Skip to content

Build CI

Build CI #98

Workflow file for this run

name: Build CI
on:
pull_request_target:
branches: [ main ]
workflow_dispatch:
env:
MY_SECRET: ${{ secrets.MY_SECRET }}
GITHUB_PAT: ${{ secrets.GH_PAT }}
PR_ID: ${{github.event.number}}
XY_PRJ_NAME: LGV-GH-${{ github.event.repository.name }}
PIPELINE: ${{ github.event.repository.name }}
PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
KEY_PASSWD: ${{ secrets.KEY_PASSWD }}
API_KEY: ${{ secrets.XYGENI_TOKEN }}
OTRA_VAR: "hola"
jobs:
prt_build_and_upload:
runs-on: ubuntu-latest
steps:
- name: Checking out PR code
uses: actions/checkout@v4
if: ${{ github.event_name == 'pull_request_target' }}
with:
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: '0'
# This is to get the PR code instead of the repo code
ref: ${{ github.event.pull_request.head.sha }}
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v4
name: Checking out main code
if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
with:
# Number of commits to fetch. 0 indicates all history for all branches and tags.
# Default: 1
fetch-depth: '0'
- name: Building ...
run: |
mkdir ./bin
touch ./bin/mybin.exe
echo "${{github.event.pull_request.title}}" > ./bin/PR_TITLE.txt
echo "$PR_ID" > ./bin/PR_ID.txt
java -version
mvn -version
#apt-get update ; apt-get install maven default-jdk -y ; update-alternatives --config javac
#mvn clean package
#ls -l target/*.war
#cp target/JavaVulnerableLab.war ./bin
#env:
# PR_TITLE: ${{github.event.pull_request.title}}
- name: Download SALT
run: |
#!/usr/bin/env bash
echo Downloading SALT ....
curl -sLO https://get.xygeni.io/latest/salt/salt.zip
unzip salt.zip -d ./salt_pro
shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
- name: Calc SHA for bin and add as zip to the artifact
run: |
#!/usr/bin/env bash
#pwd
#ls -l
#cd bin
#ls -l
#sha256sum <(find . -type f -exec sha256sum {} \; | sort)
#zip -r ./bin.zip ./bin
#cp ./bin.zip ./bin
#SHA_SUM=$(sha256sum ./bin.zip | cut -f1 -d ' ')
#echo $SHA_SUM
- name: Generating attestation (JVL)
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash
shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt
echo " "
echo "-----------"
echo "Intiating the attestation with attestors git and env ..."
#/home/luisgarcia/LGV/xygeni_salt/salt attestation init
salt attestation init \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--attestor environment \
--attestor git
echo " "
echo "-----------"
echo "Adding materials [src/$SRC_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--name=my_top_material --type material --file ./src
echo " "
echo "-----------"
echo "REMOVING binaries ... -------------------"
rm -rf ${GITHUB_WORKSPACE}/bin
#cp ./AddPage_mod.java ./src/main/java/org/cysecurity/cspf/jvl/controller/AddPage.java
echo " "
echo "----------- "
echo "Compiling ... -------------------"
mkdir ${GITHUB_WORKSPACE}/bin
salt attestation run \
--step=compile \
--pipeline ${PIPELINE}_cli \
--pretty-print \
--name my_sources --type material --file ${GITHUB_WORKSPACE}/src \
--name my_product --type product --file ${GITHUB_WORKSPACE}/target/JavaVulnerableLab.war \
-- mvn clean package
#-- /usr/bin/gcc ${GITHUB_WORKSPACE}/src/*.c \
# -o ${GITHUB_WORKSPACE}/bin/hello
#-- ${WORKSPACE}/salt_examples/provenance/provider/compila.sh
#--type material --file /usr/bin/gcc \
echo " "
echo "-----------"
echo "Adding product [bin/$BIN_FILE] to attestation ..."
cp target/JavaVulnerableLab.war ./bin
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE}/target \
--name=my_product --type product --file JavaVulnerableLab.war
echo $PRIVATE_KEY | base64 > kk.txt
cat kk.txt
echo " "
echo "------------"
echo "Commiting the drafted attestation using provided keys ..."
salt attestation commit \
--project SALT \
