e2e.generic.schedule.main.multi-uses.slsa3.yml

on:
  schedule:
    - cron: "0 4 * * *"
  workflow_dispatch:

permissions: read-all

concurrency: "e2e.generic.schedule.main.multi-uses.slsa3"

env:
  GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator

jobs:
  build-one:
    outputs:
      digests: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      - name: Build artifacts
        run: |
          # These are some amazing artifacts.
          echo "build 1 artifact 1" > artifact1

      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: artifacts1
          if-no-files-found: error
          retention-days: 5
          path: |
            artifact1

      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          # sha256sum generates sha256 hash for all artifacts.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum artifact1 artifact2 ... | base64 -w0
          echo "hashes=$(sha256sum artifact1 | base64 -w0)" >> "${GITHUB_OUTPUT}"

  provenance-one:
    needs: [build-one]
    permissions:
      id-token: write # For signing.
      contents: write # For asset uploads.
      actions: read # For the entrypoint.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
    with:
      base64-subjects: "${{ needs.build-one.outputs.digests }}"
      compile-generator: true
      provenance-name: "attestation1.intoto.jsonl"

  verify-one:
    runs-on: ubuntu-latest
    needs: [build-one, provenance-one]
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download binary
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: artifacts1
      - name: Download provenance
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ needs.provenance-one.outputs.provenance-name }}
      - name: Setup Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.24"
      - name: Verify provenance artifact1
        env:
          BINARY: artifact1
          PROVENANCE: ${{ needs.provenance-one.outputs.provenance-name }}
        run: ./.github/workflows/scripts/e2e.generic.default.verify.sh

  build-two:
    outputs:
      digests: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    steps:
      - name: Build artifacts
        run: |
          # These are some amazing artifacts.
          echo "build 2 artifact 1" > artifact1

      - name: Upload artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: artifacts2
          if-no-files-found: error
          retention-days: 5
          # Note: we use artifact as a binary name to verify it does not intefere with the
          # other build1 which also uses the same binary name.
          # We use a different artifact name to differentiate the two (name: artifacts2).
          path: |
            artifact1

      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          # sha256sum generates sha256 hash for all artifacts.
          # base64 -w0 encodes to base64 and outputs on a single line.
          # sha256sum artifact1 artifact2 ... | base64 -w0
          echo "hashes=$(sha256sum artifact1 | base64 -w0)" >> "${GITHUB_OUTPUT}"

  provenance-two:
    needs: [build-two]
    permissions:
      id-token: write # For signing.
      contents: write # For asset uploads.
      actions: read # For the entrypoint.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
    with:
      base64-subjects: "${{ needs.build-two.outputs.digests }}"
      compile-generator: true
      provenance-name: "attestation2.intoto.jsonl"

  verify-two:
    runs-on: ubuntu-latest
    needs: [build-two, provenance-two]
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Download binary
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: artifacts2
      - name: Download provenance
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ needs.provenance-two.outputs.provenance-name }}
      - name: Setup Go
        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
        with:
          go-version: "1.24"
      - name: Verify provenance artifact2
        env:
          BINARY: artifact1
          PROVENANCE: ${{ needs.provenance-two.outputs.provenance-name }}
        run: ./.github/workflows/scripts/e2e.generic.default.verify.sh

  if-succeeded:
    runs-on: ubuntu-latest
    needs:
      [
        build-one,
        provenance-one,
        verify-one,
        build-two,
        provenance-two,
        verify-two,
      ]
    # NOTE: The workflow is allowed to run for other event types but don't post
    # to issues unless it's a schedule event.
    if: github.event_name == 'schedule' && needs.build-one.result == 'success' && needs.provenance-one.result == 'success' && needs.verify-one.result == 'success' && needs.build-two.result == 'success' && needs.provenance-two.result == 'success' && needs.verify-two.result == 'success'
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: ./.github/workflows/scripts/e2e-report-success.sh

  if-failed:
    runs-on: ubuntu-latest
    needs:
      [
        build-one,
        provenance-one,
        verify-one,
        build-two,
        provenance-two,
        verify-two,
      ]
    # NOTE: The workflow is allowed to run for other event types but don't post
    # to issues unless it's a schedule event.
    if: always() && github.event_name == 'schedule' && (needs.build-one.result == 'failure' || needs.provenance-one.result == 'failure' || needs.verify-one.result == 'failure' || needs.build-two.result == 'failure' || needs.provenance-two.result == 'failure' || needs.verify-two.result == 'failure')
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - run: ./.github/workflows/scripts/e2e-report-failure.sh