Merge pull request #27 from ianlewis/fix-perms

Fix prov-only e2e tests and permissions

.github/workflows/e2e.generic.push.main.default.slsa2.yml

@@ -9,7 +9,6 @@ on:
 env:
   GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
   ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
-  THIS_FILE: e2e.generic.push.main.default.slsa2.yml
 
 jobs:
   push:
@@ -68,6 +67,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      actions: read
     uses: slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@main
     with:
       subjects: "${{ needs.build.outputs.digest }}"

.github/workflows/e2e.generic.schedule.main.default.slsa2.yml

@@ -4,6 +4,10 @@ on:
     - cron: "0 3 * * *"
   workflow_dispatch:
 
+env:
+  GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
+  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
+
 jobs:
   build:
     outputs:
@@ -82,15 +86,15 @@ jobs:
   if-succeeded:
     runs-on: ubuntu-latest
     needs: [build, provenance, verify]
-    if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
+    if: needs.build.result == 'success' && needs.verify.result == 'success'
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-success.sh
 
   if-failed:
     runs-on: ubuntu-latest
     needs: [build, provenance, verify]
-    if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
+    if: always() && (needs.build.result == 'failure' || needs.verify.result == 'failure')
     steps:
       - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-failure.sh

.github/workflows/scripts/e2e-utils.sh

@@ -7,11 +7,6 @@ source "./.github/workflows/scripts/e2e-assert.sh"
 # Converter from yaml to JSON.
 #sudo apt-get install jc
 
-if [[ -z "$CONFIG_FILE" ]]; then
-    echo "env variable CONFIG_FILE not set"
-    exit 2
-fi
-
 # File is BODY in current directory.
 _create_issue_body() {
     RUN_DATE=$(date --utc)
@@ -75,19 +70,19 @@ e2e_verify_predicate_buildConfig_step_command() {
 e2e_verify_predicate_buildConfig_step_env() {
     local attestation="$2"
     local expected="$(echo -n "$3" | jq -c '.| sort')"
-    
+
     if [[ "${expected}" == "[]" ]]; then
-        _e2e_verify_query "${attestation}" "null"  ".predicate.buildConfig.steps[$1].env"
+        _e2e_verify_query "${attestation}" "null" ".predicate.buildConfig.steps[$1].env"
     else
-        _e2e_verify_query "${attestation}" "${expected}"  ".predicate.buildConfig.steps[$1].env | sort"
+        _e2e_verify_query "${attestation}" "${expected}" ".predicate.buildConfig.steps[$1].env | sort"
     fi
 }
 
 # $1: step number
 # $2: the attestation content
 # $3: expected value.
 e2e_verify_predicate_buildConfig_step_workingDir() {
-     _e2e_verify_query "$2" "$3" ".predicate.buildConfig.steps[$1].workingDir"
+    _e2e_verify_query "$2" "$3" ".predicate.buildConfig.steps[$1].workingDir"
 }
 
 e2e_verify_predicate_metadata() {

.github/workflows/scripts/e2e.generic.default.verify.sh

@@ -7,6 +7,8 @@ go env -w GOFLAGS=-mod=mod
 # Install from HEAD
 go install github.com/slsa-framework/slsa-verifier@latest
 
+THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+
 BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
 
 echo "branch is $BRANCH"
@@ -122,10 +124,10 @@ ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d)
 ASSETS=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep -v noassets)
 DIR="$PWD"
 e2e_verify_predicate_subject_name "$ATTESTATION" "$BINARY"
-e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/main"
-e2e_verify_predicate_builderType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator-go@v1"
+e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@refs/heads/main"
+e2e_verify_predicate_builderType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator@v1"
 
-e2e_verify_predicate_invocation_configSource "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\"$GITHUB_WORKFLOW\"}"
+e2e_verify_predicate_invocation_configSource "$ATTESTATION" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\".github/workflows/$THIS_FILE\"}"
 
 e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_actor" "$GITHUB_ACTOR"
 e2e_verify_predicate_invocation_environment "$ATTESTATION" "github_sha1" "$GITHUB_SHA"