Test CI #101
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Test CI | |
on: | |
workflow_run: | |
workflows: [ 'Build CI' ] | |
types: [completed] | |
env: | |
MY_SECRET: ${{ secrets.MY_SECRET }} | |
GITHUB_PAT: ${{ secrets.GH_PAT }} | |
jobs: | |
deploy: | |
runs-on: ubuntu-latest | |
if: ${{ github.event.workflow_run.conclusion == 'success' }} | |
steps: | |
- name: Alive | |
run: | | |
echo "I am alive" | |
# By default, checks out base code (not PR code) | |
- name: Checkout repository | |
uses: actions/checkout@v4 | |
#- name: Echoing runtests.sh after downloading artifact | |
# run: | | |
# ls -lR | |
# echo cat runtests.sh | |
# cat runtests.sh | |
- name: 'Download artifact' | |
uses: actions/github-script@v6 | |
with: | |
script: | | |
let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
run_id: context.payload.workflow_run.id, | |
}); | |
let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { | |
return artifact.name == "archive-bin" | |
})[0]; | |
let download = await github.rest.actions.downloadArtifact({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
artifact_id: matchArtifact.id, | |
archive_format: 'zip', | |
}); | |
let fs = require('fs'); | |
fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/myartifact.zip`, Buffer.from(download.data)); | |
- name: 'Unzip artifact' | |
run: | | |
pwd | |
unzip -o myartifact.zip | |
echo "XXXXXXXXXXXXXXXXXXXXXXX" | |
cat att.id | |
- name: Calc SHA for bin and unzippin artifact to get the zip | |
run: | | |
#!/usr/bin/env bash | |
pwd | |
ls -l | |
unzip -o myartifact.zip -d bin | |
ls -l | |
#sha256sum <(find . -type f -exec sha256sum {} \; | sort) | |
SHA_SUM=$(sha256sum ./JavaVulnerableLab.war| cut -f1 -d ' ') | |
echo $SHA_SUM | |
- name: 'Verifying the attestation' | |
run: | | |
#!/usr/bin/bash | |
echo " " | |
echo "-------" | |
echo "Calculating sha256sum for binary $ARTIFACTS_LOCATION/$BIN_FILE) ..." | |
ATT_ID=$(cat att.id) | |
echo "CCCCCCCCCCCCCCCCCCCCCCCCC" | |
echo ATT_ID=$ATT_ID | |
echo Downloading SALT .... | |
curl -sLO https://get.xygeni.io/latest/salt/salt.zip | |
unzip salt.zip -d ./salt_pro | |
shopt -s expand_aliases | |
alias salt=$PWD/salt_pro/xygeni_salt/salt | |
#pwd | |
#ls -l | |
SHA_SUM=$(sha256sum ./JavaVulnerableLab.war | cut -f1 -d ' ') | |
echo $SHA_SUM | |
ATT_ID=$(echo $(salt -q registry search --digest sha256:$SHA_SUM --format json) | jq -r .[-1].gitoidSha256) | |
echo "ATT_ID: $ATT_ID" | |
echo " " | |
echo "-------" | |
# Download the provenance attestation | |
echo "Downloading the provenance attestation ..." | |
salt -q reg get --id=$ATT_ID --format=json > ${GITHUB_WORKSPACE}/provenance_kk.signed.json | |
#cat ${GITHUB_WORKSPACE}/provenance_kk.signed.json | |
# this is for provenance | |
#WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json |base64 -d | jq -r .predicate.buildDefinition.internalParameters.environment.GITHUB_WORKFLOW_REF) | |
# this is for attestation | |
WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json |base64 -d | jq -r .predicate.attestations[1].predicate.variables.GITHUB_WORKFLOW_REF) | |
echo "WFR-------"$WFR"--------" | |
echo $WFR | grep cicd_top10_3_salt\/.github\/workflows\/build.yml | |
RES=$? | |
echo "RES-------"$RES"--------" | |
SHA_ATT_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json | base64 -d | jq -r .predicate.attestations[0].predicate.materials[].digest[]) | |
SHA_STEP_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json | base64 -d | jq -r .predicate.attestations[3].predicate.materials[0].digest[]) | |
echo "SHA_ATT_MATERIAL $SHA_ATT_MATERIAL" | |
echo "SHA_STEP_MATERIAL $SHA_STEP_MATERIAL" | |
if [ "\$SHA_ATT_MATERIAL" = "\$SHA_STEP_MATERIAL" ]; then | |
echo " " | |
else | |
echo Salt - Attestations FAILED !! | |
echo Salt - Materials are different !! | |
exit 1 | |
fi | |
echo " " | |
echo "-------" | |
echo "Verifying provenance ..." | |
# This should pass (the certificate is the same, and the file digest matches) | |
salt verify \ | |
--basedir ${GITHUB_WORKSPACE} \ | |
--attestation=${GITHUB_WORKSPACE}/provenance_kk.signed.json \ | |
--public-key=${GITHUB_WORKSPACE}/Test1_public.pem \ | |
--file ./JavaVulnerableLab.war | |
#--basedir $ARTIFACTS_LOCATION \ | |
#--public-key=${WORKSPACE}/cert_${JOB_BASE_NAME}.pem \ | |
# Runs tests | |
- name: Running tests ... | |
id : run_tests | |
run: | | |
exit 0 | |
echo Running tests.. | |
chmod +x runtests.sh | |
cat runtests.sh | |
#./runtests.sh "${{ github.event.pull_request.user.login }}" "${{ github.workflow }}" | |
bash ./runtests.sh "${{ github.event.workflow_run.actor.name }}" "${{ github.workflow }}" | |
export ret_value=$? | |
echo ret_value $ret_value | |
cat runtests.out | |
echo Tests executed. | |
echo "run_tests=OK" >> $GITHUB_OUTPUT | |
# | |
# For demo purposes, the check merge condition will always be set to FALSE (avoiding to merge) | |
# | |
- name: pr_check_conditions_to_merge | |
id: check_pr | |
run: | | |
echo "check_conditions_to_merge" | |
PR_ID=$(<PR_ID.txt) | |
PR_TITLE=$(<PR_TITLE.txt) | |
echo "Checking conditions to merge PR with id $PR_ID and Title $PR_TITLE" | |
echo "Checking conditions to merge PR with id $PR_ID and Title $(<PR_TITLE.txt)" | |
echo "merge=false" >> $GITHUB_OUTPUT | |
- name: pr_merge_pr_false | |
if: steps.check_pr.outputs.merge == 'false' | |
run: | | |
echo "The merge check was ${{ steps.check_pr.outputs.merge }}" | |
echo "Merge conditions NOT MEET!!!" | |
- name: pr_merge_pr_true | |
if: steps.check_pr.outputs.merge == 'true' && steps.run_tests.outputs.run_tests == 'OK' | |
run: | | |
echo "The merge check was ${{ steps.check_pr.outputs.merge }}" | |
echo "Merge conditions successfully MEET!!!" | |
echo "Merging .." | |
PR_ID=$(<PR_ID.txt) | |
curl -L \ | |
-X PUT \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer $GITHUB_PAT" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
https://api.github.com/repos/lgvorg1/"${{github.event.repository.name}}"/pulls/"$PR_ID"/merge \ | |
-d '{"commit_title":"Expand enum","commit_message":"Add a new value to the merge_method enum"}' | |