Skip to content
.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml

.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml #1284

Sign in to view logs

.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml

.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml #1284

Workflow file for this run

.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml at b689835
on:
schedule:
- cron: "0 4 * * *"
workflow_dispatch:
permissions: read-all
concurrency: "e2e.generic.schedule.main.multi-uses.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
jobs:
build-one:
outputs:
digests: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "build 1 artifact 1" > artifact1
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: artifacts1
if-no-files-found: error
retention-days: 5
path: |
artifact1
- name: Generate hashes
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum artifact1 | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance-one:
needs: [build-one]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build-one.outputs.digests }}"
compile-generator: true
provenance-name: "attestation1.intoto.jsonl"
verify-one:
runs-on: ubuntu-latest
needs: [build-one, provenance-one]
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download binary
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: artifacts1
- name: Download provenance
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: ${{ needs.provenance-one.outputs.provenance-name }}
- name: Setup Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: "1.24"
- name: Verify provenance artifact1
env:
BINARY: artifact1
PROVENANCE: ${{ needs.provenance-one.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
build-two:
outputs:
digests: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "build 2 artifact 1" > artifact1
- name: Upload artifacts
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: artifacts2
if-no-files-found: error
retention-days: 5
# Note: we use artifact as a binary name to verify it does not intefere with the
# other build1 which also uses the same binary name.
# We use a different artifact name to differentiate the two (name: artifacts2).
path: |
artifact1
- name: Generate hashes
shell: bash
id: hash
run: |
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
# sha256sum artifact1 artifact2 ... | base64 -w0
echo "hashes=$(sha256sum artifact1 | base64 -w0)" >> "${GITHUB_OUTPUT}"
provenance-two:
needs: [build-two]
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
with:
base64-subjects: "${{ needs.build-two.outputs.digests }}"
compile-generator: true
provenance-name: "attestation2.intoto.jsonl"
verify-two:
runs-on: ubuntu-latest
needs: [build-two, provenance-two]
steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Download binary
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: artifacts2
- name: Download provenance
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
with:
name: ${{ needs.provenance-two.outputs.provenance-name }}
- name: Setup Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
with:
go-version: "1.24"
- name: Verify provenance artifact2
env:
BINARY: artifact1
PROVENANCE: ${{ needs.provenance-two.outputs.provenance-name }}
run: ./.github/workflows/scripts/e2e.generic.default.verify.sh
if-succeeded:
runs-on: ubuntu-latest
needs:
[
build-one,
provenance-one,
verify-one,
build-two,
provenance-two,
verify-two,
]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: github.event_name == 'schedule' && needs.build-one.result == 'success' && needs.provenance-one.result == 'success' && needs.verify-one.result == 'success' && needs.build-two.result == 'success' && needs.provenance-two.result == 'success' && needs.verify-two.result == 'success'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
runs-on: ubuntu-latest
needs:
[
build-one,
provenance-one,
verify-one,
build-two,
provenance-two,
verify-two,
]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: always() && github.event_name == 'schedule' && (needs.build-one.result == 'failure' || needs.provenance-one.result == 'failure' || needs.verify-one.result == 'failure' || needs.build-two.result == 'failure' || needs.provenance-two.result == 'failure' || needs.verify-two.result == 'failure')
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- run: ./.github/workflows/scripts/e2e-report-failure.sh