feat: npm default runner support (#495)

* update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> * update Signed-off-by: laurentsimon <laurentsimon@google.com> --------- Signed-off-by: laurentsimon <laurentsimon@google.com>
2026-05-07 00:56:39 +00:00 · 2023-03-02 13:53:29 -08:00
parent 12910ea596
commit 82a12591ff
36 changed files with 2941 additions and 240 deletions
--- a/.github/workflows/scripts/e2e-cli.sh
+++ b/.github/workflows/scripts/e2e-cli.sh
@@ -1,19 +1,42 @@
 #!/bin/bash

+repo="slsa-framework/example-package"
+api_version="X-GitHub-Api-Version: 2022-11-28"
 # Verify provenance authenticity with slsa-verifier at HEAD

+download_artifact(){
+  local run_id="$1"
+  local artifact_name="$2"
+  # Get the artifact ID for 'artifact1'
+  artifact_id=$(gh api   -H "Accept: application/vnd.github+json" -H "$api_version" "/repos/$repo/actions/runs/$run_id/artifacts" | jq ".artifacts[] | select(.name == \"$artifact_name\") | .id")
+  echo "artifact_id:$artifact_id"
+
+  gh api -H "Accept: application/vnd.github+json" -H "$api_version" "/repos/$repo/actions/artifacts/$artifact_id/zip" > "$artifact_name.zip"
+  unzip "$artifact_name".zip
+}
+
+# Get workflow ID.
+workflow_id=$(gh api -H "Accept: application/vnd.github+json" -H "$api_version" "/repos/$repo/actions/workflows?per_page=100" | jq '.workflows[] | select(.path == ".github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml") | .id')
+echo "workflow_id:$workflow_id"
+
+# Get the run ID for the most recent run.
+run_id=$(gh api -H "Accept: application/vnd.github+json" -H "$api_version" "/repos/$repo/actions/workflows/$workflow_id/runs?per_page=1" | jq '.workflow_runs[0].id')
+echo "run_id:$run_id"
+
+download_artifact "$run_id" "artifacts1"
+download_artifact "$run_id" "attestation1.intoto.jsonl"

 cd __EXAMPLE_PACKAGE__
 # shellcheck source=/dev/null
 source "./.github/workflows/scripts/e2e-verify.common.sh"

 # Set THIS_FILE to correspond with the artifact properties
-export THIS_FILE=e2e.go.workflow_dispatch.main.config-noldflags.slsa3.yml
+export THIS_FILE=e2e.generic.schedule.main.multi-uses.slsa3.yml
 export BRANCH=main

 # Set BINARY and PROVENANCE
 cd -
-export BINARY=__THIS_REPO__/cli/slsa-verifier/testdata/gha_go/v1.2.2/binary-linux-amd64-workflow_dispatch
-export PROVENANCE=__THIS_REPO__/cli/slsa-verifier/testdata/gha_go/v1.2.2/binary-linux-amd64-workflow_dispatch.intoto.jsonl
+export BINARY=artifact1
+export PROVENANCE=attestation1.intoto.jsonl

-GITHUB_REPOSITORY=slsa-framework/example-package verify_provenance_authenticity "./__THIS_REPO__/slsa-verifier" "HEAD"
+GITHUB_REPOSITORY="$repo" verify_provenance_authenticity "./__THIS_REPO__/slsa-verifier" "HEAD"