Provenances: update ent logic to work with wildcards (project-oak#4995)

* Provenances: update ent logic to work with wildcards Change-Id: I2b56ad5764b6ce08c195bf155f2a0b076338add3 * merge steps, so we don't have to deal with the nightmare of passing variables with variable names between them Change-Id: Id558460f2f1279a12686d425de5e12f03cc1fa4c * add log in case it's not a file Change-Id: Ied9c56164f40ae6811c49fb43f15a84fc557e8c1
thmsbinder · Apr 5, 2024 · 0d5cdc6 · 0d5cdc6
1 parent 80cb018
commit 0d5cdc6
Showing 1 changed file with 19 additions and 32 deletions.
diff --git a/.github/workflows/reusable_provenance.yaml b/.github/workflows/reusable_provenance.yaml
@@ -128,50 +128,37 @@ jobs:
         run: ls -R
         working-directory: downloads
 
-      - name: Upload binary to Ent
+      - name: Upload binary, provenance, signed tag to Ent
         id: ent_upload_binary
         working-directory: downloads
-        run: |
-          set -o errexit
-          set -o nounset
-          set -o xtrace
-          set -o pipefail
-          file="${{ needs.get_inputs.outputs.artifact-path }}"
-          digest="$(ent put --digest-format=human --porcelain "${file}")"
-          echo "binary_digest=${digest}" >> $GITHUB_OUTPUT
-
-      - name: Upload provenance to Ent
-        id: ent_upload_provenance
-        working-directory: downloads
         # The output on any trigger other than "pull_request" has an additional
         # ".sigstore" suffix. However, that suffix appears to be ".build.slsa".
         # See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker#workflow-outputs
+        # The artifact path may be a wildcard that resolves to multiple files.
         run: |
           set -o errexit
           set -o nounset
           set -o xtrace
           set -o pipefail
-          file="attestation.intoto"
+          provenance_file="attestation.intoto"
           if [[ "${{ github.event_name }}" != "pull_request" ]]; then
-            file="${file}.build.slsa"
+            provenance_file="${provenance_file}.build.slsa"
           fi
-          digest="$(ent put --digest-format=human --porcelain "${file}")"
-          echo "provenance_digest=${digest}" >> $GITHUB_OUTPUT
-
-      - name: Upload signed tag to Ent
-        run: |
-          set -o errexit
-          set -o nounset
-          set -o xtrace
-          set -o pipefail
-          file="${{ needs.get_inputs.outputs.artifact-path }}"
-          binary_name="$(basename "${file}")"
-          ent tag set --public-key=${{ inputs.ent-public-key }} \
-            --label="artifact_${GITHUB_SHA}_${binary_name}" \
-            --target=${{ steps.ent_upload_binary.outputs.binary_digest }}
-          ent tag set --public-key=${{ inputs.ent-public-key }} \
-            --label="provenance_${GITHUB_SHA}_${binary_name}" \
-            --target=${{ steps.ent_upload_provenance.outputs.provenance_digest }}
+          provenance_digest="$(ent put --digest-format=human --porcelain "${provenance_file}")"
+          for file in ${{ needs.get_inputs.outputs.artifact-path }}; do
+              if [[ -f "${file}" ]]; then
+                  binary_name="$(basename "${file}")"
+                  binary_digest="$(ent put --digest-format=human --porcelain "${file}")"
+                  ent tag set --public-key=${{ inputs.ent-public-key }} \
+                    --label="artifact_${GITHUB_SHA}_${binary_name}" \
+                    --target="${binary_digest}"
+                  ent tag set --public-key=${{ inputs.ent-public-key }} \
+                    --label="provenance_${GITHUB_SHA}_${binary_name}" \
+                    --target=${{ steps.ent_upload_provenance.outputs.provenance_digest }}
+              else
+                  echo "Warning: Input '${file}' is not a file."
+              fi
+          done
 
   # Debug step similar to `upload_provenance`, but runs on pull-request events.
   # Differs from `upload_provenance` in that it does not publish the binary