add draft-release support

.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml

@@ -24,7 +24,7 @@ env:
 
 jobs:
   # This should trigger the GCB build.
-  # This does not run on workflow_dispatch - we may use an input here to allow 
+  # This does not run on workflow_dispatch - we may use an input here to allow
   # retriggering the build by workflow_dispatch.
   # This was removed to avoid retriggering the build when intending to reverify provenance.
   release:

.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml

@@ -0,0 +1,127 @@
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+  push:
+    tags:
+      - "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
+  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
+  # WARNING: update build job if CONFIG_FILE changes.
+  CONFIG_FILE: .github/configs-go/config-ldflags-tag.yml
+  DEFAULT_VERSION: v36.0.0
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - id: create
+        run: |
+          set -euo pipefail
+
+          ./.github/workflows/scripts/e2e-create-release.sh
+
+  shim:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref_type == 'tag'
+    outputs:
+      continue: ${{ steps.verify.outputs.continue }}
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - id: verify
+        run: |
+          set -euo pipefail
+
+          ./.github/workflows/scripts/e2e-verify-release.sh
+
+  args:
+    needs: [shim]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.ldflags.outputs.version }}
+      commit: ${{ steps.ldflags.outputs.commit }}
+      branch: ${{ steps.ldflags.outputs.branch }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          set -euo pipefail
+
+          THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+          BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
+          echo "::set-output name=version::-X main.gitVersion=v1.2.3"
+          echo "::set-output name=commit::-X main.gitCommit=abcdef"
+          echo "::set-output name=branch::-X main.gitBranch=$BRANCH"
+
+  build:
+    needs: [shim, args]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    permissions:
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+      actions: read # For the entrypoint.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
+    with:
+      go-version: 1.18
+      # We cannot use ${{ env.CONFIG_FILE }} because env variables are not available.
+      config-file: .github/configs-go/config-ldflags-tag.yml
+      evaluated-envs: "VERSION:${{needs.args.outputs.version}},COMMIT:${{needs.args.outputs.commit}},BRANCH:${{needs.args.outputs.branch}}"
+      compile-builder: true
+      draft-release: true
+
+  # build:
+  #   runs-on: ubuntu-latest
+  #   steps:
+  #     - run: |
+  #         echo hello
+  #         #exit 1
+
+  verify:
+    runs-on: ubuntu-latest
+    needs: [shim, build]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}
+      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+      - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+        with:
+          go-version: "1.18"
+      - env:
+          BINARY: ${{ needs.build.outputs.go-binary-name }}
+          # NOTE: we download the artifact as `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl`,
+          # so we implictely verify that `${{ needs.build.outputs.go-binary-name }}.intoto.jsonl = ${{ needs.build.outputs.go-provenance-name }}`.
+          PROVENANCE: ${{ needs.build.outputs.go-provenance-name }}
+        run: ./.github/workflows/scripts/e2e.go.default.verify.sh
+
+  if-succeeded:
+    runs-on: ubuntu-latest
+    needs: [shim, build, verify]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - run: ./.github/workflows/scripts/e2e-report-success.sh
+
+  if-failed:
+    runs-on: ubuntu-latest
+    needs: [shim, build, verify]
+    if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
+    steps:
+      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
+      - run: ./.github/workflows/scripts/e2e-report-failure.sh

.github/workflows/scripts/e2e-create-release.sh

@@ -24,6 +24,8 @@ fi
 
 prerelease=$(echo "$this_file" | cut -d '.' -f5 | grep prerelease || true)
 echo "prerelease: $prerelease"
+draft=$(echo "$this_file" | cut -d '.' -f5 | grep draft || true)
+echo "draft: $draft"
 
 # Here we find the latest version with the major version equal to that of
 # DEFAULT_VERSION.
@@ -100,6 +102,8 @@ else
     # See: https://github.community/t/push-from-action-does-not-trigger-subsequent-action/16854
     if [[ -n "$prerelease" ]]; then
         GH_TOKEN=$token gh release create "$tag" --notes-file ./DATA --target "$branch" --prerelease
+    elif [[ -n "$draft" ]]; then
+        GH_TOKEN=$token gh release create "$tag" --notes-file ./DATA --target "$branch" --draft
     else
         GH_TOKEN=$token gh release create "$tag" --notes-file ./DATA --target "$branch"
     fi

.github/workflows/scripts/e2e-utils.sh

@@ -435,6 +435,13 @@ e2e_is_prerelease() {
     echo "$prerelease"
 }
 
+# Checks if tag is a draft
+e2e_is_draft() {
+    local tag="$1"
+    draft=$(gh release view "$tag" --json isDraft | jq -r '.isDraft')
+    echo "$draft"
+}
+
 e2e_verify_predicate_v1_buildDefinition_externalParameters_source() {
     _e2e_verify_query "$1" "$2" '.predicate.buildDefinition.externalParameters.source'
 }

.github/workflows/scripts/e2e.go.default.verify.sh

@@ -29,6 +29,7 @@ verify_provenance_content() {
     #DIR=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep '\-dir')
     has_assets=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep -v noassets)
     is_prerelease=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep prerelease)
+    is_draft=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep draft)
     TAG=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep tag)
     # Note GO_MAIN and GO_DIR are set in the workflows as env variables.
     DIR="$PWD/__PROJECT_CHECKOUT_DIR__"
@@ -108,6 +109,7 @@ verify_provenance_content() {
     if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then
         assets=$(e2e_get_release_assets_filenames "$GITHUB_REF_NAME")
         isPrerelease=$(e2e_is_prerelease "$GITHUB_REF_NAME")
+        isDraft=$(e2e_is_draft "$GITHUB_REF_NAME")
         if [[ -z "$has_assets" ]]; then
             e2e_assert_eq "$assets" "[\"null\",\"null\"]" "there should be no assets"
         else
@@ -117,6 +119,10 @@ verify_provenance_content() {
         if [[ "$is_prerelease" == "true" ]]; then
             assert_true "$isPrerelease" "expected prerelease"
         fi
+
+        if [[ "$is_draft" == "true" ]]; then
+            assert_true "$isDraft" "expected draft"
+        fi
     fi
 }
 

main.go

@@ -1,3 +1,4 @@
+// main package
 package main
 
 import (
@@ -46,7 +47,7 @@ func main() {
 
 	for _, filename := range filenameFlags {
 		fmt.Println("Writing to filename: ", filename)
-		if err := os.WriteFile(filename, []byte(*content), 0644); err != nil {
+		if err := os.WriteFile(filename, []byte(*content), 0o600); err != nil {
 			fmt.Println("error writing to file: %w", err)
 			panic(err)
 		}