test: add a debug workflow

ramonpetgrave64 · ramonpetgrave64 · commit e9e062a4f0c9 · 2025-02-11T14:22:11.000-05:00
Signed-off-by: Ramon Petgrave &lt;ramon.petgrave64@gmail.com&gt;
diff --git a/.github/workflows/debug-bundle.yml b/.github/workflows/debug-bundle.yml
@@ -0,0 +1,124 @@
+name: debug-generic-generator
+
+on:
+  push:
+
+permissions: read-all
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  SLSA_VERIFIER_BRANCH: sghg-go-bundle
+  TEST_SLSA_GITHUB_GENERATOR_BRANCH: ${{ github.ref }}
+
+jobs:
+  generic-build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build artifacts
+        run: |
+          # These are some amazing artifacts.
+          echo "foo" > artifact1
+          echo "bar" > artifact2
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact1 artifact2 ... | base64 -w0
+          echo "hashes=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT"
+      - name: Upload artifact1
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifact1
+          path: artifact1
+          if-no-files-found: error
+          retention-days: 5
+
+      - name: Upload artifact2
+        uses: actions/upload-artifact@v4
+        with:
+          name: artifact2
+          path: artifact2
+          if-no-files-found: error
+          retention-days: 5
+
+  generic-provenance:
+    needs: generic-build
+    permissions:
+      id-token: write # For signing.
+      contents: write # For asset uploads.
+      actions: read # For reading workflow info.
+    uses: ./.github/workflows/generator_generic_slsa3.yml
+    with:
+      base64-subjects: "${{ needs.generic-build.outputs.hashes }}"
+      compile-generator: true
+      provenance-name: generic-build.intoto.jsonl
+      upload-assets: true
+
+  generic-verify:
+    needs: generic-provenance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact1
+        uses: actions/download-artifact@v4
+        with:
+          name: artifact1
+      - name: Download artifact2
+        uses: actions/download-artifact@v4
+        with:
+          name: artifact2
+      - name: Download provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: "${{ needs.generic-provenance.outputs.provenance-name }}"
+      - uses: actions/setup-go@v5
+      - name: Setup slsa-verifier
+        run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
+      - name: Verify
+        run: |
+          SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
+            artifact1 artifact2 \
+            --provenance-path generic-build.intoto.jsonl \
+            --source-uri github.com/slsa-framework/slsa-github-generator \
+            --source-branch ${{ env.SLSA_GITHUB_GENERATOR_BRANCH }} \
+            --print-provenance
+  go-build:
+    permissions:
+      id-token: write # To sign the provenance.
+      contents: write # To upload assets to release.
+      actions: read # To read the workflow path.
+    uses: ./.github/workflows/builder_go_slsa3.yml
+    with:
+      go-version-file: 'go.mod'
+      config-file: .github/workflows/configs-container/config-release.yml
+      compile-builder: true
+
+  go-verify:
+    needs: [generic-provenance, go-build]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: "${{ needs.go-build.outputs.go-binary-name }}"
+      - name: Download provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: "${{ needs.go-build.outputs.go-provenance-name }}"
+      - uses: actions/setup-go@v5
+      - name: Setup slsa-verifier
+        run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@${{ env.SLSA_VERIFIER_BRANCH }}
+      - name: Verify
+        env:
+          ARTIFACT: "${{ needs.go-build.outputs.go-binary-name }}"
+          PROVENANCE: "${{ needs.go-build.outputs.go-provenance-name }}"
+        run: |
+          SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
+            "$ARTIFACT" \
+            --provenance-path "$PROVENANCE" \
+            --source-uri github.com/slsa-framework/slsa-github-generator \
+            --source-branch ${{ env.SLSA_GITHUB_GENERATOR_BRANCH }} \
+            --print-provenance
