Add tag e2e test for generic workflow

.github/workflows/e2e.generic.push.main.default.slsa2.yml

@@ -1,4 +1,5 @@
-name: Generic push main default SLSA 2
+name: Generic push main default SLSA2
+
 on:
   schedule:
     - cron: "0 3 * * *"

.github/workflows/e2e.generic.schedule.main.default.slsa2.yml

@@ -1,4 +1,5 @@
-name: Generic schedule main default SLSA 2
+name: Generic schedule main default SLSA2
+
 on:
   schedule:
     - cron: "0 3 * * *"

.github/workflows/e2e.generic.tag.main.default.slsa2.yml

@@ -0,0 +1,118 @@
+name: generic tag main default SLSA2
+
+on:
+  schedule:
+    - cron: "0 2 * * *"
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" # triggers only if push new tag version, like `0.8.4` or else
+
+env:
+  GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
+  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - id: create
+        # Note: we use v16.x.y
+        run: ./.github/workflows/scripts/e2e-create-release.sh
+
+  shim:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push' && github.ref_type == 'tag'
+    outputs:
+      continue: ${{ steps.verify.outputs.continue }}
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - id: verify
+        run: ./.github/workflows/scripts/e2e-verify-release.sh
+
+  build:
+    runs-on: ubuntu-latest
+    needs: [shim]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    outputs:
+      binary-name: ${{ steps.build.outputs.binary-name }}
+      digest: ${{ steps.hash.outputs.digest }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
+        with:
+          go-version: "1.18"
+      - name: Build artifact
+        id: build
+        run: |
+          go mod vendor
+          go build -mod=vendor -o hello .
+          echo "::set-output name=binary-name::hello"
+      - name: Upload binary
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+        with:
+          name: ${{ steps.build.outputs.binary-name }}
+          path: ${{ steps.build.outputs.binary-name }}
+          if-no-files-found: error
+          retention-days: 5
+      - name: Generate hash
+        shell: bash
+        id: hash
+        env:
+          BINARY_NAME: ${{ steps.build.outputs.binary-name }}
+        run: |
+          set -euo pipefail
+          echo "::set-output name=digest::$(sha256sum $BINARY_NAME | base64 -w0)"
+
+  provenance:
+    needs: [shim, build]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    permissions:
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+      actions: read # For the entrypoint.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/slsa2_provenance.yml@main
+    with:
+      base64-subjects: "${{ needs.build.outputs.digest }}"
+
+  verify:
+    runs-on: ubuntu-latest
+    needs: [shim, build, provenance]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.binary-name }}
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.provenance.outputs.attestation-name }}
+      - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
+        with:
+          go-version: "1.17"
+      - env:
+          BINARY: ${{ needs.build.outputs.binary-name }}
+          PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
+        run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
+
+  if-succeeded:
+    runs-on: ubuntu-latest
+    needs: [shim, build, verify]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - run: ./.github/workflows/scripts/e2e-report-success.sh
+
+  if-failed:
+    runs-on: ubuntu-latest
+    needs: [shim, build, verify]
+    if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - run: ./.github/workflows/scripts/e2e-report-failure.sh

.github/workflows/scripts/e2e-create-release.sh

@@ -1,26 +1,25 @@
-
 #!/usr/bin/env bash
 set -euo pipefail
 
 source "./.github/workflows/scripts/e2e-utils.sh"
 
 RELEASE_TAG=""
 
-THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+THIS_FILE=$(e2e_this_file)
 echo "THIS_FILE: $THIS_FILE"
 
 # List the releases and find the latest for THIS_FILE.
 RELEASE_LIST=$(gh release list)
-while read line; do
+while read -r line; do
     TAG=$(echo "$line" | cut -f1)
     BODY=$(gh release view "$TAG" --json body | jq -r '.body')
     if [[ "$BODY" == *"$THIS_FILE"* ]]; then
         RELEASE_TAG="$TAG"
         break
     fi
-done <<< "$RELEASE_LIST"
+done <<<"$RELEASE_LIST"
 
-if [[ -z "$RELEASE_TAG" ]]; then 
+if [[ -z "$RELEASE_TAG" ]]; then
     echo "Tag not found for $THIS_FILE"
     exit 3
 fi
@@ -39,7 +38,7 @@ TAG="$NEW_RELEASE_TAG"
 
 echo "New release tag used: $TAG"
 
