Skip to content

verifier action

verifier action #724

name: verifier action
on:
# Daily run.
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
inputs:
version:
type: string
description: The version to to test for pre-release.
required: false
permissions: read-all
env:
GH_TOKEN: ${{ github.token }}
ISSUE_REPOSITORY: ${{ github.repository }}
MINIMUM_INSTALLER_VERSION: v2.0.1
jobs:
list-verifiers:
runs-on: ubuntu-latest
outputs:
# NOTE: version output is a JSON list of version numbers.
# https://github.blog/changelog/2020-04-15-github-actions-new-workflow-features/#new-fromjson-method-in-expressions
# https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
version: ${{ steps.generate-versions.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# NOTE: the example-package needs to be checked out in the default workspace.
repository: slsa-framework/example-package
ref: main
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: __THIS_REPO__
- name: Generate verifier list
if: inputs.version == ''
id: generate-list
run: ./__THIS_REPO__/.github/workflows/scripts/schedule.actions/verifier-installer.sh
- name: Generate pre-release list
if: inputs.version != ''
id: generate-prerelease
env:
PRE_RELEASE_VERSION: ${{ inputs.version }}
run: echo "version=[\"$PRE_RELEASE_VERSION\"]" >> "$GITHUB_OUTPUT"
- name: Generate pre-release list
id: generate-versions
env:
PRE_RELEASE_VERSION: ${{ steps.generate-prerelease.outputs.version }}
LIST_VERSION: ${{ steps.generate-list.outputs.version }}
run: |
if [[ -n $PRE_RELEASE_VERSION ]]; then
echo "version=$PRE_RELEASE_VERSION" >> "$GITHUB_OUTPUT"
else
echo "version=$LIST_VERSION" >> "$GITHUB_OUTPUT"
fi
verifier-run:
needs: list-verifiers
runs-on: ubuntu-latest
strategy:
matrix:
version: ${{ fromJson(needs.list-verifiers.outputs.version) }}
steps:
- name: Debug
env:
VERSION: ${{ matrix.version }}
run: echo "version is '$VERSION'"
- name: Checkout this repository
# Skip release candidates unless specified explicitly.
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ matrix.version }}
# Install at tag.
# ==============
- name: Run the Action at tag
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
env:
SLSA_VERIFIER_CI_ACTION_REF: ${{ matrix.version }}
uses: ./actions/installer
- name: Verify the version
env:
VERSION: ${{ matrix.version }}
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
run: |
version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]")
slsa-verifier version
echo "version: $version"
echo "VERSION: $VERSION"
# NOTE: the version reported by the slsa-verifier does not contain the leading `v`.
[ "$version" == "${VERSION:1}" ]
- name: Delete the binary
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
run: |
binary_path=$(which slsa-verifier)
echo "binary_path: $binary_path"
rm -rf "$binary_path"
# Install at commit sha.
# =====================
- name: Get sha1
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
id: commit
env:
VERSION: ${{ matrix.version }}
run: |
commit_sha=$(gh api -H "Accept: application/vnd.github+json" "/repos/$GITHUB_REPOSITORY/git/ref/tags/$VERSION" | jq -r '.object.sha')
echo "commit_sha=$commit_sha" >> "$GITHUB_OUTPUT"
- name: Run the Action at commit
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
env:
SLSA_VERIFIER_CI_ACTION_REF: ${{ steps.commit.outputs.commit_sha }}
uses: ./actions/installer
- name: Verify the version
env:
VERSION: ${{ matrix.version }}
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
run: |
version=$(slsa-verifier version 2>&1 | grep GitVersion | cut -d ':' -f2 | tr -d "[:space:]")
slsa-verifier version
echo "version: $version"
echo "VERSION: $VERSION"
# NOTE: the version reported by the slsa-verifier does not contain the leading `v`.
[ "$version" == "${VERSION:1}" ]
- name: Delete the binary
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
run: |
binary_path=$(which slsa-verifier)
echo "binary_path: $binary_path"
rm -rf "$binary_path"
# Install at invalid commit.
# =========================
- name: Install invalid commit
id: invalid-commit
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
continue-on-error: true
env:
SLSA_VERIFIER_CI_ACTION_REF: 55ca6286e3e4f4fba5d0448333fa99fc5a404a73
uses: ./actions/installer
- env:
SUCCESS: ${{ steps.invalid-commit.outcome == 'failure' }}
run: |
[ "$SUCCESS" == "true" ]
# Install at non-existent tag.
# =========================
- name: Install non-existent tag
id: nonexistent-tag
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
continue-on-error: true
env:
# NOTE: actions/installer checks for valid semantic version numbers.
SLSA_VERIFIER_CI_ACTION_REF: v100.3.5
uses: ./actions/installer
- env:
SUCCESS: ${{ steps.nonexistent-tag.outcome == 'failure' }}
run: |
[ "$SUCCESS" == "true" ]
# Install at empty tag.
# =====================
- name: Install empty tag
id: empty-tag
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
continue-on-error: true
env:
SLSA_VERIFIER_CI_ACTION_REF:
uses: ./actions/installer
- env:
SUCCESS: ${{ steps.empty-tag.outcome == 'failure' }}
run: |
[ "$SUCCESS" == "true" ]
if-succeed:
needs: [verifier-run, list-verifiers]
runs-on: ubuntu-latest
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any.
if: inputs.version == '' && needs.verifier-run.result != 'failure' && needs.list-verifiers.result != 'failure'
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
needs: [verifier-run, list-verifiers]
runs-on: ubuntu-latest
if: always() && inputs.version == '' && (needs.verifier-run.result == 'failure' || needs.list-verifiers.result == 'failure')
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-failure.sh