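name: SLSA Source VSA Creator
description: Creates SLSA Source Track VSAs
# Composite action that (1) determines the SLSA Source Track level of the
# triggering commit, (2) renders an unsigned VSA with create_vsa.sh,
# (3) signs it with witness using Sigstore keyless (Fulcio) signing and
# (4) uploads both the unsigned and the signed VSA as an artifact.
#
# Caller requirements, inferred from the steps below (confirm against the
# scripts in this repository):
#   - permissions: contents: read   (actions/checkout)
#   - permissions: id-token: write  (keyless signing needs the job's OIDC token)
#   - egress to fulcio.sigstore.dev, oauth2.sigstore.dev and freetsa.org
#
# NOTE(review): every third-party action here is referenced by a mutable
# tag or branch. For an action whose output is a verification attestation,
# pin `uses:` references to full commit SHAs.
runs:
  using: "Composite"
  steps:
    - uses: actions/checkout@v4
    - id: determine_level
      # TODO: This doesn't currently work if there are no rulesets enabled. Using the tool from https://github.com/slsa-framework/slsa-source-poc/pull/6 should fix that?
      # Context values are passed through env instead of being interpolated
      # into the script. github.ref_name is attacker-influenced (branch and
      # tag names may contain `;`, `$(`, backticks, ...) and would otherwise
      # be evaluated by bash; the others are quoted for the same reason.
      env:
        ACTION_PATH: ${{ github.action_path }}
        COMMIT_SHA: ${{ github.sha }}
        REPO: ${{ github.repository }}
        REF_NAME: ${{ github.ref_name }}
      run: |
        cd "$ACTION_PATH"
        # Assigning the substitution to a variable lets `set -e` (enabled by
        # default for shell: bash) fail the step when the script fails; a
        # substitution inside `echo` only reports echo's exit status and
        # would silently publish an empty level.
        source_level=$(./determine_source_level_gh.sh "$COMMIT_SHA" "$REPO" "$REF_NAME")
        echo "source_level=${source_level}" >> "$GITHUB_OUTPUT"
      shell: bash
    - id: create_vsa
      # Run the script from the action directory so it has access to the template...
      # TODO: determine_level just wants the plain github.repository, but create_vsa wants the URL. That's not great, we should fix it.
      env:
        ACTION_PATH: ${{ github.action_path }}
        WORKSPACE: ${{ github.workspace }}
        COMMIT_SHA: ${{ github.sha }}
        REPO_URL: https://github.com/${{ github.repository }}
        REF: ${{ github.ref }}
        SOURCE_LEVEL: ${{ steps.determine_level.outputs.source_level }}
      run: |
        # Refuse to attest an unknown level rather than emit a VSA with a
        # missing positional argument (an unquoted empty expansion would
        # otherwise shift the arguments of create_vsa.sh).
        if [ -z "$SOURCE_LEVEL" ]; then
          echo "::error::determine_level produced no source_level; refusing to create a VSA"
          exit 1
        fi
        mkdir -p "$WORKSPACE/metadata"
        cd "$ACTION_PATH"
        ./create_vsa.sh "$COMMIT_SHA" "$REPO_URL" "$REF" "$SOURCE_LEVEL" > "$WORKSPACE/metadata/unsigned_vsa.json"
      shell: bash
    - id: summary
      env:
        WORKSPACE: ${{ github.workspace }}
      run: |
        echo "## Unsigned VSA" >> "$GITHUB_STEP_SUMMARY"
        cat "$WORKSPACE/metadata/unsigned_vsa.json" >> "$GITHUB_STEP_SUMMARY"
      shell: bash
    - id: install_witness
      # This is a bit of a hack, running witness happens to also install it.
      # We don't care much about what it does here, we just want the side-effect of witness being installed.
      # If this works well we might lodge some feature requests?
      # NOTE(review): `@reusable-workflow` is a branch, not a release or a
      # commit SHA, so the code that installs (and later signs with) witness
      # can change at any time without a change in this file. Pin to a full
      # commit SHA before relying on the VSAs this action produces.
      uses: testifysec/witness-run-action@reusable-workflow
      with:
        command: /bin/sh -c "echo \"hello from slsa-source-poc\""
        step: "install_witness"
    - id: sign_vsa
      # Use witness to sign that VSA...
      # Keyless signing: witness requests a short-lived certificate from the
      # public Fulcio instance. On GitHub Actions this presumably uses the
      # job's OIDC token, so the calling workflow needs `id-token: write`.
      # freetsa.org is a third-party timestamp authority outside Sigstore's
      # public-good instance; verifiers must explicitly trust its root.
      env:
        WORKSPACE: ${{ github.workspace }}
      run: |
        witness sign -f "$WORKSPACE/metadata/unsigned_vsa.json" -t "application/vnd.in-toto+json" -o "$WORKSPACE/metadata/signed_vsa.json" \
          --signer-fulcio-url https://fulcio.sigstore.dev \
          --signer-fulcio-oidc-client-id sigstore \
          --signer-fulcio-oidc-issuer https://oauth2.sigstore.dev/auth \
          --timestamp-servers https://freetsa.org/tsr
        echo "## Signed VSA" >> "$GITHUB_STEP_SUMMARY"
        cat "$WORKSPACE/metadata/signed_vsa.json" >> "$GITHUB_STEP_SUMMARY"
      shell: bash
    # Uploaded even when an earlier step failed so the unsigned VSA (if any)
    # is available for debugging.
    - uses: actions/upload-artifact@v4
      if: always()
      with:
        name: vsa_metadata
        path: ./metadata/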