-
Notifications
You must be signed in to change notification settings - Fork 26
80 lines (68 loc) · 2.4 KB
/
e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
on:
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
permissions: read-all
env:
PAT_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
GH_TOKEN: ${{ github.token }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
jobs:
build:
outputs:
digests: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2
- name: Upload artifacts
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
name: artifacts
if-no-files-found: error
retention-days: 5
path: |
artifact1
artifact2
- name: Generate hashes
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "::set-output name=hashes::something invalid | base64 -w0)"
provenance:
needs: [build]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
compile-generator: true
if-failed-build:
runs-on: ubuntu-latest
needs: [build]
if: always() && needs.build.result == 'failure'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh
if-failed-provenance:
runs-on: ubuntu-latest
needs: [build, provenance]
if: always() && needs.build.result == 'success' && needs.provenance.result == 'failure'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-succeeded-provenance:
runs-on: ubuntu-latest
needs: [build, provenance]
if: always() && needs.build.result == 'success' && needs.provenance.result == 'success'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh