-
Notifications
You must be signed in to change notification settings - Fork 25
Expand file tree
/
Copy pathe2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
More file actions
100 lines (86 loc) · 3.71 KB
/
e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
File metadata and controls
100 lines (86 loc) · 3.71 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
on:
# Only triggered manually for pre-release.
workflow_dispatch:
permissions: read-all
concurrency: "e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_CONTAINER_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
IMAGE_REGISTRY: ghcr.io
# NOTE: This pushes a container image to a "package" under the
# slsa-framework GitHub org.
# The image name should be of the form: slsa-framework/example-package.<test name>
IMAGE_NAME: slsa-framework/example-package.e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3
DEFAULT_VERSION: v27.0.0
jobs:
# Build the Go application into a Docker image
# Push the image to ghcr.io
build:
permissions:
contents: read # For reading repository contents.
packages: write # For writing container images.
outputs:
image: ${{ steps.image.outputs.image }}
digest: ${{ steps.build.outputs.digest }}
runs-on: ubuntu-latest
steps:
- name: Checkout the repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Authenticate Docker
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ${{ env.IMAGE_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}
- name: Build and push Docker image
uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
id: build
with:
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Output image
id: image
run: |
# NOTE: We need to use the image and digest in order to make sure
# that the image we attest has not been modified.
# NOTE: The digest output from docker/build-push-action is of the
# form "sha256:<digest>"
full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}"
echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}"
# Generate SLSA provenance for the image
# Upload the provenance to ghcr.io
provenance:
needs: [build]
permissions:
id-token: write # For signing.
actions: read # For reading workflow info.
packages: write # For uploading attestations.
# uses: ianlewis/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.8.0-rc.2
# uses: laurentsimon/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0-rc.0
# uses: kpk47/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.1-rc.0
# uses: ramonpetgrave64/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0-rc.0
uses: ramonpetgrave64/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0-rc.3
with:
image: ${{ needs.build.outputs.image }}
digest: ${{ needs.build.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
if-succeeded:
runs-on: ubuntu-latest
needs: [provenance]
if: needs.provenance.result == 'success'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: |
set -euo pipefail
echo "This test should fail"
exit 1