@@ -93,21 +93,19 @@ jobs:
9393 fetch-depth : 0 # needed for flake.nix to resolve self.shortRev
9494 persist-credentials : false
9595
96- - name : In-Toto Provenance record start
97- uses : docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0
98- with :
99- args : devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
100- continue-on-error : true
101-
10296 - uses : cachix/install-nix-action@v31
10397 with :
10498 extra_nix_config : |
10599 experimental-features = nix-command flakes
106100 ${{ inputs.nix-cache-substituter != '' && format('substituters = https://cache.nixos.org {0}', inputs.nix-cache-substituter) || '' }}
107101 ${{ inputs.nix-cache-public-key != '' && format('trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= {0}', inputs.nix-cache-public-key) || '' }}
108102
109- - name : Install crane
110- run : nix profile install nixpkgs#crane
103+ - name : Install crane and devguard-scanner
104+ run : nix profile install nixpkgs#crane .#devguardScanner
105+
106+ - name : In-Toto Provenance record start
107+ run : devguard-scanner intoto start --step=build --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }}
108+ continue-on-error : true
111109
112110 - name : Write Nix cache secret key
113111 if : ${{ inputs.nix-cache-s3-endpoint != '' }}
@@ -148,20 +146,16 @@ jobs:
148146
149147 - name : Set image tag
150148 id : set-image-tag
151- uses : docker://ghcr.io/l3montree-dev/devguard/scanner:main-latest
152- with :
153- args : >
154- sh -c "
155- devguard-scanner generate-tag
156- --imagePath='${{ inputs.image-name }}'
157- --ref='${{ github.ref_name }}'
158- --architecture='${{ inputs.arch }}'
159- >> image-tag-env.txt
160- IMAGE_TAG=$(grep '^IMAGE_TAG=' image-tag-env.txt | cut -d= -f2-)
161- echo \"\$IMAGE_TAG\" > image-tag.txt
162- echo \"image_tag=\$IMAGE_TAG\" >> \"\$GITHUB_OUTPUT\"
163- echo \"IMAGE_TAG=\$IMAGE_TAG\" >> \"\$GITHUB_ENV\"
164- "
149+ run : |
150+ devguard-scanner generate-tag \
151+ --imagePath='${{ inputs.image-name }}' \
152+ --ref='${{ github.ref_name }}' \
153+ --architecture='${{ inputs.arch }}' \
154+ >> image-tag-env.txt
155+ IMAGE_TAG=$(grep '^IMAGE_TAG=' image-tag-env.txt | cut -d= -f2-)
156+ echo "$IMAGE_TAG" > image-tag.txt
157+ echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
158+ echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
165159
166160 - name : Upload image-tag artifact
167161 uses : actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 - https://github.com/actions/upload-artifact/releases/tag/v4.6.2
@@ -199,9 +193,7 @@ jobs:
199193 path : artifact-purl-safe.txt
200194
201195 - name : In-Toto Provenance record stop
202- uses : docker://ghcr.io/l3montree-dev/devguard/scanner:v1.0.0
203- with :
204- args : devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
196+ run : devguard-scanner intoto stop --step=build --products=image-digest.txt --products=image-tag.txt --token=${{ secrets.devguard-token }} --apiUrl=${{ inputs.api-url }} --assetName=${{ inputs.asset-name }} --supplyChainId=${{ github.sha }} --generateSlsaProvenance
205197 continue-on-error : true
206198
207199 - name : Upload SLSA Provenance
0 commit comments