-
Notifications
You must be signed in to change notification settings - Fork 128
124 lines (111 loc) · 4.62 KB
/
generator_generic_slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
# Copyright 2022 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: SLSA provenance generator
env:
# Builder
BUILDER_BINARY: generic-builder
permissions:
contents: read
###################################################################
# #
# Input and output argument definitions #
# #
###################################################################
"on":
workflow_call:
inputs:
base64-subjects:
description: "Artifacts for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\\n[...]) and base64 encoded."
required: true
type: string
outputs:
attestation-name:
description: "The artifact name of the signed provenance"
value: ${{ jobs.generator.outputs.attestation-name }}
jobs:
detect-env:
outputs:
repository: ${{ steps.detect.outputs.repository }}
ref: ${{ steps.detect.outputs.ref }}
runs-on: ubuntu-latest
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
steps:
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@bbeae84f20f78877b7ba56f324b993c3ee576cf1
###################################################################
# #
# Build the generator #
# #
###################################################################
generator:
outputs:
attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
id-token: write # Needed for keyless.
contents: read
# actions permissions are needed to read info on the workflow and
# workflow run.
actions: read
steps:
- name: Checkout the repository
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
with:
fetch-depth: 1
repository: "${{ needs.detect-env.outputs.repository }}"
ref: "${{ needs.detect-env.outputs.ref }}"
- name: Set up golang environment
uses: actions/setup-go@b22fbbc2921299758641fab08929b4ac52b32923 # v3.2.0
with:
go-version: 1.18
- name: Download dependencies
shell: bash
run: |
set -euo pipefail
#TODO(reproducible)
go mod vendor
# TODO(hermeticity) OS-level.
- name: Build slsa-github-generator
shell: bash
id: generator-gen
run: |
set -euo pipefail
# https://go.dev/ref/mod#build-commands.
go build -mod=vendor -o "$BUILDER_BINARY" github.com/slsa-framework/slsa-github-generator/internal/builders/generic
chmod a+x "$BUILDER_BINARY"
- name: Create and sign provenance
id: sign-prov
shell: bash
# NOTE: Inputs and github context are set to environment variables in
# order to avoid script injection.
# See: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections
env:
SUBJECTS: "${{ inputs.base64-subjects }}"
GITHUB_CONTEXT: "${{ toJSON(github) }}"
run: |
set -euo pipefail
# Create and sign provenance
# This sets attestation-name to the name of the signed DSSE envelope.
./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g attestation.intoto.jsonl
echo "::set-output name=attestation-name::attestation.intoto.jsonl"
- name: Upload the signed provenance
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
with:
name: "${{ steps.sign-prov.outputs.attestation-name }}"
path: "${{ steps.sign-prov.outputs.attestation-name }}"
if-no-files-found: error
retention-days: 5