Skip to content
on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:
release:
types: [created]
permissions: read-all
concurrency: "e2e.delegator-lowperms.release.main.default.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
# BEWARE: Updateing this version requires updating the hardcoded
# v43 in the workflow.
DEFAULT_VERSION: v43.0.0
jobs:
# Bootstrap
################################################################################
bootstrap:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
# Bumps the package version pushes, creates a git tag, and pushes the tag.
- run: ./.github/workflows/scripts/e2e-bootstrap.sh
if-bootstrap-failed:
runs-on: ubuntu-latest
needs: [bootstrap]
if: always() && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && needs.bootstrap.result != 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh
# Main workflow
################################################################################
# Shim determines if the rest of the workflow should run.
# NOTE: it should only use the `if` to determine this and all downstream jobs
# should depend on this job.
shim:
# NOTE: this must be kept in sync with the if-failed job.
if: github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v43')
runs-on: ubuntu-latest
steps:
- run: |
echo "event: ${GITHUB_EVENT_NAME}"
echo "ref: ${GITHUB_REF}"
build:
needs: [shim]
permissions:
id-token: write # For signing
contents: write # For asset uploads
actions: read
uses: slsa-framework/example-trw/.github/workflows/builder_low-perms_slsa3.yml@v2.0.0
with:
artifact: my-artifact
content: "hello world delegator_generic_slsa3"
secrets:
# NOTE: this password is set to 'delegator-password'.
password: ${{ secrets.DELEGATOR_PASSWORD }}
verify:
runs-on: ubuntu-latest
needs: [build]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: slsa-framework/slsa-github-generator/actions/delegator/secure-download-folder@main
with:
name: "${{ needs.build.outputs.artifact-download-name }}" # NOTE: This is randomized 'my-artifact'.
sha256: "${{ needs.build.outputs.artifact-download-sha256 }}"
path: "."
- uses: slsa-framework/example-trw/low-perms/actions/download/attestation@v2.0.0
with:
name: "${{ needs.build.outputs.provenance-download-name }}"
sha256: "${{ needs.build.outputs.provenance-download-sha256 }}"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"
- env:
# NOTE: We move the artifact because the verification script
# check that the subject name matches the filename.
ARTIFACT: "${{ needs.build.outputs.artifact }}"
run: |
mv "artifacts/${ARTIFACT}" .
- env:
BINARY: "${{ needs.build.outputs.artifact }}"
PROVENANCE: "${{ needs.build.outputs.provenance-download-name }}/${{ needs.build.outputs.artifact }}.build.slsa" # This is defined by the builder.
BUILDER_ID: "https://github.com/slsa-framework/example-trw/.github/workflows/builder_low-perms_slsa3.yml@v2.0.0"
run: ./.github/workflows/scripts/e2e.delegator.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs: [build, verify]
if: needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs: [build, verify]
if: always() && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/v43') && (needs.build.result != 'success' || needs.verify.result != 'success')
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- run: ./.github/workflows/scripts/e2e-report-failure.sh