github/slsa-verifier
1
0
Fork 0
mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-07 00:56:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
62c0dfdde996b84c42e8c4ea5cf0db07b0cdaa9f
slsa-verifier/.github/workflows/release.yml
Mend Renovate 9c3152fe9f chore(deps): update github-actions (#544) 
Signed-off-by: Renovate Bot <bot@renovateapp.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
2023-04-11 02:09:29 +00:00

120 lines
3.8 KiB
YAML
Raw Blame History

name: Verifier releaser
on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4`.
# Run daily as a dry-run/test.
schedule:
- cron: "0 1 * * *"
permissions: read-all
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-verifier
# In case daily runs fail, the label for filing the issue
HEADER: release
jobs:
# Generate ldflags dynamically.
args:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- id: checkout
uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
fetch-depth: 0
- id: ldflags
run: |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
builder:
name: builder-${{matrix.os}}-${{matrix.arch}}
needs: [args]
strategy:
matrix:
os:
- linux
- windows
- darwin
arch:
- amd64
- arm64
permissions:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
with:
go-version: 1.18
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
compile-builder: true
evaluated-envs: "VERSION:${{needs.args.outputs.version}}"
verification:
needs: [builder]
runs-on: ubuntu-latest
if: github.event_name != 'schedule'
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.1.0
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$ARTIFACT"
if-succeed:
needs: [args, builder]
runs-on: ubuntu-latest
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any.
if: github.event_name == 'schedule' && needs.args.result != 'failure' && needs.builder.result != 'failure'
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
needs: [args, builder]
runs-on: ubuntu-latest
if: always() && github.event_name == 'schedule' && (needs.args.result == 'failure' || needs.builder.result == 'failure')
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-failure.sh
Reference in New Issue View Git Blame Copy Permalink