Test CI #102

Summary
Jobs
- deploy
Run details
- Usage
- Workflow file

Workflow file for this run

	name: Test CI

	on:
	workflow_run:
	workflows: [ 'Build CI' ]
	types: [completed]

	env:
	MY_SECRET: ${{ secrets.MY_SECRET }}
	GITHUB_PAT: ${{ secrets.GH_PAT }}


	jobs:
	deploy:
	runs-on: ubuntu-latest
	if: ${{ github.event.workflow_run.conclusion == 'success' }}
	steps:
	- name: Alive
	run: \|
	echo "I am alive"

	# By default, checks out base code (not PR code)
	- name: Checkout repository
	uses: actions/checkout@v4

	#- name: Echoing runtests.sh after downloading artifact
	# run: \|
	# ls -lR
	# echo cat runtests.sh
	# cat runtests.sh

	- name: 'Download artifact'
	uses: actions/github-script@v6
	with:
	script: \|
	let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
	owner: context.repo.owner,
	repo: context.repo.repo,
	run_id: context.payload.workflow_run.id,
	});
	let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
	return artifact.name == "archive-bin"
	})[0];
	let download = await github.rest.actions.downloadArtifact({
	owner: context.repo.owner,
	repo: context.repo.repo,
	artifact_id: matchArtifact.id,
	archive_format: 'zip',
	});
	let fs = require('fs');
	fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/myartifact.zip`, Buffer.from(download.data));

	- name: 'Unzip artifact'
	run: \|
	pwd
	unzip -o myartifact.zip
	echo "XXXXXXXXXXXXXXXXXXXXXXX"
	cat att.id

	- name: Calc SHA for bin and unzippin artifact to get the zip
	run: \|
	#!/usr/bin/env bash
	pwd
	ls -l
	unzip -o myartifact.zip -d bin
	ls -l
	#sha256sum <(find . -type f -exec sha256sum {} \; \| sort)
	SHA_SUM=$(sha256sum ./JavaVulnerableLab.war\| cut -f1 -d ' ')
	echo $SHA_SUM

	- name: 'Verifying the attestation'
	run: \|
	#!/usr/bin/bash
	echo " "
	echo "-------"
	echo "Calculating sha256sum for binary $ARTIFACTS_LOCATION/$BIN_FILE) ..."
	ATT_ID=$(cat att.id)
	echo "CCCCCCCCCCCCCCCCCCCCCCCCC"
	echo ATT_ID=$ATT_ID


	echo Downloading SALT ....
	curl -sLO https://get.xygeni.io/latest/salt/salt.zip
	unzip salt.zip -d ./salt_pro
	shopt -s expand_aliases
	alias salt=$PWD/salt_pro/xygeni_salt/salt


	#pwd
	#ls -l
	SHA_SUM=$(sha256sum ./JavaVulnerableLab.war \| cut -f1 -d ' ')
	echo $SHA_SUM
	ATT_ID=$(echo $(salt -q registry search --digest sha256:$SHA_SUM --format json) \| jq -r .[-1].gitoidSha256)
	echo "ATT_ID: $ATT_ID"


	echo " "
	echo "-------"
	# Download the provenance attestation
	echo "Downloading the provenance attestation ..."
	salt -q reg get --id=$ATT_ID --format=json > ${GITHUB_WORKSPACE}/provenance_kk.signed.json
	#cat ${GITHUB_WORKSPACE}/provenance_kk.signed.json

	# this is for provenance
	#WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json \|base64 -d \| jq -r .predicate.buildDefinition.internalParameters.environment.GITHUB_WORKFLOW_REF)

	# this is for attestation
	WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json \|base64 -d \| jq -r .predicate.attestations[1].predicate.variables.GITHUB_WORKFLOW_REF)

	echo "WFR-------"$WFR"--------"
	echo $WFR \| grep cicd_top10_3_salt\/.github\/workflows\/build.yml
	RES=$?
	echo "RES-------"$RES"--------"

	SHA_ATT_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json \| base64 -d \| jq -r .predicate.attestations[0].predicate.materials[].digest[])
	SHA_STEP_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json \| base64 -d \| jq -r .predicate.attestations[3].predicate.materials[0].digest[])
	echo "SHA_ATT_MATERIAL $SHA_ATT_MATERIAL"
	echo "SHA_STEP_MATERIAL $SHA_STEP_MATERIAL"
	if [ "$SHA_ATT_MATERIAL" == "$SHA_STEP_MATERIAL" ]; then
	echo " "
	else

	echo Salt - Attestations FAILED !!
	echo Salt - Materials are different !!
	exit 1
	fi

	echo " "
	echo "-------"
	echo "Verifying provenance ..."
	# This should pass (the certificate is the same, and the file digest matches)
	salt verify \
	--basedir ${GITHUB_WORKSPACE} \
	--attestation=${GITHUB_WORKSPACE}/provenance_kk.signed.json \
	--public-key=${GITHUB_WORKSPACE}/Test1_public.pem \
	--file ./JavaVulnerableLab.war

	#--basedir $ARTIFACTS_LOCATION \
	#--public-key=${WORKSPACE}/cert_${JOB_BASE_NAME}.pem \


	# Runs tests
	- name: Running tests ...
	id : run_tests
	run: \|
	exit 0
	echo Running tests..
	chmod +x runtests.sh
	cat runtests.sh
	#./runtests.sh "${{ github.event.pull_request.user.login }}" "${{ github.workflow }}"
	bash ./runtests.sh "${{ github.event.workflow_run.actor.name }}" "${{ github.workflow }}"
	export ret_value=$?
	echo ret_value $ret_value
	cat runtests.out
	echo Tests executed.
	echo "run_tests=OK" >> $GITHUB_OUTPUT

	#
	# For demo purposes, the check merge condition will always be set to FALSE (avoiding to merge)
	#
	- name: pr_check_conditions_to_merge
	id: check_pr
	run: \|
	echo "check_conditions_to_merge"
	PR_ID=$(<PR_ID.txt)
	PR_TITLE=$(<PR_TITLE.txt)
	echo "Checking conditions to merge PR with id $PR_ID and Title $PR_TITLE"
	echo "Checking conditions to merge PR with id $PR_ID and Title $(<PR_TITLE.txt)"
	echo "merge=false" >> $GITHUB_OUTPUT

	- name: pr_merge_pr_false
	if: steps.check_pr.outputs.merge == 'false'
	run: \|
	echo "The merge check was ${{ steps.check_pr.outputs.merge }}"
	echo "Merge conditions NOT MEET!!!"


	- name: pr_merge_pr_true
	if: steps.check_pr.outputs.merge == 'true' && steps.run_tests.outputs.run_tests == 'OK'
	run: \|
	echo "The merge check was ${{ steps.check_pr.outputs.merge }}"
	echo "Merge conditions successfully MEET!!!"
	echo "Merging .."
	PR_ID=$(<PR_ID.txt)
	curl -L \
	-X PUT \
	-H "Accept: application/vnd.github+json" \
	-H "Authorization: Bearer $GITHUB_PAT" \
	-H "X-GitHub-Api-Version: 2022-11-28" \
	https://api.github.com/repos/lgvorg1/"${{github.event.repository.name}}"/pulls/"$PR_ID"/merge \
	-d '{"commit_title":"Expand enum","commit_message":"Add a new value to the merge_method enum"}'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Test CI #102

Workflow file

Test CI #102

Jobs

Run details

Workflow file for this run