test workflows

Signed-off-by: Ramon Petgrave <[email protected]>
slsa-framework · Aug 12, 2024 · 0387907 · 0387907
1 parent cd497c4
commit 0387907
Show file tree

Hide file tree

Showing 3 changed files with 54 additions and 22 deletions.
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
@@ -319,20 +319,18 @@ jobs:
       go-provenance-name: ${{ steps.sign-prov.outputs.signed-provenance-name }}
       go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
     steps:
-      - name: Checkout builder repository
-        uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
+      - name: Generate builder
+        id: generate-builder
+        continue-on-error: true
+        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@main
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          path: __BUILDER_CHECKOUT_DIR__
-
-      - name: Download builder
-        uses: ./__BUILDER_CHECKOUT_DIR__/.github/actions/secure-download-artifact
-        with:
-          name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
-          path: "${{ env.BUILDER_BINARY }}"
-          sha256: "${{ needs.builder.outputs.go-builder-sha256 }}"
-          set-executable: true
+          go-version: "1.22"
+          binary: "${{ env.BUILDER_BINARY }}"
+          compile-builder: "true"
+          directory: "${{ env.BUILDER_DIR }}"
+          allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Create and sign provenance
         id: sign-prov

diff --git a/.github/workflows/debug.generic-generator.yml b/.github/workflows/debug.generic-generator.yml
@@ -25,7 +25,7 @@ env:
   GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
-  build:
+  generic-build:
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
@@ -61,21 +61,21 @@ jobs:
           if-no-files-found: error
           retention-days: 5
 
-  provenance:
-    needs: build
+  generic-provenance:
+    needs: generic-build
     permissions:
       id-token: write # For signing.
       contents: write # For asset uploads.
       actions: read # For reading workflow info.
     uses: ./.github/workflows/generator_generic_slsa3.yml
     with:
-      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      base64-subjects: "${{ needs.generic-build.outputs.hashes }}"
       compile-generator: true
-      provenance-name: build.intoto.jsonl
+      provenance-name: generic-build.intoto.jsonl
       upload-assets: true
 
-  verify:
-    needs: provenance
+  generic-verify:
+    needs: generic-provenance
     runs-on: ubuntu-latest
     steps:
       - name: Download artifact1
@@ -89,7 +89,7 @@ jobs:
       - name: Download provenance
         uses: actions/download-artifact@v4
         with:
-          name: build.intoto.jsonl
+          name: "${{ needs.generic-provenance.outputs.provenance-name }}"
       - uses: actions/setup-go@v5
         with:
           go-version: 1.22
@@ -99,7 +99,41 @@ jobs:
         run: |
           SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
             artifact1 artifact2 \
-            --provenance-path build.intoto.jsonl \
+            --provenance-path generic-build.intoto.jsonl \
             --source-uri github.com/slsa-framework/slsa-github-generator \
             --source-branch ramonpetgrave64-internal-builder-sigstore-bundle \
             --print-provenance
+
+  go-build:
+    uses: ./.github/workflows/builder_go_slsa3.yml
+    with:
+      go-version: 1.22
+
+  go-verify:
+    needs: generic-provenance
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: "${{ needs.go-build.outputs.go-binary-name }}"
+      - name: Download provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: "${{ needs.go-build.outputs.go-provenance-name }}"
+      - uses: actions/setup-go@v5
+        with:
+          go-version: 1.22
+      - name: Setup slsa-verifier
+        run: go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@verify-sigstore-go-Bundlev2
+      - name: Verify
+        env:
+          ARTIFACT: "${{ needs.go-build.outputs.go-provenance-name }}"
+          PROVENANCE: "${{ needs.go-build.outputs.go-provenance-name }}"
+        run: |
+          SLSA_VERIFIER_TESTING=1 slsa-verifier verify-artifact \
+            "$ARTIFACT" \
+            --provenance-path "$PROVENANCE" \
+            --source-uri github.com/slsa-framework/slsa-github-generator \
+            --source-branch ramonpetgrave64-internal-builder-sigstore-bundle \
+            --print-provenance
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -96,7 +96,7 @@ on:
         value: ${{ jobs.upload-assets.outputs.release-id }}
       provenance-name:
         description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
-        value: ${{ jobs.generator.outputs.provenance-name }}
+        value: provenance-name
       # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
       # if `continue-on-error` is set to `true`.
       outcome:
@@ -160,7 +160,7 @@ jobs:
         with:
           repository: "${{ needs.detect-env.outputs.repository }}"
           ref: "${{ needs.detect-env.outputs.ref }}"
-          go-version: "1.21"
+          go-version: "1.22"
           binary: "${{ env.BUILDER_BINARY }}"
           compile-builder: "${{ inputs.compile-generator }}"
           directory: "${{ env.BUILDER_DIR }}"