
ref: ${{ matrix.version }} | |
# Install at tag. | |
# ============== | |
- name: Run the Action at tag | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
env: | |
SLSA_VERIFIER_CI_ACTION_REF: ${{ matrix.version }} | |
uses: ./actions/installer | |
- name: Verify the version | |
env: | |
VERSION: ${{ matrix.version }} | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
run: | | |
version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]") | |
slsa-verifier version | |
echo "version: $version" | |
echo "VERSION: $VERSION" | |
# NOTE: the version reported by the slsa-verifier does not contain the leading `v`. | |
[ "$version" == "${VERSION:1}" ] | |
- name: Delete the binary | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
run: | | |
binary_path=$(which slsa-verifier) | |
echo "binary_path: $binary_path" | |
rm -rf "$binary_path" | |
# Install at commit sha. | |
# ===================== | |
- name: Get sha1 | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
id: commit | |
env: | |
VERSION: ${{ matrix.version }} | |
run: | | |
commit_sha=$(gh api -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/git/ref/tags/$VERSION" | jq -r '.object.sha') | |
echo "commit_sha=$commit_sha" >> "$GITHUB_OUTPUT" | |
- name: Run the Action at commit | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
env: | |
SLSA_VERIFIER_CI_ACTION_REF: ${{ steps.commit.outputs.commit_sha }} | |
uses: ./actions/installer | |
- name: Verify the version | |
env: | |
VERSION: ${{ matrix.version }} | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
run: | | |
version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]") | |
slsa-verifier version | |
echo "version: $version" | |
echo "VERSION: $VERSION" | |
# NOTE: the version reported by the slsa-verifier does not contain the leading `v`. | |
[ "$version" == "${VERSION:1}" ] | |
- name: Delete the binary | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
run: | | |
binary_path=$(which slsa-verifier) | |
echo "binary_path: $binary_path" | |
rm -rf "$binary_path" | |
# Install at invalid commit. | |
# ========================= | |
- name: Install invalid commit | |
id: invalid-commit | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
continue-on-error: true | |
env: | |
SLSA_VERIFIER_CI_ACTION_REF: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73 | |
uses: ./actions/installer | |
- env: | |
SUCCESS: ${{ steps.invalid-commit.outcome == 'failure' }} | |
run: | | |
[ "$SUCCESS" == "true" ] | |
# Install at non-existent tag. | |
# ========================= | |
- name: Install non-existent tag | |
id: nonexistent-tag | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
continue-on-error: true | |
env: | |
# NOTE: actions/installer checks for valid semantic version numbers. | |
SLSA_VERIFIER_CI_ACTION_REF: v100.3.5 | |
uses: ./actions/installer | |
- env: | |
SUCCESS: ${{ steps.nonexistent-tag.outcome == 'failure' }} | |
run: | | |
[ "$SUCCESS" == "true" ] | |
# Install at empty tag. | |
# ===================== | |
- name: Install empty tag | |
id: empty-tag | |
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} | |
continue-on-error: true | |
env: | |
SLSA_VERIFIER_CI_ACTION_REF: | |
uses: ./actions/installer | |
- env: | |
SUCCESS: ${{ steps.empty-tag.outcome == 'failure' }} | |
run: | | |
[ "$SUCCESS" == "true" ] | |
if-succeed: | |
needs: [verifier-run, list-verifiers] | |
runs-on: ubuntu-latest | |
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any. | |
if: inputs.version == '' && needs.verifier-run.result != 'failure' && needs.list-verifiers.result != 'failure' | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
repository: slsa-framework/example-package | |
ref: main | |
- run: ./.github/workflows/scripts/e2e-report-success.sh | |
if-failed: | |
needs: [verifier-run, list-verifiers] | |
runs-on: ubuntu-latest | |
if: always() && inputs.version == '' && (needs.verifier-run.result == 'failure' || needs.list-verifiers.result == 'failure') | |
permissions: | |
contents: read | |
issues: write | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
with: | |
repository: slsa-framework/example-package | |
ref: main | |
- run: ./.github/workflows/scripts/e2e-report-failure.sh |