--pipeline ${PIPELINE}_cli \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output=${GITHUB_WORKSPACE}/${PIPELINE}_cli.signed.json \
--output-unsigned=${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json \
--pretty-print \
> ${GITHUB_WORKSPACE}/lgv.txt
#--config=$SALT_PATH/conf/salt.yaml \
#cat ${WORKSPACE}/${PIPELINE}_cli.statement.json
cat ${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json
cat ${GITHUB_WORKSPACE}/lgv.txt
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
grep "registry with id" lgv.txt | awk '{print $14}' > ./bin/att.id
cat ./bin/att.id
ls -l ./bin
- name: Generating attestation (.c)
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash
exit 0
java -version
mvn -version
docker ps
exit 1
shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt
echo " "
echo "-----------"
echo "Intiating the attestation with attestors git and env ..."
#/home/luisgarcia/LGV/xygeni_salt/salt attestation init
salt attestation init \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--attestor environment \
--attestor git
echo " "
echo "-----------"
echo "Adding materials [src/$SRC_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE} \
--name=my_top_material --type material --file ./src
echo " "
echo "-----------"
echo "REMOVING binaries ... -------------------"
rm -rf ${GITHUB_WORKSPACE}/bin
echo " "
echo "----------- "
echo "Compiling ... -------------------"
mkdir ${GITHUB_WORKSPACE}/bin
salt attestation run \
--step=compile \
--pipeline ${PIPELINE}_cli \
--pretty-print \
--name my_sources --type material --file ${GITHUB_WORKSPACE}/src \
--name my_product --type product --file ${GITHUB_WORKSPACE}/bin/hello \
-- /usr/bin/gcc ${GITHUB_WORKSPACE}/src/*.c \
-o ${GITHUB_WORKSPACE}/bin/hello
#-- ${WORKSPACE}/salt_examples/provenance/provider/compila.sh
#--type material --file /usr/bin/gcc \
echo " "
echo "-----------"
echo "Adding product [bin/$BIN_FILE] to attestation ..."
salt attestation add \
--pipeline ${PIPELINE}_cli \
--basedir ${GITHUB_WORKSPACE}/bin \
--name=my_product --type product --file hello
echo " "
echo "------------"
echo "Commiting the drafted attestation using provided keys ..."
salt attestation commit \
--project SALT \
--pipeline ${PIPELINE}_cli \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output=${GITHUB_WORKSPACE}/${PIPELINE}_cli.signed.json \
--output-unsigned=${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json \
--pretty-print
#--config=$SALT_PATH/conf/salt.yaml \
#cat ${WORKSPACE}/${PIPELINE}_cli.statement.json
cat ${GITHUB_WORKSPACE}/cli_attestattion_${PIPELINE}_unsigned.json
exit 1
- name: Generating provenance
env:
GITHUB_PAT: ${{ secrets.GH_PAT }}
run: |
#!/usr/bin/env bash
exit 0
shopt -s expand_aliases
alias salt=$PWD/salt_pro/xygeni_salt/salt
mvn clean package
echo " "
echo "-----------"
echo "Generating Provenance with CLI ..."
#$SALT_PATH/salt at provenance
#salt at slsa \
# --basedir ${GITHUB_WORKSPACE} \
# --key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
# --output-unsigned=${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json \
# --pipeline ${PIPELINE} --pretty-print \
# --file ./bin/bin.zip \
# > ${GITHUB_WORKSPACE}/lgv.txt
salt at slsa \
--basedir ${GITHUB_WORKSPACE}/target \
--key="${PRIVATE_KEY}" --public-key=${GITHUB_WORKSPACE}/Test1_public.pem --key-password=${KEY_PASSWD} \
--output-unsigned=${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json \
--pipeline ${PIPELINE} --pretty-print \
--file ./JavaVulnerableLab.war \
> ${GITHUB_WORKSPACE}/lgv.txt
cat ${GITHUB_WORKSPACE}/cli_provenance_${PIPELINE}_unsigned.json
cat ${GITHUB_WORKSPACE}/lgv.txt
echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
grep "registry with id" lgv.txt | awk '{print $14}' > ./bin/att.id
cat ./bin/att.id
exit 1
- name: Archive building artifacts
uses: actions/upload-artifact@v3
with:
name: archive-bin
path: |
bin