From 2c0c350e02280b99ef275ecc17b257f6410bace1 Mon Sep 17 00:00:00 2001
From: Tom Binder
Date: Mon, 13 May 2024 14:41:03 +0000
Subject: [PATCH] Matrix provenances
---
 .github/workflows/provenance4.yaml | 78 ++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 .github/workflows/provenance4.yaml
diff --git a/.github/workflows/provenance4.yaml b/.github/workflows/provenance4.yaml
new file mode 100644
index 00000000000..ffc8cc357e2
--- /dev/null
+++ b/.github/workflows/provenance4.yaml
@@ -0,0 +1,78 @@
+name: Matrix Provenances
+
+on:
+  push:
+    branches:
+      - "stage0verify"
+  workflow_dispatch:
+    inputs:
+      build-config-path:
+        required: true
+        type: string
+
+jobs:
+  build_attest_all:
+    strategy:
+      fail-fast: false
+      matrix:
+        buildconfig:
+          - buildconfigs/key_xor_test_app.toml
+          - buildconfigs/oak_echo_raw_enclave_app.toml
+
+    permissions:
+      actions: read
+      id-token: write
+      attestations: write
+      contents: read
+    runs-on: ubuntu-20.04
+
+    steps:
+      - name: Mount main branch
+        uses: actions/checkout@v4
+
+      - name: Parse buildconfig
+        id: parse
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o xtrace
+          set -o pipefail
+          source ./scripts/common
+          artifact_path="$(tail -1 ${{ matrix.buildconfig }} | grep -oP 'artifact_path = \K(.*)')"
+          package_name="$(basename ${{ matrix.buildconfig }} .toml)"
+          builder_digest="$(echo "${DOCKER_IMAGE_REPO_DIGEST}" | cut -d'@' -f2)"
+          echo "artifact-path=${artifact_path}" >> $GITHUB_OUTPUT
+          echo "package-name=${package_name}" >> $GITHUB_OUTPUT
+          echo "builder-digest=${builder_digest}" >> $GITHUB_OUTPUT
+
+      - name: Show values
+        run: |
+          echo "${{ steps.parse.outputs.artifact-path }}"
+          echo "${{ steps.parse.outputs.package-name }}"
+          echo "${{ steps.parse.outputs.builder-digest }}"
+
+      # Use slsa-github-generator for build only. We ignore the provenance it produces.
+      - name: Build
+        id: build
+        uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@v2.0.0
+        with:
+          builder-image: europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development
+          builder-digest: ${{ steps.parse.outputs.builder-digest }}
+          config-path: ${{ matrix.buildconfig }}
+          compile-builder: true
+
+      - name: Show build artifact
+        run: |
+          echo "${{ steps.parse.outputs.artifact-path }}"
+          ls -la "${{ steps.parse.outputs.artifact-path }}"
+
+      - name: Attest
+        id: attest
+        uses: actions/attest-build-provenance@v1.1.1
+        with:
+          subject-path: ${{ steps.parse.outputs.artifact-path }}
+
+      - name: Show Bundle
+        run: |
+          echo "${{ steps.attest.outputs.bundle-path }}"
+          ls -la "${{ steps.attest.outputs.bundle-path }}"
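Review bot: The `Build` step's `uses:` points at a reusable workflow (`slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@v2.0.0`), but a step-level `uses` must name an action; reusable workflows can only be invoked through `jobs.<id>.uses`, so GitHub will reject this file at validation before any step runs. Moving the call to job level also means the build output is no longer on this runner's filesystem, so the `ls -la` in `Show build artifact` and the `subject-path` handed to `actions/attest-build-provenance` would have to read an artifact downloaded from the builder job in a follow-up job that depends on it via `needs:`, and the `Parse buildconfig` step would have to become its own job exposing `builder-digest` through `outputs:` (the exact artifact/output names come from the generator's documentation, which I cannot see here). Separately, the `workflow_dispatch` input `build-config-path` is declared `required: true` but is never read — the matrix hard-codes the two config files — so either drop it or feed it into the matrix. For a workflow whose whole purpose is provenance, `actions/checkout@v4` and `actions/attest-build-provenance@v1.1.1` should be pinned to full commit SHAs rather than mutable tags (the slsa-github-generator reference is the exception, since its verifier expects a tag), `attestations: write` should be granted only to the job that actually attests, and `compile-builder: true` — which, as I understand the generator, builds the builder from source instead of using its released binary — deserves a comment saying whether that is intended outside of testing.
```yaml
jobs:
  parse:
    # … unchanged: checkout + "Parse buildconfig" run step, but emitted as job outputs …
    outputs:
      artifact-path: ${{ steps.parse.outputs.artifact-path }}
      builder-digest: ${{ steps.parse.outputs.builder-digest }}

  build:
    needs: parse
    # … unchanged: strategy/matrix over buildconfigs …
    permissions:
      actions: read
      id-token: write
      contents: read
    # Reusable workflows can only be called at job level, not from a step.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@v2.0.0
    with:
      builder-image: europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development
      builder-digest: ${{ needs.parse.outputs.builder-digest }}
      config-path: ${{ matrix.buildconfig }}
      compile-builder: true

  attest:
    needs: [parse, build]
    permissions:
      id-token: write
      attestations: write
      contents: read
    # … download the builder job's output artifact here, then run
    # actions/attest-build-provenance (SHA-pinned) with subject-path set to the
    # downloaded file …
```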