-cat << EOF > DATA
+cat <<EOF >DATA
 **E2e release creation**:
 Tag: $TAG
 Branch: $BRANCH

.github/workflows/scripts/e2e-utils.sh

@@ -4,6 +4,12 @@
 
 source "./.github/workflows/scripts/e2e-assert.sh"
 
+# Gets the name of the currently running workflow file.
+# Note: this requires GH_TOKEN to be set in the workflows.
+e2e_this_file() {
+    gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3
+}
+
 # Converter from yaml to JSON.
 #sudo apt-get install jc
 
@@ -44,7 +50,7 @@ e2e_verify_predicate_builder_id() {
     _e2e_verify_query "$1" "$2" '.predicate.builder.id'
 }
 
-e2e_verify_predicate_builderType() {
+e2e_verify_predicate_buildType() {
     _e2e_verify_query "$1" "$2" '.predicate.buildType'
 }
 
@@ -69,7 +75,8 @@ e2e_verify_predicate_buildConfig_step_command() {
 # $3: expected value.
 e2e_verify_predicate_buildConfig_step_env() {
     local attestation="$2"
-    local expected="$(echo -n "$3" | jq -c '.| sort')"
+    local expected
+    expected="$(echo -n "$3" | jq -c '.| sort')"
 
     if [[ "${expected}" == "[]" ]]; then
         _e2e_verify_query "${attestation}" "null" ".predicate.buildConfig.steps[$1].env"

.github/workflows/scripts/e2e-verify-release.sh

@@ -3,7 +3,7 @@ set -euo pipefail
 
 source "./.github/workflows/scripts/e2e-utils.sh"
 
-THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
+THIS_FILE=$(e2e_this_file)
 echo "THIS_FILE: $THIS_FILE"
 
 if [[ "$GITHUB_REF_TYPE" != "tag" ]]; then
@@ -14,7 +14,7 @@ fi
 # 1- Verify the branch
 # WARNING: GITHUB_BASE_REF is empty on tag releases.
 BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
-ENV_BRANCH=$(cat "$GITHUB_EVENT_PATH" | jq -r '.base_ref')
+ENV_BRANCH=$(jq -r '.base_ref' <"$GITHUB_EVENT_PATH")
 
 if [[ "$ENV_BRANCH" != "refs/heads/$BRANCH" ]]; then
     echo "mismatch branch: file contains refs/heads/$BRANCH; GitHub env contains $ENV_BRANCH"
@@ -26,7 +26,5 @@ fi
 TAG="$GITHUB_REF_NAME"
 BODY=$(gh release view "$TAG" --json body | jq -r '.body')
 if [[ "$BODY" == *"$THIS_FILE"* ]]; then
-    RELEASE_TAG="$TAG"
     echo "::set-output name=continue::yes"
 fi
-

