-
Notifications
You must be signed in to change notification settings - Fork 2
76 lines (62 loc) · 2.1 KB
/
Copy pathslsa.yml
File metadata and controls
76 lines (62 loc) · 2.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# SPDX-FileCopyrightText: 2026 Frans van Dorsselaer
#
# SPDX-License-Identifier: MIT
---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: SLSA
on:
workflow_dispatch:
inputs:
# checkov:skip=CKV_GHA_7: Required input for generating SLSA provenance for an existing release.
tag_name:
description: 'The existing release tag to generate provenance for (e.g., v1.2.0)'
required: true
type: string
permissions: {}
jobs:
subjects:
name: Subjects
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
hashes: ${{ steps.compute-hashes.outputs.hashes }}
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Download Existing Release Assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
RELEASE: ${{ inputs.tag_name }}
run: |
gh release download "${RELEASE}" --dir release-artifacts
- name: Fail if provenance already exists
run: |
shopt -s nullglob
PROVENANCE=(release-artifacts/*.intoto.jsonnl)
if [ ${#PROVENANCE[@]} -gt 0 ]; then
echo "Provenance file(s) already exist."
exit 1
fi
- name: Compute Hashes
id: compute-hashes
shell: bash
run: |
cd release-artifacts
ASSETS=(*)
echo "hashes=$(sha256sum -- "${ASSETS[@]}" | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [subjects]
# This will fail, because generator_generic_slsa3 demands using version pinning, instead of hash pinning.
# Instead, use the workflow from the 'slsa' branch.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
permissions:
actions: read
id-token: write
contents: write
with:
base64-subjects: ${{ needs.subjects.outputs.hashes }}
upload-assets: true
upload-tag-name: ${{ inputs.tag_name }}