From cead76b043d3553195da13ff5e4cf6a0a14d5677 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Wed, 7 Sep 2022 17:20:28 -0500 Subject: [PATCH 1/5] update Signed-off-by: Asra Ali --- .../e2e.container.push.main.default.slsa3.yml | 7 +- .../workflows/scripts/e2e-verify.common.sh | 74 +++++++++++-------- .../scripts/e2e.container.default.verify.sh | 36 +++++++++ 3 files changed, 87 insertions(+), 30 deletions(-) create mode 100644 .github/workflows/scripts/e2e.container.default.verify.sh diff --git a/.github/workflows/e2e.container.push.main.default.slsa3.yml b/.github/workflows/e2e.container.push.main.default.slsa3.yml index 0898221444..e545537ece 100644 --- a/.github/workflows/e2e.container.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.push.main.default.slsa3.yml @@ -124,7 +124,12 @@ jobs: # TODO: use --enforce-sct # TODO: add cue policy for further validation. COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance "${IMAGE_NAME}@${IMAGE_DIGEST}" - # TODO(github.com/slsa-framework/slsa-verifier/issues/92): Add step to verify using slsa-verifier + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + with: + go-version: "1.18" + - env: + CONTAINER: "${IMAGE_NAME}@${IMAGE_DIGEST}" + run: ./.github/workflows/scripts/e2e.container.default.verify.sh if-succeeded: runs-on: ubuntu-latest diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index f309e553be..7785051845 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh 
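Review bot: `CONTAINER: "${IMAGE_NAME}@${IMAGE_DIGEST}"` sits in the step's `env:` mapping, where the runner does not perform shell expansion, so the verify script will receive the literal text `${IMAGE_NAME}@${IMAGE_DIGEST}` rather than an image reference; the cosign call just above only works because it is inside `run:`. Use expression syntax, `CONTAINER: "${{ env.IMAGE_NAME }}@${{ env.IMAGE_DIGEST }}"`, or compute the reference in a shell step and export it through `$GITHUB_ENV`. Where IMAGE_NAME and IMAGE_DIGEST are defined is outside this hunk, so the context (`env.` versus `steps.*.outputs.*`) may need adjusting.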
@@ -79,14 +79,17 @@ verify_provenance_authenticity() { local annotated_tags annotated_tags=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep annotated || true) - # TODO: Currently we only support $BINARY artifacts, not containers. verifierCmd="$verifier" + # After version 1.3.0, we split into subcommands for artifacts and images if [[ "$tag" == HEAD ]] || version_gt "$tag" "v1.3.0"; then - verifierCmd="$verifier verify-artifact" + if [[ -n $BINARY ]]; then + verifierCmd="$verifier verify-artifact" + elif [[ -n $CONTAINER ]] + verifierCmd="$verifier verify-image" + fi fi # This transforms the argument name depending on the verifier tag. read -ra argr <<<"$(e2e_verifier_arg_transformer "$tag")" - read -ra artifactArg <<<"$($argr "artifact-path")" read -ra provenanceArg <<<"$($argr "provenance")" read -ra sourceArg <<<"$($argr "source")" read -ra tagArg <<<"$($argr "tag")" @@ -94,6 +97,12 @@ verify_provenance_authenticity() { read -ra vTagArg <<<"$($argr "versioned-tag")" read -ra workflowInputArg <<<"$($argr "workflow-input")" + # Only versions 1.3.0+ of the verifier can verify containers. + if [[ -n $CONTAINER ]] && version_lt "$tag" "v1.3.0"; then + echo " INFO: container verification at $tag: skipping due to lack of support" + return 0 + fi + if version_le "$tag" "v1.0.0"; then if [[ "$GITHUB_EVENT_NAME" == "release" ]]; then echo " INFO: release trigger at v1.0.0: skipping authenticity verification due to lack of support (https://github.com/slsa-framework/slsa-verifier/pull/89)" 
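Review bot: The two version checks disagree at exactly v1.3.0: the subcommand is selected only when `version_gt "$tag" "v1.3.0"`, while the container skip fires only when `version_lt "$tag" "v1.3.0"`, so a container run against a tag equal to v1.3.0 is neither skipped nor given `verify-image` and falls through to the bare `$verifier` with image arguments. The comments say the same contradictory things ("After version 1.3.0" versus "Only versions 1.3.0+"); pick one boundary, e.g. skip containers with `if [[ -n $CONTAINER ]] && [[ "$tag" != HEAD ]] && ! version_gt "$tag" "v1.3.0"; then`. That form also avoids handing the literal `HEAD` to `version_lt`, which the first branch guards against explicitly and the new skip does not. verify_provenance_authenticity starts before and ends after this hunk.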
@@ -107,23 +116,30 @@ verify_provenance_authenticity() { return 0 fi + # Assemble artifact args: if $BINARY is defined, then this is an artifact, otherwise an image. + if [[ -n $BINARY ]]; then + read -ra artifactArg <<<"$($argr "artifact-path") "$BINARY"" + else + read -ra artifactArg <<<"$CONTAINER" + fi + # Default parameters. # After v1.2.0, branch verification is optional, so we can always verify, # regardless of the branch value. # https://github.com/slsa-framework/slsa-verifier/pull/192 if [[ "$tag" == "HEAD" ]] || version_gt "$tag" "v1.2.0"; then echo " **** Default parameters (annotated tags) *****" - $verifierCmd "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "not main default parameters" elif [[ -z "$annotated_tags" ]]; then # Until v1.2.0, we verified the default branch as "main". if [[ "$BRANCH" == "main" ]]; then echo " **** Default parameters (main) *****" - $verifierCmd "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "main default parameters" else echo " **** Default parameters *****" - $verifierCmd "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "not main default parameters" fi fi 
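Review bot: `read -ra artifactArg <<<"$($argr "artifact-path") "$BINARY""` re-splits the whole string on IFS, so a binary path (or, in the else branch, a container reference) containing whitespace is broken into several arguments, whereas the old call sites passed `"$BINARY"` as a single quoted word. Append to the array instead of splitting the value: `read -ra artifactArg <<<"$($argr "artifact-path")"` followed by `artifactArg+=("$BINARY")`, and `artifactArg=("$CONTAINER")` in the else branch. The nested quotes around `$BINARY` in the current line are also hard to read for the same reason. verify_provenance_authenticity continues outside this hunk.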
@@ -144,34 +160,34 @@ verify_provenance_authenticity() { workflow_inputs=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep workflow_inputs) if [[ -n "$workflow_inputs" ]] && version_gt "$tag" "v1.2.0"; then echo " **** Correct Workflow Inputs *****" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=true + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=true e2e_assert_eq "$?" "0" "should be workflow inputs" echo " **** Wrong Workflow Inputs *****" - $verifierCmd "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=false + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=false e2e_assert_not_eq "$?" "0" "wrong workflow inputs" fi # Correct branch. echo " **** Correct branch *****" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "should be branch $BRANCH" # Wrong branch echo " **** Wrong branch *****" - $verifierCmd "${branchArg[@]}" "not-$GITHUB_REF_NAME" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchArg[@]}" "not-$GITHUB_REF_NAME" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "wrong branch" # Wrong tag echo " **** Wrong tag *****" - $verifierCmd "${tagArg[@]}" v1.2.3 "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${tagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong tag" echo " **** Wrong payload *****" local BAD_PROV BAD_PROV="$(mktemp -t slsa-e2e.XXXXXXXX)" e2e_set_payload "$PROVENANCE" '{"foo": "bar"}' >"$BAD_PROV" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$BAD_PROV" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$BAD_PROV" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong payload" if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then 
@@ -194,82 +210,82 @@ verify_provenance_authenticity() { # Correct vM.N.P echo " **** Correct vM.N.P *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "$MAJOR.$MINOR.$PATCH versioned-tag vM.N.P ($MAJOR.$MINOR.$PATCH) should be correct" # Correct vM.N echo " **** Correct vM.N *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "$MAJOR.$MINOR versioned-tag vM.N ($MAJOR.$MINOR) should be correct" # Correct vM echo " **** Correct vM *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "$MAJOR versioned-tag vm ($MAJOR) should be correct" # Incorrect v(M-1) echo " **** Incorrect v(M-1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "$MAJOR_LESS_ONE versioned-tag should be incorrect" # Incorrect v(M-1).N echo " **** Incorrect v(M-1).N *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR versioned-tag should be incorrect" # Incorrect v(M-1).N.P echo " **** Incorrect v(M-1).N.P *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" # Incorrect vM.(N-1) echo " **** Incorrect vM.(N-1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "$MAJOR.$MINOR_LESS_ONE versioned-tag should be incorrect" # Incorrect vM.(N-1).P echo " **** Incorrect vM.(N-1).P *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE.$PATCH" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE.$PATCH versioned-tag should be incorrect" # Incorrect vM.N.(P-1) echo " **** Incorrect vM.N.(P-1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_LESS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_LESS_ONE versioned-tag should be incorrect" # Incorrect v(M+1) echo " **** Incorrect v(M+1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "$MAJOR_PLUS_ONE versioned-tag should be incorrect" # Incorrect v(M+1).N echo " **** Incorrect v(M+1).N *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR versioned-tag should be incorrect" # Incorrect v(M+1).N.P echo " **** Incorrect v(M+1).N.P *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR.$PATCH versioned-tag should be incorrect" # Incorrect vM.(N+1) echo " **** Incorrect vM.(N+1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "$MAJOR.$MINOR_PLUS_ONE versioned-tag should be incorrect" # Incorrect vM.(N+1).P echo " **** Incorrect vM.(N+1).P *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE.$PATCH" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE.$PATCH versioned-tag should be incorrect" # Incorrect vM.N.(P+1) echo " **** Incorrect vM.N.(P+1) *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_PLUS_ONE" "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_PLUS_ONE versioned-tag should be incorrect" else # Wrong versioned-tag echo " **** Wrong versioned-tag *****" - $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" v1.2.3 "${artifactArg[@]}" "$BINARY" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong versioned-tag" fi } @@ -384,7 +400,7 @@ _new_verifier_args() { source) echo '--source-uri' ;; tag) echo '--source-tag' ;; versioned-tag) echo '--source-versioned-tag' ;; - workflow-input) echo '--build-orkflow-input' ;; + workflow-input) echo '--build-workflow-input' ;; branch) echo '--source-branch' ;; esac } 
diff --git a/.github/workflows/scripts/e2e.container.default.verify.sh b/.github/workflows/scripts/e2e.container.default.verify.sh
new file mode 100644
index 0000000000..9703cffb99
--- /dev/null
+++ b/.github/workflows/scripts/e2e.container.default.verify.sh
@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+
+# shellcheck source=/dev/null
+source "./.github/workflows/scripts/e2e-verify.common.sh"
+
+go env -w GOFLAGS=-mod=mod
+
+# verify_provenance_content verifies provenance content generated by the container generator.
+verify_provenance_content() {
+ ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d)
+ has_assets=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep assets)
+ annotated_tags=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep annotated || true)
+
+ echo " **** Provenance content verification *****"
+
+ # Verify all common provenance fields.
+ e2e_verify_common_all "$ATTESTATION"
+
+ e2e_verify_predicate_subject_name "$ATTESTATION" "$CONTAINER"
+ e2e_verify_predicate_builder_id "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main"
+ e2e_verify_predicate_buildType "$ATTESTATION" "https://github.com/slsa-framework/slsa-github-generator/generic@v1"
+}
+
+THIS_FILE=$(e2e_this_file)
+BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
+echo "branch is $BRANCH"
+echo "GITHUB_REF_NAME: $GITHUB_REF_NAME"
+echo "GITHUB_REF_TYPE: $GITHUB_REF_TYPE"
+echo "GITHUB_REF: $GITHUB_REF"
+echo "DEBUG: file is $THIS_FILE"
+
+# Verify provenance authenticity.
+e2e_run_verifier_all_releases "HEAD"
+
+# Verify the provenance content.
+verify_provenance_content
From 4dd43673fa0acae39fa92411ebb058a8344db218 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Wed, 14 Sep 2022 13:25:24 -0500 Subject: [PATCH 2/5] update for provenance Signed-off-by: Asra Ali lint 
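Review bot: The new script enables no strict mode, so if `jq` or `base64 -d` fails in `ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d)` the function continues with an empty ATTESTATION and the result depends entirely on how the `e2e_verify_*` helpers treat an empty string; unless the sourced common.sh turns it on (not visible here), add `set -euo pipefail` after the `source` line. `go env -w GOFLAGS=-mod=mod` writes persistently to the runner's Go env file rather than configuring this process; `export GOFLAGS=-mod=mod` has the same effect for the verifier build and leaves no state behind. The builder id is pinned to `generator_container_slsa3.yml@refs/heads/main`, which is presumably deliberate for an e2e test of the unreleased generator; a one-line comment saying so would stop a future reader from "fixing" it to a release tag.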
Signed-off-by: Asra Ali --- .../workflows/scripts/e2e-verify.common.sh | 27 +++++++++++++------ .../scripts/e2e.container.default.verify.sh | 10 ++++--- 2 files changed, 25 insertions(+), 12 deletions(-) diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index 7785051845..00d708b89f 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh @@ -84,13 +84,12 @@ verify_provenance_authenticity() { if [[ "$tag" == HEAD ]] || version_gt "$tag" "v1.3.0"; then if [[ -n $BINARY ]]; then verifierCmd="$verifier verify-artifact" - elif [[ -n $CONTAINER ]] + elif [[ -n $CONTAINER ]]; then verifierCmd="$verifier verify-image" fi fi # This transforms the argument name depending on the verifier tag. read -ra argr <<<"$(e2e_verifier_arg_transformer "$tag")" - read -ra provenanceArg <<<"$($argr "provenance")" read -ra sourceArg <<<"$($argr "source")" read -ra tagArg <<<"$($argr "tag")" read -ra branchArg <<<"$($argr "branch")" @@ -123,6 +122,14 @@ verify_provenance_authenticity() { read -ra artifactArg <<<"$CONTAINER" fi + # Assemble the provenance args: for some containers it is attached. + # In that case, provenanceArg and $PROVENANCE are empty. + if [[ -n $PROVENANCE ]]; then + read -ra provenanceArg <<<"$($argr "provenance")" + else + read -ra provenanceArg <<<"" + fi + # Default parameters. # After v1.2.0, branch verification is optional, so we can always verify, # regardless of the branch value. 
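Review bot: Emptying `provenanceArg` does not remove the provenance argument from the invocations further down, because each of them still passes `"$PROVENANCE"` as a separately quoted word; when PROVENANCE is unset that expands to an empty positional argument that `verify-image` receives as a stray path. Fold the value into the array here so that flag and value disappear together: `read -ra provenanceArg <<<"$($argr "provenance")"` then `provenanceArg+=("$PROVENANCE")`, and drop the standalone `"$PROVENANCE"` at the call sites (or write `${PROVENANCE:+"$PROVENANCE"}` there). verify_provenance_authenticity continues outside this hunk.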
@@ -183,12 +190,16 @@ verify_provenance_authenticity() { $verifierCmd "${tagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong tag" - echo " **** Wrong payload *****" - local BAD_PROV - BAD_PROV="$(mktemp -t slsa-e2e.XXXXXXXX)" - e2e_set_payload "$PROVENANCE" '{"foo": "bar"}' >"$BAD_PROV" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$BAD_PROV" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" - e2e_assert_not_eq "$?" "0" "wrong payload" + # Not that for containers with attached provenance, we will skip this test. + # TODO: Add a malicious container test that attaches bad provenance. + if [[ -n $PROVENANCE ]]; then + echo " **** Wrong payload *****" + local BAD_PROV + BAD_PROV="$(mktemp -t slsa-e2e.XXXXXXXX)" + e2e_set_payload "$PROVENANCE" '{"foo": "bar"}' >"$BAD_PROV" + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$BAD_PROV" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + e2e_assert_not_eq "$?" "0" "wrong payload" + fi if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then #TODO: try several versioned-tags and tags. diff --git a/.github/workflows/scripts/e2e.container.default.verify.sh b/.github/workflows/scripts/e2e.container.default.verify.sh index 9703cffb99..5797eef222 100644 --- a/.github/workflows/scripts/e2e.container.default.verify.sh +++ b/.github/workflows/scripts/e2e.container.default.verify.sh @@ -8,8 +8,6 @@ go env -w GOFLAGS=-mod=mod # verify_provenance_content verifies provenance content generated by the container generator. verify_provenance_content() { ATTESTATION=$(jq -r '.payload' <"$PROVENANCE" | base64 -d) - has_assets=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep assets) - annotated_tags=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep annotated || true) echo " **** Provenance content verification *****" 
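Review bot: The `mktemp` file assigned to `BAD_PROV` is never removed, so every run leaves a tampered provenance file behind in the temp directory; add `rm -f -- "$BAD_PROV"` after the assertion, or register an EXIT trap at file scope. The new comment also has a typo: `# Not that for containers with attached provenance, we will skip this test.` should read `# Note that for containers with attached provenance, we skip this test.` The function continues outside this hunk.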
@@ -32,5 +30,9 @@ echo "DEBUG: file is $THIS_FILE" # Verify provenance authenticity. e2e_run_verifier_all_releases "HEAD" -# Verify the provenance content. -verify_provenance_content +# TODO: Add provenance content verification for containers with +# with provenance attached on the OCI registry. +if [[ -n $PROVENANCE ]]; then + verify_provenance_content +fi + From f312f2d92c078d360c4c02f3a65529a06b47e0be Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Wed, 14 Sep 2022 13:39:45 -0500 Subject: [PATCH 3/5] shellcheck Signed-off-by: Asra Ali --- .github/workflows/scripts/e2e-verify.common.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index 00d708b89f..eccc0b1be4 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh @@ -117,9 +117,9 @@ verify_provenance_authenticity() { # Assemble artifact args: if $BINARY is defined, then this is an artifact, otherwise an image. if [[ -n $BINARY ]]; then - read -ra artifactArg <<<"$($argr "artifact-path") "$BINARY"" + read -ra artifactArg <<<"$($argr "artifact-path") ${BINARY}" else - read -ra artifactArg <<<"$CONTAINER" + read -ra artifactArg <<<"${CONTAINER}" fi # Assemble the provenance args: for some containers it is attached. From 04efa9d1229767dedb6424f9de7ac7c85e3a1c01 Mon Sep 17 00:00:00 2001 From: Asra Ali Date: Thu, 15 Sep 2022 13:54:22 -0500 Subject: [PATCH 4/5] fix 
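Review bot: Skipping `verify_provenance_content` when PROVENANCE is empty leaves no trace in the log that the subject, builder-id and buildType checks did not run, so a workflow that never sets PROVENANCE looks identical to one that passed them. Add an else branch in the style used by common.sh, `echo " INFO: PROVENANCE not set: skipping provenance content verification"`, and consider making this a failure for the workflows that are expected to supply a provenance file. The added trailing blank line at end of file can be dropped.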
Signed-off-by: Asra Ali --- .../e2e.container.push.main.default.slsa3.yml | 22 ++--- ....container.schedule.main.default.slsa3.yml | 14 +-- .../e2e.container.tag.main.default.slsa3.yml | 18 ++-- ...r.workflow_dispatch.main.default.slsa3.yml | 16 ++-- ...ow_dispatch.main.workflow_inputs.slsa3.yml | 16 ++-- ...b.workflow_dispatch.main.default.slsa3.yml | 6 +- ...e2e.generic.push.branch1.default.slsa3.yml | 16 ++-- .../e2e.generic.push.main.default.slsa3.yml | 14 +-- ...e2e.generic.release.main.default.slsa3.yml | 16 ++-- ...ule.main.adversarial-invalidpath.slsa3.yml | 6 +- ...main.adversarial-invalidsubjects.slsa3.yml | 6 +- ...c.schedule.main.attestation-name.slsa3.yml | 12 +-- ...2e.generic.schedule.main.default.slsa3.yml | 12 +-- ...ric.schedule.main.multi-subjects.slsa3.yml | 16 ++-- .../e2e.generic.tag.branch1.default.slsa3.yml | 16 ++-- .../e2e.generic.tag.main.assets.slsa3.yml | 16 ++-- ...orkflow_dispatch.branch1.default.slsa3.yml | 14 +-- ...c.workflow_dispatch.main.default.slsa3.yml | 14 +-- ...ow_dispatch.main.workflow_inputs.slsa3.yml | 14 +-- ...e.go.push.branch1.config-ldflags.slsa3.yml | 14 +-- ...e.main.config-ldflags-assets-tag.slsa3.yml | 2 +- ...e.main.adversarial-binary-upload.slsa3.yml | 6 +- ...ain.adversarial-build-provenance.slsa3.yml | 6 +- ....schedule.main.adversarial-build.slsa3.yml | 6 +- ....schedule.main.adversarial-invalidpath.yml | 4 +- ...ule.main.config-ldflags-main-dir.slsa3.yml | 2 +- ...ain.adversarial-asset-provenance.slsa3.yml | 12 +-- ...ow_dispatch.main.workflow_inputs.slsa3.yml | 2 +- .../workflows/scripts/e2e-verify.common.sh | 85 ++++++++++--------- .../scripts/e2e.container.default.verify.sh | 8 +- ...er-e2e.generic.tag.main.noassets.slsa3.yml | 4 +- ...c.workflow_dispatch.main.default.slsa3.yml | 4 +- ...tag.main.config-ldflags-noassets.slsa3.yml | 2 +- 33 files changed, 211 insertions(+), 210 deletions(-) 
diff --git a/.github/workflows/e2e.container.push.main.default.slsa3.yml b/.github/workflows/e2e.container.push.main.default.slsa3.yml index e545537ece..bb173e33a8 100644 --- a/.github/workflows/e2e.container.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.push.main.default.slsa3.yml @@ -32,7 +32,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-push.sh # Build the Go application into a Docker image @@ -48,13 +48,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0 - name: Authenticate Docker - uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -62,12 +62,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 id: build with: push: true 
@@ -123,12 +123,14 @@ jobs: cosign login "${IMAGE_REGISTRY}" -u "${REGISTRY_USERNAME}" -p "${REGISTRY_PASSWORD}" # TODO: use --enforce-sct # TODO: add cue policy for further validation. - COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance "${IMAGE_NAME}@${IMAGE_DIGEST}" - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + COSIGN_EXPERIMENTAL=1 cosign verify-attestation --type slsaprovenance "${IMAGE_NAME}@${IMAGE_DIGEST}" > provenance_file + echo "provenance_file=provenance" >> $GITHUB_ENV + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: CONTAINER: "${IMAGE_NAME}@${IMAGE_DIGEST}" + PROVENANCE: "{{ env.provenance_file }}" run: ./.github/workflows/scripts/e2e.container.default.verify.sh if-succeeded: @@ -136,7 +138,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -144,5 +146,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.schedule.main.default.slsa3.yml b/.github/workflows/e2e.container.schedule.main.default.slsa3.yml index 1f310a5a89..56de62d7a6 100644 
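Review bot: The provenance hand-off between the two steps is broken at three points: cosign's output is redirected to a file named `provenance_file`, but the exported variable is `provenance_file=provenance`, so the names do not match; `PROVENANCE: "{{ env.provenance_file }}"` lacks the `${{ ... }}` expression syntax and reaches the script as the literal text `{{ env.provenance_file }}`; and `$GITHUB_ENV` is unquoted. Something like `echo "provenance_file=provenance_file" >> "$GITHUB_ENV"` together with `PROVENANCE: ${{ env.provenance_file }}` fixes it, and the same expression syntax is needed for `CONTAINER: "${IMAGE_NAME}@${IMAGE_DIGEST}"`, which is likewise not expanded inside `env:`. Note also that redirecting stdout hides the `cosign verify-attestation` result from the job log, and if the image carries more than one attestation the file will contain several JSON lines, so `jq -r '.payload'` in the verify script would emit several payloads.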
--- a/.github/workflows/e2e.container.schedule.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.schedule.main.default.slsa3.yml @@ -36,13 +36,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0 - name: Authenticate Docker - uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -50,12 +50,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 id: build with: push: true @@ -119,7 +119,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -127,5 +127,5 @@ jobs: needs: [build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.tag.main.default.slsa3.yml b/.github/workflows/e2e.container.tag.main.default.slsa3.yml index 9de7fc49e7..4de61a2b0a 100644 --- a/.github/workflows/e2e.container.tag.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.tag.main.default.slsa3.yml @@ -34,7 +34,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-create-release.sh shim: @@ -43,7 +43,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh 
@@ -61,13 +61,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0 - name: Authenticate Docker - uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -75,12 +75,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 id: build with: push: true @@ -144,7 +144,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -152,5 +152,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml index 43efabfa94..8dc26f06da 100644 --- a/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml @@ -30,7 +30,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh # Build the Go application into a Docker image @@ -46,13 +46,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0 - name: Authenticate Docker - uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} 
@@ -60,12 +60,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 id: build with: push: true @@ -129,7 +129,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -137,5 +137,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml index 60f76e2424..a685731232 100644 --- a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml +++ b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml 
@@ -35,7 +35,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh # Build the Go application into a Docker image @@ -51,13 +51,13 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # v2.0.0 + uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2.0.0 - name: Authenticate Docker - uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # v2.0.0 + uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 with: registry: ${{ env.IMAGE_REGISTRY }} username: ${{ github.actor }} @@ -65,12 +65,12 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # v4.0.1 + uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 with: images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} - name: Build and push Docker image - uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # v3.0.0 + uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 id: build with: push: true 
@@ -134,7 +134,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -142,5 +142,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.gcb.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.gcb.workflow_dispatch.main.default.slsa3.yml index bc1ae952cd..b8929592d6 100644 --- a/.github/workflows/e2e.gcb.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.gcb.workflow_dispatch.main.default.slsa3.yml @@ -26,7 +26,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh # Trigger the GCB build @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout the repository - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2.3.4 + uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v2.3.4 - id: 'auth' name: 'Authenticate to Google Cloud' uses: 'google-github-actions/auth@v0' 
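Review bot: The `tag=` annotation is added only on steps that are already SHA-pinned, while the same hunk keeps a floating ref in `uses: 'google-github-actions/auth@v0'`, and the Bazelisk hunks of the e2e.generic.* workflows (the push.branch1, push.main, release.main, schedule.*, tag.* and workflow_dispatch.branch1 sections further down) keep `uses: actions/checkout@v3` unannotated and unpinned. If the `tag=` form is what a pin-update tool keys on — I am inferring its purpose from the change — those are exactly the lines it will not track, and a mutable tag can resolve to different action code between runs, which matters in a workflow that mints provenance and authenticates to a cloud identity pool. The verify jobs also reference `actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741` with no version comment, so the SHA cannot be mapped back to a release by a reader or a tool. Consider pinning `auth` and `checkout` to a commit and annotating them the same way, e.g. `uses: actions/checkout@<commit-sha> # tag=<release-version>`, and adding the comment to download-artifact. The enclosing `jobs:` entries start outside these hunks.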
@@ -50,7 +50,7 @@ jobs: workload_identity_provider: 'projects/819720953812/locations/global/workloadIdentityPools/example-package-pool/providers/example-package-provider' service_account: 'example-package-user@slsa-tooling.iam.gserviceaccount.com' - name: 'Set up Cloud SDK' - uses: 'google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb' # v0.6.0 + uses: 'google-github-actions/setup-gcloud@877d4953d2c70a0ba7ef3290ae968eb24af233bb' # tag=v0.6.0 - name: Trigger build via manual invocation id: build run: | diff --git a/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml index eb0d81c19b..8849c64d67 100644 --- a/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.push.branch1.default.slsa3.yml @@ -19,7 +19,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-push.sh shim: @@ -28,7 +28,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: | set -euo pipefail @@ -52,7 +52,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact 
@@ -62,7 +62,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -94,14 +94,14 @@ jobs: runs-on: ubuntu-latest if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -114,7 +114,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -122,5 +122,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.push.main.default.slsa3.yml b/.github/workflows/e2e.generic.push.main.default.slsa3.yml index 3f496d1361..3bf764aec8 100644 --- a/.github/workflows/e2e.generic.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.push.main.default.slsa3.yml @@ -19,7 +19,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-push.sh build: @@ -32,7 +32,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact @@ -42,7 +42,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} 
@@ -74,14 +74,14 @@ jobs: needs: [build, provenance] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -94,7 +94,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -102,5 +102,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.release.main.default.slsa3.yml b/.github/workflows/e2e.generic.release.main.default.slsa3.yml index cf7fa347b0..ea4f4711db 100644 --- a/.github/workflows/e2e.generic.release.main.default.slsa3.yml 
+++ b/.github/workflows/e2e.generic.release.main.default.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -33,7 +33,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -48,7 +48,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact @@ -58,7 +58,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} 
@@ -90,14 +90,14 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -110,7 +110,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -118,5 +118,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'release' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml index 1d91a6f639..a36c572a2e 100644 --- a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml @@ -59,7 +59,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed-provenance: @@ -67,7 +67,7 @@ jobs: needs: [build, provenance] if: always() && needs.build.result == 'success' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-succeeded-provenance: @@ -75,5 +75,5 @@ jobs: needs: [build, provenance] if: always() && needs.build.result == 'success' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml index 220cc3fc9a..2af54d45e0 100644 --- a/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml 
@@ -57,7 +57,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed-provenance: @@ -65,7 +65,7 @@ jobs: needs: [build, provenance] if: always() && needs.build.result == 'success' && needs.provenance.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-succeeded-provenance: @@ -73,5 +73,5 @@ jobs: needs: [build, provenance] if: always() && needs.build.result == 'success' && needs.provenance.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml index 9978884277..98b9bf1aab 100644 --- a/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact 
@@ -30,7 +30,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -62,7 +62,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - name: Download binary uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: @@ -72,7 +72,7 @@ jobs: with: name: ${{ needs.provenance.outputs.attestation-name }} - name: Setup Go - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - name: Verify attestation name @@ -92,7 +92,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -100,5 +100,5 @@ jobs: needs: [build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh 
diff --git a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml index d541257621..8a149f1ab2 100644 --- a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml @@ -20,7 +20,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact @@ -30,7 +30,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -61,7 +61,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - name: Download binary uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: @@ -71,7 +71,7 @@ jobs: with: name: ${{ needs.provenance.outputs.attestation-name }} - name: Setup Go - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - name: Verify provenance 
@@ -85,7 +85,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -93,5 +93,5 @@ jobs: needs: [build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml index 0e54026d5e..0b549c6d9c 100644 --- a/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml @@ -59,7 +59,7 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - name: Download binary uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: @@ -69,7 +69,7 @@ jobs: with: name: ${{ needs.provenance.outputs.attestation-name }} - name: Setup Go - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" # Note: the 3 artifacts share the same provenance file. 
@@ -94,7 +94,7 @@ jobs: needs: [build, provenance, verify] if: needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -102,7 +102,7 @@ jobs: needs: [build, provenance, verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh no-verify: @@ -110,13 +110,13 @@ jobs: needs: [build, provenance] steps: - name: Checkout code - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - name: Download provenance uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - name: Setup Go - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - name: Alter artifacts @@ -134,7 +134,7 @@ jobs: needs: [build, provenance, no-verify] if: always() && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.no-verify.result == 'success') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh if-failed-no: 
@@ -142,5 +142,5 @@ jobs: needs: [build, provenance, no-verify] if: always() && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh diff --git a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml index 79e02d9f6d..5543389625 100644 --- a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml @@ -24,7 +24,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -35,7 +35,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -50,7 +50,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact 
@@ -60,7 +60,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -92,14 +92,14 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -112,7 +112,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -120,5 +120,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml b/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml index 833bee9247..036db4fc9c 100644 --- a/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.main.assets.slsa3.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: create run: ./.github/workflows/scripts/e2e-create-release.sh @@ -31,7 +31,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: ./.github/workflows/scripts/e2e-verify-release.sh @@ -46,7 +46,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact 
@@ -56,7 +56,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -89,14 +89,14 @@ jobs: needs: [shim, build, provenance] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -109,7 +109,7 @@ jobs: needs: [shim, build, provenance, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -117,5 +117,5 @@ jobs: needs: [shim, build, provenance, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml index 6a4c100336..dd187fd66e 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml @@ -20,7 +20,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -33,7 +33,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact @@ -43,7 +43,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} 
@@ -75,14 +75,14 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -95,7 +95,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -103,5 +103,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml index b962321507..390d603ddd 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml 
@@ -17,7 +17,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -30,7 +30,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact @@ -40,7 +40,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -72,14 +72,14 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: 
@@ -92,7 +92,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: @@ -100,5 +100,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml index cd0057b373..2bc7791bee 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml @@ -22,7 +22,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-dispatch.sh build: @@ -35,7 +35,7 @@ jobs: - name: Checkout code uses: actions/checkout@v3 - name: Setup Bazelisk - uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0 + uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0 with: bazelisk-version: "1.11" - name: Build artifact 
@@ -45,7 +45,7 @@ jobs: cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root echo "::set-output name=binary-name::hello" - name: Upload binary - uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1 + uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1 with: name: ${{ steps.build.outputs.binary-name }} path: ${{ steps.build.outputs.binary-name }} @@ -77,14 +77,14 @@ jobs: needs: [build, provenance] if: github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.provenance.outputs.attestation-name }} - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -97,7 +97,7 @@ jobs: needs: [build, provenance, verify] if: github.event_name == 'workflow_dispatch' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-success.sh if-failed: 
@@ -105,5 +105,5 @@ jobs: needs: [build, provenance, verify] if: always() && github.event_name == 'workflow_dispatch' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: ./.github/workflows/scripts/e2e-report-failure.sh diff --git a/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml b/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml index 845f3f1e27..36780e174e 100644 --- a/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml +++ b/.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml @@ -21,7 +21,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail @@ -33,7 +33,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: | set -euo pipefail @@ -54,7 +54,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 with: fetch-depth: 0 - id: ldflags 
@@ -94,14 +94,14 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: @@ -117,7 +117,7 @@ jobs: needs: [shim, build, verify] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && needs.build.result == 'success' && needs.verify.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail @@ -128,7 +128,7 @@ jobs: needs: [shim, build, verify] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.event.head_commit.message == github.workflow && (needs.build.result == 'failure' || needs.verify.result == 'failure') steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml index 670a3a8262..1e2c9d4a53 100644 --- a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml 
+++ b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml @@ -51,7 +51,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 with: fetch-depth: 0 - id: ldflags diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml index aa5e2c20f9..3242e86ad8 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml @@ -16,7 +16,7 @@ jobs: binary-upload-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: ./.github/actions/tamper-artifact-new with: artifact-prefix: slsa-builder-go-linux-amd64 @@ -48,7 +48,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail @@ -60,7 +60,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml index 3c3363304a..e3d1e46278 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml 
@@ -16,7 +16,7 @@ jobs: build-provenance-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: ./.github/actions/tamper-artifact-new with: # Note: pretty hard to time correctly in practice. Often times the build part will fail instead. @@ -49,7 +49,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail @@ -61,7 +61,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml b/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml index 2aae317bcf..f8d0864827 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml @@ -16,7 +16,7 @@ jobs: build-tamper: runs-on: ubuntu-latest steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 # Note: build-dry and build should fail. It's hard to tell which failed, # but they both should. It's good enough to verify that the re-usable workflow always fails. - uses: ./.github/actions/tamper-artifact-new @@ -49,7 +49,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail 
@@ -61,7 +61,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml b/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml index 46f8e99d62..f8b8e53e02 100644 --- a/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml +++ b/.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml @@ -36,7 +36,7 @@ jobs: needs: [build] if: needs.build.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail @@ -47,7 +47,7 @@ jobs: needs: [build] if: always() && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml index de1a7f759c..687945566f 100644 --- a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml @@ -23,7 +23,7 @@ jobs: main: ${{ steps.ldflags.outputs.main }} steps: - id: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 with: fetch-depth: 0 - id: ldflags diff --git a/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml b/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml index 94e3990f3c..f6b7e79cee 100644 
--- a/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml @@ -23,7 +23,7 @@ jobs: permissions: contents: write steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: create run: | set -euo pipefail @@ -36,7 +36,7 @@ jobs: outputs: continue: ${{ steps.verify.outputs.continue }} steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - id: verify run: | set -euo pipefail @@ -48,7 +48,7 @@ jobs: if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' runs-on: ubuntu-latest steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - uses: ./.github/actions/tamper-artifact-new with: artifact: binary-linux-amd64.intoto.jsonl @@ -66,7 +66,7 @@ jobs: branch: ${{ steps.ldflags.outputs.branch }} steps: - id: checkout - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 with: fetch-depth: 0 - id: ldflags @@ -106,7 +106,7 @@ jobs: needs: [shim, build] if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail 
@@ -117,7 +117,7 @@ jobs: needs: [shim, build] if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'failure' steps: - - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.4.0 + - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.4.0 - run: | set -euo pipefail diff --git a/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml index a0b0a37be8..8bf413a9d8 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml @@ -53,7 +53,7 @@ jobs: - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # tag=v3.0.0 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # v2.2.0 + - uses: actions/setup-go@f6164bd8c8acb4a71fb2791a8b6c4024ff038dab # tag=v2.2.0 with: go-version: "1.18" - env: diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh index eccc0b1be4..7fd05dbb8d 100755 --- a/.github/workflows/scripts/e2e-verify.common.sh +++ b/.github/workflows/scripts/e2e-verify.common.sh 
@@ -77,19 +77,21 @@ verify_provenance_authenticity() { local verifier="$1" local tag="$2" local annotated_tags + local build_type annotated_tags=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep annotated || true) + build_type=$(echo "$THIS_FILE" | cut -d '.' -f2) verifierCmd="$verifier" # After version 1.3.0, we split into subcommands for artifacts and images if [[ "$tag" == HEAD ]] || version_gt "$tag" "v1.3.0"; then - if [[ -n $BINARY ]]; then - verifierCmd="$verifier verify-artifact" - elif [[ -n $CONTAINER ]]; then + if [[ "$build_type" == "container" || "$build_type" == "gcb" ]]; then verifierCmd="$verifier verify-image" + else + verifierCmd="$verifier verify-artifact" fi fi # This transforms the argument name depending on the verifier tag. - read -ra argr <<<"$(e2e_verifier_arg_transformer "$tag")" + argr="$(e2e_verifier_arg_transformer "$tag")" read -ra sourceArg <<<"$($argr "source")" read -ra tagArg <<<"$($argr "tag")" read -ra branchArg <<<"$($argr "branch")" @@ -97,8 +99,8 @@ verify_provenance_authenticity() { read -ra workflowInputArg <<<"$($argr "workflow-input")" # Only versions 1.3.0+ of the verifier can verify containers. - if [[ -n $CONTAINER ]] && version_lt "$tag" "v1.3.0"; then - echo " INFO: container verification at $tag: skipping due to lack of support" + if [[ "$build_type" == "container" || "$build_type" == "gcb" ]] && version_lt "$tag" "v1.3.0"; then + echo " INFO: image verification at $tag: skipping due to lack of support" return 0 fi 
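Review bot: The two version boundaries in this hunk and the `@@ -97` hunk below do not agree at exactly v1.3.0: the subcommand is chosen only when `version_gt "$tag" "v1.3.0"`, while the image skip fires only when `version_lt "$tag" "v1.3.0"`, so an image build verified against tag v1.3.0 would run `$verifier` with no subcommand and would not be skipped. Whether v1.3.0 itself already ships `verify-image` I cannot tell from here, but the skip should be the complement of the selection, e.g. `if [[ "$build_type" == "container" || "$build_type" == "gcb" ]] && [[ "$tag" != HEAD ]] && ! version_gt "$tag" "v1.3.0"; then`, or the selection should be widened to include v1.3.0 (the comments "After version 1.3.0" and "1.3.0+" disagree on the same point). The `container`/`gcb` predicate is written out here, again in the skip, and again in the artifact-args hunk below; a single `local is_image` computed next to `build_type` would keep the three in step. `verifierCmd` and `argr` are function-scope but, unlike `build_type` right above them, are not declared `local`, and `verifierCmd` relies on unquoted word-splitting where an array (`verifierCmd=("$verifier" verify-image)`, expanded as `"${verifierCmd[@]}"`) would make the intent explicit. The function's body continues outside the hunk.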
@@ -115,17 +117,16 @@ verify_provenance_authenticity() { return 0 fi - # Assemble artifact args: if $BINARY is defined, then this is an artifact, otherwise an image. - if [[ -n $BINARY ]]; then - read -ra artifactArg <<<"$($argr "artifact-path") ${BINARY}" - else + # Assemble artifact args depending on whether this is a container or binary artifact. + if [[ "$build_type" == "container" || "$build_type" == "gcb" ]]; then read -ra artifactArg <<<"${CONTAINER}" + else + read -ra artifactArg <<<"$($argr "artifact-path") ${BINARY}" fi - # Assemble the provenance args: for some containers it is attached. - # In that case, provenanceArg and $PROVENANCE are empty. - if [[ -n $PROVENANCE ]]; then - read -ra provenanceArg <<<"$($argr "provenance")" + # Assemble the provenance args: for container builds it is attached. + if [[ "$build_type" != "container" ]]; then + read -ra provenanceArg <<<"$($argr "provenance") ${PROVENANCE}" else read -ra provenanceArg <<<"" fi 
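Review bot: The provenance arguments are now assembled for every non-`container` build type without checking that `$PROVENANCE` is set, so for a `go` or `generic` run where it is empty the array ends in a bare `$($argr "provenance")` flag and the verifier fails on argument parsing rather than on verification, which makes the e2e failure misleading. A guard before the `read -ra`, such as `[[ -n "$PROVENANCE" ]] || { echo " ERROR: PROVENANCE not set for build type $build_type" >&2; return 1; }`, keeps that failure explicit. The artifact branch treats `gcb` as an image while the provenance branch treats only `container` as having attached provenance; if that asymmetry is intended (GCB provenance supplied from a file), a comment saying so would help, e.g. `# gcb builds verify an image but supply provenance from a file.`. The function's body continues on both sides of the hunk.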
@@ -136,17 +137,17 @@ verify_provenance_authenticity() { # https://github.com/slsa-framework/slsa-verifier/pull/192 if [[ "$tag" == "HEAD" ]] || version_gt "$tag" "v1.2.0"; then echo " **** Default parameters (annotated tags) *****" - $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "not main default parameters" elif [[ -z "$annotated_tags" ]]; then # Until v1.2.0, we verified the default branch as "main". if [[ "$BRANCH" == "main" ]]; then echo " **** Default parameters (main) *****" - $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "main default parameters" else echo " **** Default parameters *****" - $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "not main default parameters" fi fi 
@@ -167,42 +168,42 @@ verify_provenance_authenticity() { workflow_inputs=$(echo "$THIS_FILE" | cut -d '.' -f5 | grep workflow_inputs) if [[ -n "$workflow_inputs" ]] && version_gt "$tag" "v1.2.0"; then echo " **** Correct Workflow Inputs *****" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=true + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=true e2e_assert_eq "$?" "0" "should be workflow inputs" echo " **** Wrong Workflow Inputs *****" - $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=false + $verifierCmd "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" "${workflowInputArg[@]}" test=false e2e_assert_not_eq "$?" "0" "wrong workflow inputs" fi # Correct branch. echo " **** Correct branch *****" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_eq "$?" "0" "should be branch $BRANCH" # Wrong branch echo " **** Wrong branch *****" - $verifierCmd "${branchArg[@]}" "not-$GITHUB_REF_NAME" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${branchArg[@]}" "not-$GITHUB_REF_NAME" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" 
"0" "wrong branch" # Wrong tag echo " **** Wrong tag *****" - $verifierCmd "${tagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + $verifierCmd "${tagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong tag" - # Not that for containers with attached provenance, we will skip this test. + # Note that for containers with attached provenance, we will skip this test. # TODO: Add a malicious container test that attaches bad provenance. - if [[ -n $PROVENANCE ]]; then + if [[ "$build_type" != "container" ]]; then echo " **** Wrong payload *****" local BAD_PROV BAD_PROV="$(mktemp -t slsa-e2e.XXXXXXXX)" e2e_set_payload "$PROVENANCE" '{"foo": "bar"}' >"$BAD_PROV" - $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${provenanceArg[@]}" "$BAD_PROV" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" + read -ra badProvenanceArg <<<"$($argr "provenance") ${BAD_PROV}" + $verifierCmd "${branchOpts[@]}" "${artifactArg[@]}" "${badProvenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY" e2e_assert_not_eq "$?" "0" "wrong payload" fi if [[ "$GITHUB_REF_TYPE" == "tag" ]]; then - #TODO: try several versioned-tags and tags. local SEMVER MAJOR MINOR PATCH SEMVER="$GITHUB_REF_NAME" MAJOR=$(version_major "$SEMVER") 
@@ -221,82 +222,82 @@ verify_provenance_authenticity() {
 # Correct vM.N.P
 echo " **** Correct vM.N.P *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_eq "$?" "0" "$MAJOR.$MINOR.$PATCH versioned-tag vM.N.P ($MAJOR.$MINOR.$PATCH) should be correct"
 # Correct vM.N
 echo " **** Correct vM.N *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_eq "$?" "0" "$MAJOR.$MINOR versioned-tag vM.N ($MAJOR.$MINOR) should be correct"
 # Correct vM
 echo " **** Correct vM *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_eq "$?" "0" "$MAJOR versioned-tag vm ($MAJOR) should be correct"
 # Incorrect v(M-1)
 echo " **** Incorrect v(M-1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE versioned-tag should be incorrect"
 # Incorrect v(M-1).N
 echo " **** Incorrect v(M-1).N *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR versioned-tag should be incorrect"
 # Incorrect v(M-1).N.P
 echo " **** Incorrect v(M-1).N.P *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_LESS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_LESS_ONE.$MINOR.$PATCH versioned-tag should be incorrect"
 # Incorrect vM.(N-1)
 echo " **** Incorrect vM.(N-1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE versioned-tag should be incorrect"
 # Incorrect vM.(N-1).P
 echo " **** Incorrect vM.(N-1).P *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_LESS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_LESS_ONE.$PATCH versioned-tag should be incorrect"
 # Incorrect vM.N.(P-1)
 echo " **** Incorrect vM.N.(P-1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_LESS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_LESS_ONE versioned-tag should be incorrect"
 # Incorrect v(M+1)
 echo " **** Incorrect v(M+1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE versioned-tag should be incorrect"
 # Incorrect v(M+1).N
 echo " **** Incorrect v(M+1).N *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR versioned-tag should be incorrect"
 # Incorrect v(M+1).N.P
 echo " **** Incorrect v(M+1).N.P *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR_PLUS_ONE.$MINOR.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR_PLUS_ONE.$MINOR.$PATCH versioned-tag should be incorrect"
 # Incorrect vM.(N+1)
 echo " **** Incorrect vM.(N+1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE versioned-tag should be incorrect"
 # Incorrect vM.(N+1).P
 echo " **** Incorrect vM.(N+1).P *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR_PLUS_ONE.$PATCH" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR_PLUS_ONE.$PATCH versioned-tag should be incorrect"
 # Incorrect vM.N.(P+1)
 echo " **** Incorrect vM.N.(P+1) *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "v$MAJOR.$MINOR.$PATCH_PLUS_ONE" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "$MAJOR.$MINOR.$PATCH_PLUS_ONE versioned-tag should be incorrect"
 else
 # Wrong versioned-tag
 echo " **** Wrong versioned-tag *****"
-$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "$PROVENANCE" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
+$verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" v1.2.3 "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
 e2e_assert_not_eq "$?" "0" "wrong versioned-tag"
 fi
 }
diff --git a/.github/workflows/scripts/e2e.container.default.verify.sh b/.github/workflows/scripts/e2e.container.default.verify.sh
index 5797eef222..f8a5f347d8 100644
--- a/.github/workflows/scripts/e2e.container.default.verify.sh
+++ b/.github/workflows/scripts/e2e.container.default.verify.sh
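Review bot: The twelve "Incorrect" versioned-tag cases differ only in the tag string and the assertion message, and this commit had to edit every one of them just to drop `"$PROVENANCE"`; driving them from a list of candidate tags makes the next argument change a one-line edit and removes the chance that a single copy drifts from the others. The three "Correct" cases and the `else` branch can stay as they are, since their messages are not uniform. verify_provenance_authenticity begins outside the hunk; its closing `fi` and `}` are visible here.
```shell
# … unchanged: the three "Correct vM.N.P" / "vM.N" / "vM" cases …
local bad_vtag
for bad_vtag in \
  "v$MAJOR_LESS_ONE" "v$MAJOR_LESS_ONE.$MINOR" "v$MAJOR_LESS_ONE.$MINOR.$PATCH" \
  "v$MAJOR.$MINOR_LESS_ONE" "v$MAJOR.$MINOR_LESS_ONE.$PATCH" "v$MAJOR.$MINOR.$PATCH_LESS_ONE" \
  "v$MAJOR_PLUS_ONE" "v$MAJOR_PLUS_ONE.$MINOR" "v$MAJOR_PLUS_ONE.$MINOR.$PATCH" \
  "v$MAJOR.$MINOR_PLUS_ONE" "v$MAJOR.$MINOR_PLUS_ONE.$PATCH" "v$MAJOR.$MINOR.$PATCH_PLUS_ONE"; do
  echo " **** Incorrect $bad_vtag *****"
  $verifierCmd "${branchOpts[@]}" "${vTagArg[@]}" "$bad_vtag" "${artifactArg[@]}" "${provenanceArg[@]}" "${sourceArg[@]}" "github.com/$GITHUB_REPOSITORY"
  e2e_assert_not_eq "$?" "0" "$bad_vtag versioned-tag should be incorrect"
done
# … unchanged: else branch ("Wrong versioned-tag") and closing fi / } …
```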
@@ -30,9 +30,7 @@ echo "DEBUG: file is $THIS_FILE"
 # Verify provenance authenticity.
 e2e_run_verifier_all_releases "HEAD"
-# TODO: Add provenance content verification for containers with
-# with provenance attached on the OCI registry.
-if [[ -n $PROVENANCE ]]; then
-verify_provenance_content
-fi
+# Verify provenance content.
+verify_provenance_content
+
diff --git a/.github/workflows/verifier-e2e.generic.tag.main.noassets.slsa3.yml b/.github/workflows/verifier-e2e.generic.tag.main.noassets.slsa3.yml
index d1aaed2a70..993aa2eb09 100644
--- a/.github/workflows/verifier-e2e.generic.tag.main.noassets.slsa3.yml
+++ b/.github/workflows/verifier-e2e.generic.tag.main.noassets.slsa3.yml
@@ -23,7 +23,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
 - name: Setup Bazelisk
-uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0
+uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0
 with:
 bazelisk-version: "1.11"
 - name: Build artifact
@@ -33,7 +33,7 @@ jobs:
 cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
 echo "::set-output name=binary-name::hello"
 - name: Upload binary
-uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1
 with:
 name: ${{ steps.build.outputs.binary-name }}
 path: ${{ steps.build.outputs.binary-name }}
diff --git a/.github/workflows/verifier-e2e.generic.workflow_dispatch.main.default.slsa3.yml b/.github/workflows/verifier-e2e.generic.workflow_dispatch.main.default.slsa3.yml
index 219ae59c35..1bda8a6c0d 100644
--- a/.github/workflows/verifier-e2e.generic.workflow_dispatch.main.default.slsa3.yml
+++ b/.github/workflows/verifier-e2e.generic.workflow_dispatch.main.default.slsa3.yml
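Review bot: Dropping the `if [[ -n $PROVENANCE ]]` guard makes `verify_provenance_content` run unconditionally, but nothing in the hunk shows where `$PROVENANCE` is populated for a container whose attestation lives in the registry; if the lines above (outside the hunk) do not set it, the content checks run against an empty path and any failure will be hard to attribute. A fail-fast assertion before the call states the contract and turns a silent misconfiguration into an explicit error: `: "${PROVENANCE:?PROVENANCE must point at the downloaded attestation before content verification}"`. Presumably an earlier step downloads the attestation into that path — worth confirming against the top of the script, which is not visible here.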
@@ -17,7 +17,7 @@ jobs:
 - name: Checkout code
 uses: actions/checkout@v3
 - name: Setup Bazelisk
-uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # v2.0.0
+uses: bazelbuild/setup-bazelisk@95c9bf48d0c570bb3e28e57108f3450cd67c1a44 # tag=v2.0.0
 with:
 bazelisk-version: "1.11"
 - name: Build artifact
@@ -27,7 +27,7 @@ jobs:
 cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
 echo "::set-output name=binary-name::hello"
 - name: Upload binary
-uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # v2.3.1
+uses: actions/upload-artifact@6673cd052c4cd6fcf4b4e6e60ea986c889389535 # tag=v2.3.1
 with:
 name: ${{ steps.build.outputs.binary-name }}
 path: ${{ steps.build.outputs.binary-name }}
diff --git a/.github/workflows/verifier-e2e.go.tag.main.config-ldflags-noassets.slsa3.yml b/.github/workflows/verifier-e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
index 975b5c9e7e..701e5c4ad7 100644
--- a/.github/workflows/verifier-e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
+++ b/.github/workflows/verifier-e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
@@ -25,7 +25,7 @@ jobs:
 branch: ${{ steps.ldflags.outputs.branch }}
 steps:
 - id: checkout
-uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4
 with:
 fetch-depth: 0
 - id: ldflags
From 16e3cd7098bf8f4aa2162bd84fbe0cd23ce8f8c3 Mon Sep 17 00:00:00 2001
From: Asra Ali
Date: Fri, 16 Sep 2022 09:13:54 -0500
Subject: [PATCH 5/5] update

Signed-off-by: Asra Ali
---
 .github/workflows/scripts/e2e-verify.common.sh | 3 ++-
 .github/workflows/scripts/e2e.container.default.verify.sh | 2 --
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/scripts/e2e-verify.common.sh b/.github/workflows/scripts/e2e-verify.common.sh
index 7fd05dbb8d..7dd6bd12c0 100755
--- a/.github/workflows/scripts/e2e-verify.common.sh
+++ b/.github/workflows/scripts/e2e-verify.common.sh
@@ -192,7 +192,8 @@ verify_provenance_authenticity() {
 e2e_assert_not_eq "$?" "0" "wrong tag"
 # Note that for containers with attached provenance, we will skip this test.
-# TODO: Add a malicious container test that attaches bad provenance.
+# TODO(github.com/slsa-framework/example-package/issues/108):
+# Add a malicious container test that attaches bad provenance.
 if [[ "$build_type" != "container" ]]; then
 echo " **** Wrong payload *****"
 local BAD_PROV
diff --git a/.github/workflows/scripts/e2e.container.default.verify.sh b/.github/workflows/scripts/e2e.container.default.verify.sh
index f8a5f347d8..6b5c15f04d 100644
--- a/.github/workflows/scripts/e2e.container.default.verify.sh
+++ b/.github/workflows/scripts/e2e.container.default.verify.sh
@@ -32,5 +32,3 @@ e2e_run_verifier_all_releases "HEAD"
 # Verify provenance content.
 verify_provenance_content
-
-