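---
# Reusable workflow: generate SLSA provenance for an already-built container
# image (via the slsa-framework generator), then verify that provenance with
# slsa-verifier. Callers invoke it with `uses:` and supply the inputs below.
name: slsa-provenance-create
on:
  workflow_call:
    inputs:
      image_digest:
        description: 'Fully-qualified image digest to verify (registry/image@sha256:digest)'
        required: true
        type: string
      auth_provider:
        description: 'OIDC provider ID'
        required: true
        type: string
      auth_user:
        description: 'OIDC user ID'
        required: true
        type: string
      cosign_version:
        # NOTE(review): declared as required but not referenced by any job in
        # this file; kept so existing callers that pass it keep working.
        description: 'The version of cosign to use'
        required: true
        type: string

# Baseline token scope for every job; each job widens it explicitly below.
permissions:
  contents: read

jobs:
  # Split "registry/image@sha256:..." into the image reference and the digest,
  # which the SLSA generator consumes as two separate inputs.
  conf:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      image: ${{ steps.conf.outputs.image }}
      digest: ${{ steps.conf.outputs.digest }}
    steps:
      - name: Export Config
        id: conf
        # The caller-controlled input is handed to the script through an
        # environment variable rather than expanded into the script text, so
        # its content is never parsed as shell syntax.
        env:
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        shell: bash
        run: |
          # Fail fast if the separator is missing; otherwise both outputs
          # below would silently receive the whole input string.
          if [[ "$IMAGE_DIGEST" != *@* ]]; then
            echo "::error::image_digest must be of the form registry/image@sha256:<digest>"
            exit 1
          fi
          echo "image=${IMAGE_DIGEST%%@*}" >> "$GITHUB_OUTPUT"
          echo "digest=${IMAGE_DIGEST#*@}" >> "$GITHUB_OUTPUT"

  # Delegates provenance generation to the reusable SLSA generator workflow.
  provenance:
    needs:
      - conf
    # Scopes required by the reusable generator workflow; `uses:` jobs must
    # declare them explicitly because the baseline above is contents: read.
    permissions:
      actions: read
      id-token: write
      packages: write
    # NOTE(review): the ref after '@' was mangled during extraction of this
    # page; restore it from the repository and prefer pinning to a full commit
    # SHA, as the actions in the verify job already do.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: ${{ needs.conf.outputs.image }}
      digest: ${{ needs.conf.outputs.digest }}
      registry-username: ${{ github.actor }}
      gcp-workload-identity-provider: ${{ inputs.auth_provider }}
      gcp-service-account: ${{ inputs.auth_user }}

  # Independently verifies the provenance the previous job produced.
  verify:
    needs:
      - provenance
    runs-on: ubuntu-latest
    permissions:
      actions: read
      id-token: write  # OIDC token exchanged for GCP credentials in the auth step
    steps:
      # NOTE(review): no later step reads the checked-out tree; retained from
      # the original workflow, confirm whether it is still needed.
      - name: Checkout Code
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - id: auth
        name: Auth GCP
        uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
        with:
          token_format: "access_token"
          workload_identity_provider: ${{ inputs.auth_provider }}
          service_account: ${{ inputs.auth_user }}
      - uses: slsa-framework/slsa-verifier/actions/installer@c9abffe4d2ab2ffa0b2ea9b2582b84164f390adc # v2.0.1
      # SLSA provenance verification using slsa-verifier.
      - name: Verify SLSA Provenance
        # Same pattern as the conf job: pass the input via env, not by
        # expanding it into the script.
        env:
          IMAGE_DIGEST: ${{ inputs.image_digest }}
        # NOTE(review): GITHUB_REF_NAME is a branch name on non-tag runs, in
        # which case --source-tag will not match; confirm this workflow is
        # only called from tag builds or switch to --source-branch there.
        run: |-
          slsa-verifier version
          slsa-verifier verify-image "$IMAGE_DIGEST" \
            --source-uri "github.com/$GITHUB_REPOSITORY" \
            --source-tag "$GITHUB_REF_NAME"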