1+ name : debug-generic-generator
2+
3+ on :
4+ pull_request :
5+
6+ permissions : read-all
7+
8+ env :
9+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
10+ SLSA_VERIFIER_BRANCH : sghg-go-bundle
11+ TEST_SLSA_GITHUB_GENERATOR_BRANCH : ${{ github.head_ref }}
12+
13+ jobs :
14+ generic-build :
15+ outputs :
16+ hashes : ${{ steps.hash.outputs.hashes }}
17+ runs-on : ubuntu-latest
18+ steps :
19+ - name : Build artifacts
20+ run : |
21+ # These are some amazing artifacts.
22+ echo "foo" > artifact1
23+ echo "bar" > artifact2
24+ - name : Generate hashes
25+ shell : bash
26+ id : hash
27+ run : |
28+ # sha256sum generates sha256 hash for all artifacts.
29+ # base64 -w0 encodes to base64 and outputs on a single line.
30+ # sha256sum artifact1 artifact2 ... | base64 -w0
31+ echo "hashes=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT"
32+ - name : Upload artifact1
33+ uses : actions/upload-artifact@v4
34+ with :
35+ name : artifact1
36+ path : artifact1
37+ if-no-files-found : error
38+ retention-days : 5
39+
40+ - name : Upload artifact2
41+ uses : actions/upload-artifact@v4
42+ with :
43+ name : artifact2
44+ path : artifact2
45+ if-no-files-found : error
46+ retention-days : 5
47+
48+ generic-provenance :
49+ needs : generic-build
50+ permissions :
51+ id-token : write # For signing.
52+ contents : write # For asset uploads.
53+ actions : read # For reading workflow info.
54+ uses : ./.github/workflows/generator_generic_slsa3.yml
55+ with :
56+ base64-subjects : " ${{ needs.generic-build.outputs.hashes }}"
57+ compile-generator : true
58+ provenance-name : generic-build.intoto.jsonl
59+ upload-assets : true
60+
61+ generic-verify :
62+ needs : generic-provenance
63+ runs-on : ubuntu-latest
64+ steps :
65+ - name : Download artifact1
66+ uses : actions/download-artifact@v4
67+ with :
68+ name : artifact1
69+ - name : Download artifact2
70+ uses : actions/download-artifact@v4
71+ with :
72+ name : artifact2
73+ - name : Download provenance
74+ uses : actions/download-artifact@v4
75+ with :
76+ name : " ${{ needs.generic-provenance.outputs.provenance-name }}"
77+ - uses : actions/setup-go@v5
78+ - name : Setup slsa-verifier
79+ run : go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
80+ - name : Verify
81+ run : |
82+ SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
83+ artifact1 artifact2 \
84+ --provenance-path generic-build.intoto.jsonl \
85+ --source-uri github.com/slsa-framework/slsa-github-generator \
86+ --source-branch ${{ env.SLSA_GITHUB_GENERATOR_BRANCH }} \
87+ --print-provenance
88+ go-build :
89+ permissions :
90+ id-token : write # To sign the provenance.
91+ contents : write # To upload assets to release.
92+ actions : read # To read the workflow path.
93+ uses : ./.github/workflows/builder_go_slsa3.yml
94+ with :
95+ go-version-file : ' go.mod'
96+ config-file : .github/workflows/configs-container/config-release.yml
97+ compile-builder : true
98+
99+ go-verify :
100+ needs : [generic-provenance, go-build]
101+ runs-on : ubuntu-latest
102+ steps :
103+ - name : Download artifact
104+ uses : actions/download-artifact@v4
105+ with :
106+ name : " ${{ needs.go-build.outputs.go-binary-name }}"
107+ - name : Download provenance
108+ uses : actions/download-artifact@v4
109+ with :
110+ name : " ${{ needs.go-build.outputs.go-provenance-name }}"
111+ - uses : actions/setup-go@v5
112+ - name : Setup slsa-verifier
113+ run : go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
114+ - name : Verify
115+ env :
116+ ARTIFACT : " ${{ needs.go-build.outputs.go-binary-name }}"
117+ PROVENANCE : " ${{ needs.go-build.outputs.go-provenance-name }}"
118+ run : |
119+ SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
120+ "$ARTIFACT" \
121+ --provenance-path "$PROVENANCE" \
122+ --source-uri github.com/slsa-framework/slsa-github-generator \
123+ --source-branch ${{ env.SLSA_GITHUB_GENERATOR_BRANCH }} \
124+ --print-provenance
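Review bot: `--source-branch ${{ env.SLSA_GITHUB_GENERATOR_BRANCH }}` on lines 86 and 123 reads an env key this workflow never defines; the top-level `env` block sets `TEST_SLSA_GITHUB_GENERATOR_BRANCH` (line 11), so the expression presumably expands to an empty string and `--source-branch` will take `--print-provenance` as its value, leaving both Verify steps failing or checking the wrong branch. Either rename line 11 to `SLSA_GITHUB_GENERATOR_BRANCH: ${{ github.head_ref }}` or change both references to the `TEST_` name. Because that value derives from `github.head_ref`, which the pull request author chooses, read it through the shell environment instead of expanding it into the script text, e.g. `--source-branch "$SLSA_GITHUB_GENERATOR_BRANCH" \` (the job-level `env` already exports it), as the go-verify step does for `$ARTIFACT` and `$PROVENANCE`. Separately, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/setup-go@v5` and the `go install ...@sghg-go-bundle` reference are all mutable tags/branches; pinning the actions to a full commit SHA with a `# vX.Y.Z` comment would make the test run against known action code rather than whatever the tag points at on the day.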