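---
# End-to-end test of the slsa-verifier installer action (./actions/installer).
#
# Daily (and on manual dispatch with an explicit version) this workflow:
#   1. builds the list of verifier versions to exercise (list-verifiers),
#   2. for each version, installs it by tag and by the tag's commit SHA and
#      checks the binary reports the expected version, then checks that
#      an invalid commit, a non-existent tag and an empty ref are rejected
#      (verifier-run),
#   3. reports success or failure to the example-package issue tracker.
name: verifier action

on:
  # Daily run.
  schedule:
    - cron: "0 4 * * *"
  workflow_dispatch:
    inputs:
      version:
        type: string
        description: The version to test for pre-release.
        required: false

# Read-only token by default; only the two reporting jobs escalate to `issues: write`.
permissions: read-all

env:
  GH_TOKEN: ${{ github.token }}
  ISSUE_REPOSITORY: ${{ github.repository }}
  # Not referenced in this file; presumably read by verifier-installer.sh — verify there.
  MINIMUM_INSTALLER_VERSION: v2.0.1

jobs:
  # Produces the JSON list of versions that verifier-run fans out over.
  list-verifiers:
    runs-on: ubuntu-latest
    outputs:
      # NOTE: version output is a JSON list of version numbers.
      # https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
      # https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
      version: ${{ steps.generate-versions.outputs.version }}
    steps:
      - name: Checkout example-package
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          # NOTE: the example-package needs to be checked out in the default workspace.
          repository: slsa-framework/example-package
          ref: main

      - name: Checkout this repository
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          path: __THIS_REPO__

      # Scheduled runs: the script emits the full list of released versions.
      - name: Generate verifier list
        if: inputs.version == ''
        id: generate-list
        run: ./__THIS_REPO__/.github/workflows/scripts/schedule.actions/verifier-installer.sh

      # Manual runs: a single-element JSON list holding the requested version.
      - name: Generate pre-release list
        if: inputs.version != ''
        id: generate-prerelease
        env:
          PRE_RELEASE_VERSION: ${{ inputs.version }}
        run: echo "version=[\"$PRE_RELEASE_VERSION\"]" >> "$GITHUB_OUTPUT"

      # Exactly one of the two steps above ran; forward its list as the job output.
      - name: Select version list
        id: generate-versions
        env:
          PRE_RELEASE_VERSION: ${{ steps.generate-prerelease.outputs.version }}
          LIST_VERSION: ${{ steps.generate-list.outputs.version }}
        run: |
          if [[ -n $PRE_RELEASE_VERSION ]]; then
            echo "version=$PRE_RELEASE_VERSION" >> "$GITHUB_OUTPUT"
          else
            echo "version=$LIST_VERSION" >> "$GITHUB_OUTPUT"
          fi

  # One matrix leg per version from list-verifiers.
  verifier-run:
    needs: list-verifiers
    runs-on: ubuntu-latest
    strategy:
      matrix:
        version: ${{ fromJson(needs.list-verifiers.outputs.version) }}
    steps:
      - name: Debug
        env:
          VERSION: ${{ matrix.version }}
        run: echo "version is '$VERSION'"

      - name: Checkout this repository
        # Skip release candidates unless specified explicitly.
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
        with:
          ref: ${{ matrix.version }}

      # Install at tag.
      # ==============
      - name: Run the Action at tag
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        env:
          SLSA_VERIFIER_CI_ACTION_REF: ${{ matrix.version }}
        uses: ./actions/installer

      - name: Verify the version
        env:
          VERSION: ${{ matrix.version }}
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        run: |
          version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]")
          slsa-verifier version
          echo "version: $version"
          echo "VERSION: $VERSION"
          # NOTE: the version reported by the slsa-verifier does not contain the leading `v`.
          # `${VERSION:1}` strips one character, so matrix versions are expected to start with `v`.
          [ "$version" == "${VERSION:1}" ]

      # Remove the tag install so the next install cannot pass by accident.
      - name: Delete the binary
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        run: |
          binary_path=$(which slsa-verifier)
          echo "binary_path: $binary_path"
          rm -rf "$binary_path"

      # Install at commit sha.
      # =====================
      - name: Get sha1
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        id: commit
        env:
          VERSION: ${{ matrix.version }}
        # VERSION is passed through the environment, not interpolated into the script,
        # so a crafted version string cannot alter the shell command.
        run: |
          commit_sha=$(gh api -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/git/ref/tags/$VERSION" | jq -r '.object.sha')
          echo "commit_sha=$commit_sha" >> "$GITHUB_OUTPUT"

      - name: Run the Action at commit
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        env:
          SLSA_VERIFIER_CI_ACTION_REF: ${{ steps.commit.outputs.commit_sha }}
        uses: ./actions/installer

      - name: Verify the version
        env:
          VERSION: ${{ matrix.version }}
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        run: |
          version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]")
          slsa-verifier version
          echo "version: $version"
          echo "VERSION: $VERSION"
          # NOTE: the version reported by the slsa-verifier does not contain the leading `v`.
          [ "$version" == "${VERSION:1}" ]

      - name: Delete the binary
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        run: |
          binary_path=$(which slsa-verifier)
          echo "binary_path: $binary_path"
          rm -rf "$binary_path"

      # Install at invalid commit.
      # =========================
      # Negative tests: each install is expected to fail, so the step runs with
      # continue-on-error and the following step asserts outcome == 'failure'.
      - name: Install invalid commit
        id: invalid-commit
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        continue-on-error: true
        env:
          SLSA_VERIFIER_CI_ACTION_REF: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73
        uses: ./actions/installer
      - env:
          SUCCESS: ${{ steps.invalid-commit.outcome == 'failure' }}
        run: |
          [ "$SUCCESS" == "true" ]

      # Install at non-existent tag.
      # =========================
      - name: Install non-existent tag
        id: nonexistent-tag
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        continue-on-error: true
        env:
          # NOTE: actions/installer checks for valid semantic version numbers.
          SLSA_VERIFIER_CI_ACTION_REF: v100.3.5
        uses: ./actions/installer
      - env:
          SUCCESS: ${{ steps.nonexistent-tag.outcome == 'failure' }}
        run: |
          [ "$SUCCESS" == "true" ]

      # Install at empty tag.
      # =====================
      - name: Install empty tag
        id: empty-tag
        if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
        continue-on-error: true
        env:
          # Explicit empty string; a bare `key:` is YAML null and relies on the
          # runner's null-to-"" coercion.
          SLSA_VERIFIER_CI_ACTION_REF: ""
        uses: ./actions/installer
      - env:
          SUCCESS: ${{ steps.empty-tag.outcome == 'failure' }}
        run: |
          [ "$SUCCESS" == "true" ]

  if-succeed:
    needs: [verifier-run, list-verifiers]
    runs-on: ubuntu-latest
    # We use `!= 'failure'` instead of `== 'success'` because we want to ignore skipped jobs, if there are any.
    if: inputs.version == '' && needs.verifier-run.result != 'failure' && needs.list-verifiers.result != 'failure'
    permissions:
      contents: read
      issues: write
    steps:
      # NOTE(review): pinned to v2.6.0 while the jobs above pin v3.2.0 — consider aligning.
      - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
        with:
          repository: slsa-framework/example-package
          ref: main
      - run: ./.github/workflows/scripts/e2e-report-success.sh

  if-failed:
    needs: [verifier-run, list-verifiers]
    runs-on: ubuntu-latest
    # always() so this job still runs when an upstream job failed.
    if: always() && inputs.version == '' && (needs.verifier-run.result == 'failure' || needs.list-verifiers.result == 'failure')
    permissions:
      contents: read
      issues: write
    steps:
      # NOTE(review): pinned to v2.6.0 while the jobs above pin v3.2.0 — consider aligning.
      - uses: actions/checkout@dc323e67f16fb5f7663d20ff7941f27f5809e9b6 # v2.6.0
        with:
          repository: slsa-framework/example-package
          ref: main
      - run: ./.github/workflows/scripts/e2e-report-failure.sh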