chore: Add download actions to Maven builder (#2613)

AdamKorcz · web-flow · commit d24abf9079e7 · 2023-08-09T09:35:34.000-07:00
Fixes https://github.com/slsa-framework/example-package/pull/253/files#r1286136135 and https://github.com/slsa-framework/example-package/pull/253/files#r1286139565 Signed-off-by: AdamKorcz <adam@adalogics.com>
diff --git a/actions/maven/secure-download-attestations/action.yml b/actions/maven/secure-download-attestations/action.yml
@@ -0,0 +1,36 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Secure attestion download for maven builder"
+description: "Download the attestations-directory produced by the Maven builder and verify its SHA256"
+inputs:
+  name:
+    description: "Name of provenance directory. This is generated by the Maven builder."
+    required: true
+  path:
+    description: "The path to download the attestations directory into. (Must be under the GITHUB_WORKSPACE)"
+    required: true
+  sha256:
+    description: "SHA256 of the file for verification. This is generated by the Maven builder"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download the attestation directory
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ inputs.path }}
+        sha256: ${{ inputs.sha256 }}
diff --git a/actions/maven/secure-download-target/action.yml b/actions/maven/secure-download-target/action.yml
@@ -0,0 +1,36 @@
+# Copyright 2023 SLSA Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: "Secure target directory download for maven builder"
+description: "Download the 'target'-directory and verify its SHA256"
+inputs:
+  name:
+    description: "Name of the target directory. The Maven builder makes this 'target'."
+    required: true
+  path:
+    description: "The path to download the target directory into. (Must be under the GITHUB_WORKSPACE)"
+    required: true
+  sha256:
+    description: "SHA256 of the file for verification."
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download the target directory
+      uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-folder@main
+      with:
+        name: ${{ inputs.name }}
+        path: ${{ inputs.path }}
+        sha256: ${{ inputs.sha256 }}
