@@ -28,13 +28,24 @@ jobs:
2828 id-token : write
2929 contents : read
3030 actions : read
31+ env :
32+ CHAINLOOP_VERSION : 0.83.0
33+ CHAINLOOP_ROBOT_ACCOUNT : ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT_SCORECARDS }}
3134
3235 steps :
36+ - name : Install Chainloop
37+ run : |
38+ curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
39+
3340 - name : " Checkout code"
3441 uses : actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
3542 with :
3643 persist-credentials : false
3744
45+ - name : Initialize Attestation
46+ run : |
47+ chainloop attestation init
48+
3849 - name : " Run analysis"
3950 uses : ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
4051 with :
5566 # of the value entered here.
5667 publish_results : true
5768
69+ - name : Add Attestation (Sarif results)
70+ run : |
71+ chainloop attestation add --name sarif-results --value results.sarif
72+
5873 # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
5974 # format to the repository Actions tab.
6075 - name : " Upload artifact"
6984 uses : github/codeql-action/upload-sarif@6a28655e3dcb49cb0840ea372fd6d17733edd8a4 # v2.21.8
7085 with :
7186 sarif_file : results.sarif
87+
88+ - name : Finish and Record Attestation
89+ if : ${{ success() }}
90+ run : |
91+ chainloop attestation status --full
92+ chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
93+ env :
94+ CHAINLOOP_SIGNING_PASSWORD : ${{ secrets.COSIGN_PASSWORD }}
95+ CHAINLOOP_SIGNING_KEY : ${{ secrets.COSIGN_KEY }}
96+
97+ - name : Mark attestation as failed
98+ if : ${{ failure() }}
99+ run : |
100+ chainloop attestation reset
101+
102+ - name : Mark attestation as cancelled
103+ if : ${{ cancelled() }}
104+ run : |
105+ chainloop attestation reset --trigger cancellation
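Review bot: The job-level `env` block added at new lines 31-33 puts `CHAINLOOP_ROBOT_ACCOUNT` into the environment of every step in the job, including the third-party `actions/checkout`, `ossf/scorecard-action` and `upload-sarif` steps, whereas the signing key and password are correctly limited to the push step. Setting it per step on the ones that actually invoke `chainloop` (init, add, push and both resets) keeps the token away from actions that do not need it, e.g. a step-level `env:` with `CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT_SCORECARDS }}`. In the install step the script itself is pinned to a commit, but whether the binary it fetches for v0.83.0 is checksum- or signature-verified is not visible here, and this job holds `id-token: write`; it is worth confirming that verification happens before the attestation steps run. That step also pipes `curl` into `bash` without `set -o pipefail`, so a failed download would likely only surface later as a missing `chainloop` command rather than failing the install step.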