Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: Add the workflow #15

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
106 changes: 106 additions & 0 deletions .github/workflows/slsa3.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
name: SLSA3 Builder

permissions: {}

on:
workflow_call:
# NOTE: You need to maintain the defaults here as well as your main
# action.yml
inputs:
# TODO: Update the inputs for your workflow.
# In most cases, thes should mirror your action's inputs.
message:
required: false
type: string
description: 'The message'
default: 'Hello World!'
file:
required: false
type: string
description: 'File name to write the message to.'
default: 'message.txt'
version:
required: false
type: string
description: 'Version of figure to use.'
default: 'v0.0.2'

# NOTE: the additional inputs below are to support additional
# functionality of the workflow.
rekor-log-public:
description: 'Allow publication of your repository name on the public Rekor log'
required: false
type: boolean
default: false

# TODO: Add secrets if necessary.
# secrets:
# hoge:
# required: true
# description: "lorem ipsum"

jobs:
slsa-setup:
permissions:
id-token: write # For token creation.
outputs:
slsa-token: ${{ steps.generate.outputs.slsa-token }}
runs-on: ubuntu-latest
steps:
- name: Generate the token
id: generate
# TODO(github.com/ianlewis/slsa-byob-template/issues/11): Update version once released.
uses: slsa-framework/slsa-github-generator/actions/delegator/setup-token@main
with:
slsa-workflow-recipient: 'delegator_generic_slsa3.yml'
slsa-rekor-log-public: ${{ inputs.rekor-log-public }}
slsa-runner-label: 'ubuntu-latest'
slsa-build-action-path: './internal/action-wrapper'
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1575): mask sensitive fields.
slsa-workflow-inputs: ${{ toJson(inputs) }}

slsa-run:
needs: [slsa-setup]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
# actions: read # For the entrypoint.
packages: write # For publishing to GitHub packages.
uses: slsa-framework/slsa-github-generator/.github/workflows/delegator_generic_slsa3.yml@main
with:
slsa-token: ${{ needs.slsa-setup.outputs.slsa-token }}
# TODO: Set secrets if necessary.
# secrets:
# secret1: ${{ secrets.github-token }}
# secret2: ${{ secrets.mysecret }}

slsa-publish:
needs: [slsa-run]
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write # For asset uploads. Optional
runs-on: ubuntu-latest
steps:
- name: Download attestations
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.slsa-run.outputs.attestations-download-name }}

- name: Download artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ inputs.file }}

# TODO(github.com/ianlewis/slsa-byob-template/issues/10): verify the attestation before upload.
- name: Verify attestations
env:
SLSA_ATTESTATION_DOWNLOAD_NAME: ${{ needs.slsa-run.outputs.attestations-download-name }}
run: |
echo "download from $SLSA_ATTESTATION_DOWNLOAD_NAME"

- name: Upload artifact and provenance
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with:
files: |
${{ inputs.file }}
*.sigstore