.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml #25734
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| schedule: | |
| - cron: "0 4 * * *" | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" # triggers only if push new tag version, like `v0.8.4` or else | |
| permissions: read-all | |
| concurrency: "e2e.container-based.tag.main.default.slsa3" | |
| env: | |
| # TODO: Replace this token. | |
| GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| PROVENANCE_NAME: attestation.intoto | |
| DEFAULT_VERSION: v35.0.0 | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: ./.github/workflows/scripts/e2e-create-release.sh | |
| shim: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref_type == 'tag' | |
| outputs: | |
| continue: ${{ steps.verify.outputs.continue }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - id: verify | |
| run: ./.github/workflows/scripts/e2e-verify-release.sh | |
| build: | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| needs: shim | |
| permissions: | |
| id-token: write # For signing | |
| actions: read | |
| contents: write # For asset uploads | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/builder_container-based_slsa3.yml@main | |
| with: | |
| builder-image: "bash" | |
| builder-digest: "sha256:9e2ba52487d945504d250de186cb4fe2e3ba023ed2921dd6ac8b97ed43e76af9" | |
| config-path: ".github/configs-docker/config.toml" | |
| provenance-name: attestation.intoto | |
| compile-builder: true | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: ${{ needs.build.outputs.build-outputs-name }} | |
| path: outputs | |
| - name: Get build artifact | |
| id: build | |
| run: | | |
| name=$(find outputs/ -type f | head -1) | |
| cp "${name}" . | |
| echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}" | |
| - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0 | |
| with: | |
| name: ${{ needs.build.outputs.attestations-download-name }} | |
| path: attestations | |
| - name: Get attestation | |
| id: att | |
| env: | |
| FOLDER: attestations | |
| run: | | |
| name=$(find "${FOLDER}"/ -type f | head -1) | |
| cp "${name}" . | |
| echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}" | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| - env: | |
| BINARY: ${{ steps.build.outputs.name }} | |
| PROVENANCE: ${{ steps.att.outputs.name }} | |
| run: ./.github/workflows/scripts/e2e.container-based.default.verify.sh | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, verify] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, verify] | |
| if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.verify.result == 'failure') | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |