Skip to content

Verifier releaser

Verifier releaser #908

Workflow file for this run

name: Verifier releaser
on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4`.
# Run daily as a dry-run/test.
schedule:
- cron: "0 1 * * *"
permissions: read-all
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-verifier
# In case daily runs fail, the label for filing the issue
HEADER: release
jobs:
# Generate ldflags dynamically.
args:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- id: checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- id: ldflags
run: |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
builder:
name: builder-${{matrix.os}}-${{matrix.arch}}
needs: [args]
strategy:
matrix:
os:
- linux
- windows
- darwin
arch:
- amd64
- arm64
permissions:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # always use a tag @X.Y.Z for for slsa builders, not SHA!
with:
go-version-file: "go.mod"
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
compile-builder: true
evaluated-envs: "VERSION:${{needs.args.outputs.version}}"
verification:
needs: [builder]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$ARTIFACT"
if-succeed:
needs: [args, builder]
runs-on: ubuntu-latest
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any.
if: github.event_name == 'schedule' && needs.args.result != 'failure' && needs.builder.result != 'failure'
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
needs: [args, builder]
runs-on: ubuntu-latest
if: always() && github.event_name == 'schedule' && (needs.args.result == 'failure' || needs.builder.result == 'failure')
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-failure.sh