reusable_full_provenance.yaml

# Uses the container-based SLSA3 generator to build the binary and its
# provenance. Does not upload provenances to ENT, as to the existing logic for
# importing provenances as part of transparent release, which does not yet
# support mulitple subjects and expects specific ENT tag names.
# TODO: b/333745447 - Merge with .github/workflows/reusable_provenance.yaml
name: Build Full SLSA3 Provenance

on:
  workflow_call:
    inputs:
      build-config-path:
        required: true
        type: string

jobs:
  get_inputs:
    outputs:
      builder-digest: ${{ steps.builder-digest.outputs.builder-digest }}

    runs-on: ubuntu-20.04

    steps:
      - name: Mount main branch
        uses: actions/checkout@v3

      - name: Get builder image info
        id: builder-digest
        run: |
          set -o errexit
          set -o nounset
          set -o xtrace
          set -o pipefail
          source ./scripts/common
          digest="$(echo "${DOCKER_IMAGE_REPO_DIGEST}" | cut -d'@' -f2)"
          echo "builder-digest=${digest}" >> $GITHUB_OUTPUT

      - name: Print values
        run: |
          echo "${{ steps.builder-digest.outputs.builder-digest }}"

  generate_provenance:
    needs: [get_inputs]
    permissions:
      actions: read
      id-token: write
      contents: write
    # We are a pre-release of the slsa-github-generator. This is because the
    # current release does not include fix for the action deadlocking.
    # Ref: https://github.com/slsa-framework/slsa-github-generator/issues/3571
    # TODO: b/335461780 - Switch to using a released tag once there is one that includes the fix.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@v2.0.0
    with:
      builder-image: 'europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development'
      builder-digest: ${{ needs.get_inputs.outputs.builder-digest }}
      config-path: ${{ inputs.build-config-path }}
      provenance-name: attestation.intoto
      compile-builder: true