Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add branch tests for generic workflow #50

Merged
merged 3 commits into from
Jun 14, 2022
Merged

Add branch tests for generic workflow #50

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cb46ecf
Add branch tests for generic workflow
ianlewis Jun 14, 2022
312f6dc
Fix review comments
ianlewis Jun 14, 2022
51ca587
Clean up the Go push branch1 e2e test as well
ianlewis Jun 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
128 changes: 128 additions & 0 deletions .github/workflows/e2e.generic.push.branch1.default.slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
name: Generic push branch1 default SLSA2

on:
schedule:
- cron: "0 3 * * *"
workflow_dispatch:
push:
branches: [main, branch1]

permissions: read-all

env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator

jobs:
push:
runs-on: ubuntu-latest
if: github.ref_name == 'main' && (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
permissions:
contents: write
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-push.sh

shim:
runs-on: ubuntu-latest
if: github.event_name == 'push'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- id: verify
run: |
set -euo pipefail

source "./.github/workflows/scripts/e2e-utils.sh"

THIS_FILE=$(e2e_this_file)
BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
if [[ "$BRANCH" == "${{ github.ref_name }}" ]]; then
echo "::set-output name=continue::yes"
fi

build:
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
outputs:
binary-name: ${{ steps.build.outputs.binary-name }}
digest: ${{ steps.hash.outputs.digest }}
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
with:
go-version: "1.18"
- name: Build artifact
id: build
run: |
go mod vendor

go build -mod=vendor -o hello .

echo "::set-output name=binary-name::hello"
- name: Upload binary
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
with:
name: ${{ steps.build.outputs.binary-name }}
path: ${{ steps.build.outputs.binary-name }}
if-no-files-found: error
retention-days: 5
- name: Generate hash
shell: bash
id: hash
env:
BINARY_NAME: ${{ steps.build.outputs.binary-name }}
run: |
set -euo pipefail
echo "::set-output name=digest::$(sha256sum $BINARY_NAME | base64 -w0)"

provenance:
needs: [shim, build]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
permissions:
id-token: write
contents: read
actions: read
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digest }}"

verify:
needs: [shim, build, provenance]
runs-on: ubuntu-latest
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.provenance.outputs.attestation-name }}
- uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
with:
go-version: "1.18"
- env:
BINARY: ${{ needs.build.outputs.binary-name }}
PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh

if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-success.sh

if-failed:
runs-on: ubuntu-latest
needs: [shim, build, provenance, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh
10 changes: 6 additions & 4 deletions .github/workflows/e2e.generic.push.main.default.slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ on:
push:
branches: [main]

permissions: read-all

env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
Expand All @@ -18,7 +20,7 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-push.sh

build:
Expand Down Expand Up @@ -74,7 +76,7 @@ jobs:
needs: [build, provenance]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.binary-name }}
Expand All @@ -94,13 +96,13 @@ jobs:
needs: [build, provenance, verify]
if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-success.sh

if-failed:
runs-on: ubuntu-latest
needs: [build, provenance, verify]
if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh
123 changes: 123 additions & 0 deletions .github/workflows/e2e.generic.tag.branch1.default.slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
name: Generic tag branch1 default SLSA2

# NOTE: this file is identical to the 'main' version of this test.
# The only logic that's different is in e2e-create-release.sh

on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4` or else

permissions: read-all

env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator

jobs:
release:
runs-on: ubuntu-latest
if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- id: create
# Note: we use v18.x.y
run: ./.github/workflows/scripts/e2e-create-release.sh

shim:
runs-on: ubuntu-latest
if: github.event_name == 'push' && github.ref_type == 'tag'
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- id: verify
run: ./.github/workflows/scripts/e2e-verify-release.sh

build:
runs-on: ubuntu-latest
needs: [shim]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
outputs:
binary-name: ${{ steps.build.outputs.binary-name }}
digest: ${{ steps.hash.outputs.digest }}
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
with:
go-version: "1.18"
- name: Build artifact
id: build
run: |
go mod vendor
go build -mod=vendor -o hello .
echo "::set-output name=binary-name::hello"
- name: Upload binary
uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
with:
name: ${{ steps.build.outputs.binary-name }}
path: ${{ steps.build.outputs.binary-name }}
if-no-files-found: error
retention-days: 5
- name: Generate hash
shell: bash
id: hash
env:
BINARY_NAME: ${{ steps.build.outputs.binary-name }}
run: |
set -euo pipefail
echo "::set-output name=digest::$(sha256sum $BINARY_NAME | base64 -w0)"

provenance:
needs: [shim, build]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build.outputs.digest }}"

verify:
runs-on: ubuntu-latest
needs: [shim, build, provenance]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.provenance.outputs.attestation-name }}
- uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0
with:
go-version: "1.17"
- env:
BINARY: ${{ needs.build.outputs.binary-name }}
PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh

if-succeeded:
runs-on: ubuntu-latest
needs: [shim, build, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-success.sh

if-failed:
runs-on: ubuntu-latest
needs: [shim, build, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh
12 changes: 7 additions & 5 deletions .github/workflows/e2e.generic.tag.main.default.slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ on:
tags:
- "*" # triggers only if push new tag version, like `0.8.4` or else

permissions: read-all

env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
Expand All @@ -19,7 +21,7 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- id: create
# Note: we use v18.x.y
run: ./.github/workflows/scripts/e2e-create-release.sh
Expand All @@ -30,7 +32,7 @@ jobs:
outputs:
continue: ${{ steps.verify.outputs.continue }}
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- id: verify
run: ./.github/workflows/scripts/e2e-verify-release.sh

Expand Down Expand Up @@ -86,7 +88,7 @@ jobs:
needs: [shim, build, provenance]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.binary-name }}
Expand All @@ -106,13 +108,13 @@ jobs:
needs: [shim, build, verify]
if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success'
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-success.sh

if-failed:
runs-on: ubuntu-latest
needs: [shim, build, verify]
if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure')
steps:
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 #v2.4.0
- uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0
- run: ./.github/workflows/scripts/e2e-report-failure.sh
Loading