slsa-framework · ianlewis · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
@@ -1,4 +1,4 @@
-name: Generic (Bazel) push main default SLSA2
+name: Generic (Bazel) push main default SLSA3
 
 on:
   schedule:
@@ -18,7 +18,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-push.sh
 
   build:
@@ -72,7 +72,7 @@ jobs:
     needs: [build, provenance]
     if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
         with:
           name: ${{ needs.build.outputs.binary-name }}
@@ -92,13 +92,13 @@ jobs:
     needs: [build, provenance, verify]
     if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-success.sh
 
   if-failed:
     runs-on: ubuntu-latest
     needs: [build, provenance, verify]
     if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-failure.sh
@@ -1,4 +1,4 @@
-name: Generic (Bazel) schedule main default SLSA2
+name: Generic (Bazel) schedule main default SLSA3
 
 on:
   schedule:

@@ -19,7 +19,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - id: create
         # Note: we use v21.x.y
         run: ./.github/workflows/scripts/e2e-create-release.sh
@@ -30,7 +30,7 @@ jobs:
     outputs:
       continue: ${{ steps.verify.outputs.continue }}
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - id: verify
         run: ./.github/workflows/scripts/e2e-verify-release.sh
 
@@ -86,7 +86,7 @@ jobs:
     needs: [shim, build, provenance]
     if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
         with:
           name: ${{ needs.build.outputs.binary-name }}
@@ -106,13 +106,13 @@ jobs:
     needs: [shim, build, verify]
     if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-success.sh
 
   if-failed:
     runs-on: ubuntu-latest
     needs: [shim, build, verify]
     if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-failure.sh
@@ -1,4 +1,4 @@
-name: Generic (Bazel) workflow_dispatch main default SLSA2
+name: Generic (Bazel) workflow_dispatch main default SLSA3
 
 "on":
   schedule:

@@ -0,0 +1,128 @@
+name: Generic push branch1 default SLSA3
+
+on:
+  schedule:
+    - cron: "0 3 * * *"
+  workflow_dispatch:
+  push:
+    branches: [branch1]
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
+  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
+
+jobs:
+  push:
+    runs-on: ubuntu-latest
+    if: github.ref_name == 'main' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      - run: ./.github/workflows/scripts/e2e-push.sh
+
+  shim:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'push'
+    outputs:
+      continue: ${{ steps.verify.outputs.continue }}
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      - id: verify
+        run: |
+          set -euo pipefail
+
+          source "./.github/workflows/scripts/e2e-utils.sh"
+
+          THIS_FILE=$(e2e_this_file)
+          BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
+          if [[ "$BRANCH" == "$GITHUB_REF_NAME" ]]; then
+            echo "::set-output name=continue::yes"
+          fi
+
+  build:
+    needs: [shim]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
+    outputs:
+      binary-name: ${{ steps.build.outputs.binary-name }}
+      digest: ${{ steps.hash.outputs.digest }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+      - name: Setup Go
+        uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
+        with:
+          go-version: "1.18"
+      - name: Build artifact
+        id: build
+        run: |
+          go mod vendor
+
+          go build -mod=vendor -o hello .
+
+          echo "::set-output name=binary-name::hello"
+      - name: Upload binary
+        uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+        with:
+          name: ${{ steps.build.outputs.binary-name }}
+          path: ${{ steps.build.outputs.binary-name }}
+          if-no-files-found: error
+          retention-days: 5
+      - name: Generate hash
+        shell: bash
+        id: hash
+        env:
+          BINARY_NAME: ${{ steps.build.outputs.binary-name }}
+        run: |
+          set -euo pipefail
+          echo "::set-output name=digest::$(sha256sum $BINARY_NAME | base64 -w0)"
+
+  provenance:
+    needs: [shim, build]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
+    with:
+      base64-subjects: "${{ needs.build.outputs.digest }}"
+
+  verify:
+    needs: [shim, build, provenance]
+    runs-on: ubuntu-latest
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.binary-name }}
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.provenance.outputs.attestation-name }}
+      - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
+        with:
+          go-version: "1.18"
+      - env:
+          BINARY: ${{ needs.build.outputs.binary-name }}
+          PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
+        run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
+
+  if-succeeded:
+    runs-on: ubuntu-latest
+    needs: [shim, build, provenance, verify]
+    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      - run: ./.github/workflows/scripts/e2e-report-success.sh
+
+  if-failed:
+    runs-on: ubuntu-latest
+    needs: [shim, build, provenance, verify]
+    if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
+    steps:
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
+      - run: ./.github/workflows/scripts/e2e-report-failure.sh
@@ -1,4 +1,4 @@
-name: Generic push main default SLSA2
+name: Generic push main default SLSA3
 
 on:
   schedule:
@@ -7,6 +7,8 @@ on:
   push:
     branches: [main]
 
+permissions: read-all
+
 env:
   GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
   ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
@@ -18,7 +20,7 @@ jobs:
     permissions:
       contents: write
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-push.sh
 
   build:
@@ -74,7 +76,7 @@ jobs:
     needs: [build, provenance]
     if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
         with:
           name: ${{ needs.build.outputs.binary-name }}
@@ -94,13 +96,13 @@ jobs:
     needs: [build, provenance, verify]
     if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-success.sh
 
   if-failed:
     runs-on: ubuntu-latest
     needs: [build, provenance, verify]
     if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
     steps:
-      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
+      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
       - run: ./.github/workflows/scripts/e2e-report-failure.sh
@@ -1,4 +1,4 @@
-name: Generic schedule main default SLSA2
+name: Generic schedule main default SLSA3
 
 on:
   schedule: