
Create a release as part of generic workflow (slsa-framework#413)
* Add ability to upload to a release

* Add release ID output

Co-authored-by: laurentsimon <[email protected]>
ianlewis and laurentsimon authored Jun 29, 2022
1 parent 8e5ff5c commit 2541976
Showing 2 changed files with 71 additions and 21 deletions.
16 changes: 8 additions & 8 deletions .github/workflows/builder_go_slsa3.yml
Expand Up @@ -47,7 +47,7 @@ on:
required: true
type: string
upload-assets:
description: "Whether to upload assets to a GitHub release or not."
description: "If true provenance is uploaded to a GitHub release for new tags."
required: false
type: boolean
default: true
Expand All @@ -61,7 +61,7 @@ on:
required: false
type: string
compile-builder:
description: "Build the builder from source. This increases build time by ~2mn."
description: "Build the builder from source. This increases build time by ~2m."
required: false
type: boolean
default: false
Expand Down Expand Up @@ -181,7 +181,7 @@ jobs:
go-version: ${{ inputs.go-version }}

- name: Download builder
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"

Expand Down Expand Up @@ -241,7 +241,7 @@ jobs:
go-version: ${{ inputs.go-version }}

- name: Download builder
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"

Expand Down Expand Up @@ -328,7 +328,7 @@ jobs:
needs: [build, build-dry]
steps:
- name: Download generated binary
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.GENERATED_BINARY_NAME }}"

Expand Down Expand Up @@ -373,7 +373,7 @@ jobs:
go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
steps:
- name: Download builder
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: "${{ env.BUILDER_BINARY }}"

Expand Down Expand Up @@ -439,7 +439,7 @@ jobs:
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
# Verify binary hash.
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: ${{ needs.build-dry.outputs.go-binary-name }}
- name: Verify binary hash
Expand All @@ -458,7 +458,7 @@ jobs:
echo "$UNTRUSTED_BINARY_HASH $UNTRUSTED_BINARY_NAME" | sha256sum --strict --check --status || exit -2
# Verify provenance hash.
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0.
with:
name: ${{ needs.provenance.outputs.go-provenance-name }}
- name: Verify provenance hash
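Review bot: The pin annotation added to the second download-artifact step in the last hunk reads `# v3.0.0.` with a trailing period, while the other seven pins updated in this file read `# v3.0.0`; use `uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0` there as well. The commit SHA is what actually pins the action, so the comment only documents which tag the SHA corresponds to, which is exactly why it should match byte-for-byte across the file: anyone cross-checking SHA-to-tag mappings will otherwise treat this one as an outlier. The job whose steps these last two hunks belong to starts above the hunk, so its name and permissions are not visible here.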
76 changes: 63 additions & 13 deletions .github/workflows/generator_generic_slsa3.yml
Expand Up @@ -30,29 +30,34 @@ env:
VERIFIER_RELEASE_BINARY_SHA256: 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
VERIFIER_RELEASE: v1.1.1

###################################################################
# #
# Input and output argument definitions #
# #
###################################################################
on:
workflow_call:
inputs:
base64-subjects:
description: "Artifacts for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\\n[...]) and base64 encoded."
required: true
type: string
upload-to-release:
description: "If true provenance is uploaded to a GitHub release for new tags."
required: false
type: boolean
default: true
compile-generator:
description: "Build the generator from source. This increases build time by ~2mn."
description: "Build the generator from source. This increases build time by ~2m."
required: false
type: boolean
default: false
outputs:
release-id:
description: "The name of the release where provenance was uploaded."
value: ${{ jobs.create-release.outputs.release-id }}
attestation-name:
description: "The artifact name of the signed provenance"
value: ${{ jobs.generator.outputs.attestation-name }}

jobs:
# detect-env detects the reusable workflow's repository and ref for use later
# in the workflow.
detect-env:
outputs:
repository: ${{ steps.detect.outputs.repository }}
Expand All @@ -65,14 +70,19 @@ jobs:
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@d995948e8d53cc639c0d3ef69db31dbc243519c4

###################################################################
# #
# Build the generator #
# #
###################################################################
# generator builds the generator binary and runs it to generate SLSA
# provenance.
#
# If `compile-generator` is true then the generator is compiled
# from source at the ref detected by `detect-env`.
#
# If `compile-generator` is false, then the generator binary is downloaded
# with the release at the ref detected by `detect-env`. This must be a tag
# reference.
generator:
outputs:
attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
Expand Down Expand Up @@ -133,8 +143,11 @@ jobs:
set -euo pipefail
# Create and sign provenance
# This sets attestation-name to the name of the signed DSSE envelope.
./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g attestation.intoto.jsonl
echo "::set-output name=attestation-name::attestation.intoto.jsonl"
attestation_name="attestation.intoto.jsonl"
./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g $attestation_name
attestation_sha256=$(sha256sum $attestation_name | awk '{print $1}')
echo "::set-output name=attestation-name::$attestation_name"
echo "::set-output name=attestation-sha256::$attestation_sha256"
- name: Upload the signed provenance
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
Expand All @@ -143,3 +156,40 @@ jobs:
path: "${{ steps.sign-prov.outputs.attestation-name }}"
if-no-files-found: error
retention-days: 5

# create-release creates a release and uploads provenance to the release if
# `upload-to-release` is true.
create-release:
outputs:
release-id: ${{ steps.release.outputs.id }}
runs-on: ubuntu-latest
needs: [generator]
permissions:
contents: write
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-to-release == true
steps:
# Verify provenance hash.
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
with:
name: ${{ needs.generator.outputs.attestation-name }}
- name: Verify provenance hash
env:
UNTRUSTED_PROVENANCE_NAME: "${{ needs.generator.outputs.attestation-name }}"
UNTRUSTED_PROVENANCE_HASH: "${{ needs.generator.outputs.attestation-sha256 }}"
run: |
set -euo pipefail
echo "hash of provenance $UNTRUSTED_PROVENANCE_NAME should be $UNTRUSTED_PROVENANCE_HASH"
COMPUTED_HASH=$(sha256sum "$UNTRUSTED_PROVENANCE_NAME" | awk '{print $1}')
echo "provenance hash computed is $COMPUTED_HASH"
# Compare hashes. Explicit exit to be safe.
echo "$UNTRUSTED_PROVENANCE_HASH $UNTRUSTED_PROVENANCE_NAME" | sha256sum --strict --check --status || exit -2
- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
id: release
with:
files: |
${{ needs.generator.outputs.attestation-name }}
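Review bot: The new `release-id` output is wired to `steps.release.outputs.id`, but its description says "The name of the release where provenance was uploaded", so the documented value does not match what is emitted; suggest `description: "The ID of the GitHub release where provenance was uploaded. Empty when no release was created (non-tag ref, or upload-to-release false)."` — the second clause follows from the `if:` on the create-release job, which skips the whole job and, as far as I can tell from the visible lines, leaves the output unset. In the sign-prov step (whose header lies above the hunk), `$attestation_name` is expanded unquoted on the attest and sha256sum lines while `"$BUILDER_BINARY"` beside it is quoted; the value is a fixed literal today, but `-g "$attestation_name"` and `sha256sum "$attestation_name"` keep the step robust if the name is ever parameterized. In the Verify provenance hash step, `COMPUTED_HASH` is computed and echoed but the actual check is the `sha256sum --strict --check` line, so the variable is diagnostic only; a comment such as `# COMPUTED_HASH is logged for debugging; the check below is authoritative.` would stop a reader from assuming it feeds the comparison.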
