From 740d40239ecfef0cccf75a1adad301fe6b40bdab Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Wed, 18 Sep 2024 15:25:13 -0700
Subject: [PATCH] wip

Signed-off-by: Brian DeHamer
---
 .github/workflows/prober.yml | 42 +++++++++++++++++++++++++-----------
 1 file changed, 29 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/prober.yml b/.github/workflows/prober.yml
index f2cfa4f..d2efb15 100644
--- a/.github/workflows/prober.yml
+++ b/.github/workflows/prober.yml
@@ -5,6 +5,20 @@ on:
     inputs:
       sigstore:
         description: 'Which Sigstore instance to use for signing'
+        default: 'public-good'
+        required: false
+        type: string
+    secrets:
+      trust-domain:
+        description: 'Trust domain in which the test is executed'
+        required: true
+        type: string
+      service:
+        description: 'Service against which status should be reported'
+        required: true
+        type: string
+      team:
+        description: 'Team associated with status report'
         required: true
         type: string
 
@@ -16,6 +30,8 @@ jobs:
       id-token: write
 
     steps:
+      - uses: hmarr/debug-action@v2
+
       - name: Request OIDC Token
         run: |
           curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@@ -28,6 +44,11 @@ jobs:
         run: |
           date > artifact
 
+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: "artifact"
+
       - name: Attest build provenance
         uses: actions/attest-build-provenance@v1
         env:
@@ -41,11 +62,6 @@ jobs:
         run: |
           gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
 
-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        with:
-          path: "artifact"
-
       - name: Report attestation prober success
         if: ${{ success() }}
         uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
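Review bot: The three `secrets:` entries added under `workflow_call` (`trust-domain`, `service`, `team`) each carry `type: string`, but the workflow_call secrets schema only defines `description` and `required`; `type` belongs to `inputs`, and an unexpected key there is expected to fail workflow validation, so those three `type: string` lines should be dropped. The two trailing context lines `required: true` / `type: string` that used to sit under `sigstore:` now belong to `team:`, which the diff makes easy to misread; worth confirming the resulting indentation is what was intended. The enclosing `workflow_call` block starts outside the hunk.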
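Review bot: `- uses: hmarr/debug-action@v2` is pinned to a mutable tag, whereas the other third-party action in this file (`masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1`, last line of the file's final hunk here) is pinned to a commit SHA; in a job that holds `id-token: write` and receives caller-supplied secrets, a tag-pinned third-party action is the weakest link, so either remove the step or pin it as `- uses: hmarr/debug-action@<commit-sha> # v2`. The step is also unconditional, so an action whose purpose is to print the event context and environment runs on every production probe, not only while this `wip` change is being debugged; if it is a debugging aid it should not land in the final commit. The `steps:` list continues outside the hunk.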
@@ -56,12 +72,12 @@ jobs:
           status: 0
           host_name: github.com
           tags:
-            - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-            - "service:${{ secrets.CATALOG_SERVICE }}"
-            - "stamp:${{ secrets.STAMP }}"
+            - "catalog_service:${{ secrets.service }}"
+            - "service:${{ secrets.service }}"
+            - "stamp:${{ secrets.trust-domain }}"
             - "env:production"
             - "repo:${{ github.repository }}"
-            - "team:${{ secrets.TEAM }}"
+            - "team:${{ secrets.team }}"
             - "sigstore:${{ inputs.sigstore }}"
 
       - name: Report attestation prober failure
@@ -75,10 +91,10 @@ jobs:
           status: 2
           host_name: github.com
           tags:
-            - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-            - "service:${{ secrets.CATALOG_SERVICE }}"
-            - "stamp:${{ secrets.STAMP }}"
+            - "catalog_service:${{ secrets.service }}"
+            - "service:${{ secrets.service }}"
+            - "stamp:${{ secrets.trust-domain }}"
             - "env:production"
             - "repo:${{ github.repository }}"
-            - "team:${{ secrets.TEAM }}"
+            - "team:${{ secrets.team }}"
             - "sigstore:${{ inputs.sigstore }}"
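Review bot: The `stamp:` tag now carries `secrets.trust-domain`, so the Datadog tag key and the secret it is filled from no longer agree; either rename the tag to match (`- "trust_domain:${{ secrets.trust-domain }}"`) or keep a stamp-named secret, otherwise the next reader has to guess which side is wrong. The same tag list appears unchanged in the failure step (hunk `@@ -75,10 +91,10 @@`), so this rename had to be applied twice; lifting the tags into one job-level `env:` value that both `with:` blocks reference would remove the duplication. Values read from the `secrets` context are masked wherever they appear in the job log, so if `service` and `team` are not actually sensitive, passing them as `inputs` would keep diagnostic output legible; this is an assumption about their sensitivity, to be confirmed with the caller. The enclosing `Report attestation prober success` step starts outside the hunk.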