.github/workflows/scripts/e2e-verify.common.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+#
+# This file contains tests for common fields of Github Actions provenance.
+
+source "./.github/workflows/scripts/e2e-utils.sh"
+
+# Runs all generic SLSA checks that shouldn't change on a per-builder basis.
+# $1: the attestation content
+e2e_verify_common_all() {
+    e2e_verify_common_builder "$1"
+    e2e_verify_common_invocation "$1"
+    e2e_verify_common_metadata "$1"
+    e2e_verify_common_materials "$1"
+}
+
+# Verifies the builder for generic provenance.
+# $1: the attestation content
+e2e_verify_common_builder() {
+    :
+}
+
+# Verifies the invocation for generic provenance.
+# $1: the attestation content
+e2e_verify_common_invocation() {
+    # NOTE: We set GITHUB_WORKFLOW to the entryPoint for pull_requests.
+    # TODO(github.com/slsa-framework/slsa-github-generator/issues/131): support retrieving entryPoint in pull requests.
+    e2e_verify_predicate_invocation_configSource "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"},\"entryPoint\":\".github/workflows/$(e2e_this_file)\"}"
+
+    e2e_verify_predicate_invocation_environment "$1" "github_actor" "$GITHUB_ACTOR"
+    e2e_verify_predicate_invocation_environment "$1" "github_sha1" "$GITHUB_SHA"
+    # e2e_verify_predicate_invocation_environment "$1" "os" "ubuntu20"
+    # e2e_verify_predicate_invocation_environment "$1" "arch" "X64"
+    e2e_verify_predicate_invocation_environment "$1" "github_event_name" "$GITHUB_EVENT_NAME"
+    e2e_verify_predicate_invocation_environment "$1" "github_ref" "$GITHUB_REF"
+    e2e_verify_predicate_invocation_environment "$1" "github_ref_type" "$GITHUB_REF_TYPE"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_id" "$GITHUB_RUN_ID"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_number" "$GITHUB_RUN_NUMBER"
+    e2e_verify_predicate_invocation_environment "$1" "github_run_attempt" "$GITHUB_RUN_ATTEMPT"
+    ACTOR_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /users/"$GITHUB_ACTOR" | jq -r '.id')
+    OWNER_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /users/"$GITHUB_REPOSITORY_OWNER" | jq -r '.id')
+    REPO_ID=$(gh api -H "Accept: application/vnd.github.v3+json" /repos/"$GITHUB_REPOSITORY" | jq -r '.id')
+    e2e_verify_predicate_invocation_environment "$1" "github_actor_id" "$ACTOR_ID"
+    e2e_verify_predicate_invocation_environment "$1" "github_repository_owner_id" "$OWNER_ID"
+    e2e_verify_predicate_invocation_environment "$1" "github_repository_id" "$REPO_ID"
+}
+
+# Verifies the expected metadata.
+# $1: the attestation content
+e2e_verify_common_metadata() {
+    e2e_verify_predicate_metadata "$1" "{\"buildInvocationID\":\"$GITHUB_RUN_ID-$GITHUB_RUN_ATTEMPT\",\"completeness\":{\"parameters\":true,\"environment\":false,\"materials\":false},\"reproducible\":false}"
+}
+
+# Verifies the materials include the GitHub repository.
+# $1: the attestation content
+e2e_verify_common_materials() {
+    e2e_verify_predicate_materials "$1" "{\"uri\":\"git+https://github.com/$GITHUB_REPOSITORY@$GITHUB_REF\",\"digest\":{\"sha1\":\"$GITHUB_SHA\"}}"
+}
+
+# Runs a verification command for each version of slsa-verifier.
+# $1: command to run. The command should take the verifier binary as an
+#     argument.
+e2e_run_verifier_all_releases() {
+    VERIFIER_REPOSITORY="slsa-framework/slsa-verifier"
+    VERIFIER_BINARY="slsa-verifier-linux-amd64"
+    VERIFY_COMMAND=$1
+
+    # First, verify provenance with the verifier at HEAD.
+    go env -w GOFLAGS=-mod=mod
+    go install "github.com/$VERIFIER_REPOSITORY@latest"
+    echo "**** Verifying provenance with verifier at HEAD *****"
+    verify_provenance "slsa-verifier"
+
+    # Second, retrieve all previous versions of the verifier,
+    # and verify the provenance. This is essentially regression tests.
+    RELEASE_LIST=$(gh release -R "$VERIFIER_REPOSITORY" -L 100 list)
+    echo "Releases found:"
+    echo "$RELEASE_LIST"
+    echo
+
+    while read -r line; do
+        TAG=$(echo "$line" | cut -f1)
+        echo "  *** Starting with verifier at $TAG ****"
+
+        # Always remove the binary, because `gh release download` fails if the file already exists.
+        if [[ -f "$VERIFIER_BINARY" ]]; then
+            # Note: Don't quote `$VERIFIER_BINARY*`, as it will cause new lines to be inserted and
+            # deletion will fail.
+            rm $VERIFIER_BINARY*
+        fi
+
+        gh release -R "$VERIFIER_REPOSITORY" download "$TAG" -p "$VERIFIER_BINARY*" || exit 10
+
+        # Use the compiled verifier to verify the provenance (Optional)
+        slsa-verifier --branch "main" \
+            --tag "$TAG" \
+            --artifact-path "$VERIFIER_BINARY" \
+            --provenance "$VERIFIER_BINARY.intoto.jsonl" \
+            --source "github.com/$VERIFIER_REPOSITORY" || exit 6
+
+        echo "**** Verifying provenance with verifier at $TAG ****"
+        chmod a+x "./$VERIFIER_BINARY"
+        $VERIFY_COMMAND "./$VERIFIER_BINARY"
+
+    done <<<"$RELEASE_LIST"
+}