Skip to content

Try out new provenance workflow - DO NOT MERGE #2

Try out new provenance workflow - DO NOT MERGE

Try out new provenance workflow - DO NOT MERGE #2

name: Build Provenances
on:
workflow_dispatch:
inputs:
build-config-path:
required: true
type: string
secrets:
GCP_SERVICE_ACCOUNT_KEY_JSON:
required: true
jobs:
get_inputs:
outputs:
# Resolves to a single file which is passed to the SLSA provenance
# generator.
artifact-path: ${{ steps.parse-build-config.outputs.artifact-path }}
# The name of the internal TR package. This must coincide with the
# basename of the buildconfig.
package-name: ${{ steps.parse-build-config.outputs.package-name }}
builder-digest: ${{ steps.builder-digest.outputs.builder-digest }}
runs-on: ubuntu-20.04
steps:
- name: Mount main branch
uses: actions/checkout@v4
- name: Parse build config
id: parse-build-config
run: |
set -o errexit
set -o nounset
set -o xtrace
set -o pipefail
artifact_path="$(tail -1 ${{ inputs.build-config-path }} | grep -oP 'artifact_path = \K(.*)')"
package_name="$(basename ${{ inputs.build-config-path }} .toml)"
echo "artifact-path=${artifact_path}" >> $GITHUB_OUTPUT
echo "package-name=${package_name}" >> $GITHUB_OUTPUT
- name: Get builder image info
id: builder-digest
run: |
set -o errexit
set -o nounset
set -o xtrace
set -o pipefail
source ./scripts/common
digest="$(echo "${DOCKER_IMAGE_REPO_DIGEST}" | cut -d'@' -f2)"
echo "builder-digest=${digest}" >> $GITHUB_OUTPUT
- name: Print values
run: |
echo "${{ steps.parse-build-config.outputs.artifact-path }}"
echo "${{ steps.parse-build-config.outputs.package-name }}"
echo "${{ steps.builder-digest.outputs.builder-digest }}"
generate_provenance:
needs: [get_inputs]
permissions:
id-token: write
attestations: write
contents: read
uses: actions/attest-build-provenance@v1

Check failure on line 65 in .github/workflows/reusable_provenance2.yaml

View workflow run for this annotation

GitHub Actions / .github/workflows/reusable_provenance2.yaml

Invalid workflow file

invalid value workflow reference: references to workflows must be rooted in '.github/workflows'
with:
subject-path: ${{ needs.get_inputs.outputs.artifact-path }}
# Uploads the provenance generated in the previous step to GCS.
upload_provenance:
if: |
github.event_name != 'pull_request' || contains(github.event.pull_request.labels.*.name, 'provenance:force-run')
needs: [get_inputs, generate_provenance]
runs-on: ubuntu-20.04
permissions:
# Allow the job to update the repo with the latest provenance info and index.
contents: write
steps:
- name: 'Authenticate to Google Cloud'
uses: 'google-github-actions/auth@v2'
with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
- name: 'Set up Google Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: 'Google Cloud info'
run: |
set -o errexit
set -o nounset
set -o xtrace
set -o pipefail
gcloud --version
gsutil --version
- name: Download the built artifact
uses: actions/download-artifact@v4
with:
name: ${{ needs.generate_provenance.outputs.build-outputs-name }}
path: downloads
- name: Download the DSSE document
uses: actions/download-artifact@v4
with:
name:
${{ needs.generate_provenance.outputs.attestations-download-name }}
path: downloads
- name: Debug step - Display structure of downloaded files
run: ls --recursive
working-directory: downloads
- name: Upload binary and provenance
id: upload_binary
working-directory: downloads
# The output on any trigger other than "pull_request" has an additional
# ".sigstore" suffix. However, that suffix appears to be ".build.slsa".
# See https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker#workflow-outputs
# The artifact path may be a wildcard that resolves to multiple files.
run: |
set -o errexit
set -o nounset
set -o xtrace
set -o pipefail
bucket_name=oak-bins
provenance_file="attestation.intoto"
if [[ "${{ github.event_name }}" != "pull_request" ]]; then
provenance_file="${provenance_file}.build.slsa"
fi
package_name=${{ needs.get_inputs.outputs.package-name }}
binary_file=${{ needs.get_inputs.outputs.artifact-path }}
binary_digest="$(ent put --digest-format=human --porcelain "${binary_file}")"
provenance_digest="$(ent put --digest-format=human --porcelain "${provenance_file}")"
# Upload the file directly to a dedicated GCS bucket.
binary_path="binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_file})"
gsutil cp "${binary_file}" "gs://${bucket_name}/${binary_path}"
binary_url="https://storage.googleapis.com/${bucket_name}/${binary_path}"
# Index the file via http://static.space so that, regardless of the GCS bucket and path,
# it may be easily located by its digest.
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
provenance_path="provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_file})"
gsutil cp "${provenance_file}" "gs://${bucket_name}/${provenance_path}"
provenance_url="https://storage.googleapis.com/${bucket_name}/${provenance_path}"
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot
# Debug step similar to `upload_provenance`, but runs on pull-request events.
# Differs from `upload_provenance` in that it does not publish anything.
debug_provenance:
if: github.event_name == 'pull_request'
needs: [get_inputs, generate_provenance]
runs-on: ubuntu-20.04
steps:
- name: Download the built artifact
uses: actions/download-artifact@v4
with:
name: ${{ needs.generate_provenance.outputs.build-outputs-name }}
path: downloads
- name: Download the DSSE document
uses: actions/download-artifact@v4
with:
name:
${{ needs.generate_provenance.outputs.attestations-download-name }}
path: downloads
- name: Display structure after downloading the files (debug step)
run: ls --recursive
working-directory: downloads
- name: Print binary digest
working-directory: downloads
run: echo "$(sha256sum ${{ needs.get_inputs.outputs.artifact-path }})"
- name: Print provenance digest
working-directory: downloads
run: |
echo "$(sha256sum attestation.intoto)"