Signed-off-by: Brian DeHamer <bdehamer@github.com>
Brian DeHamer 2024-09-18 15:25:13 -07:00
parent 4c42c37b1b
commit 740d40239e
No known key found for this signature in database


@ -5,6 +5,20 @@ on:
inputs: inputs:
sigstore: sigstore:
description: 'Which Sigstore instance to use for signing' description: 'Which Sigstore instance to use for signing'
default: 'public-good'
required: false
type: string
secrets:
trust-domain:
description: 'Trust domain in which the test is executed'
required: true
type: string
service:
description: 'Service against which status should be reported'
required: true
type: string
team:
description: 'Team associated with status report'
required: true required: true
type: string type: string
@ -16,6 +30,8 @@ jobs:
id-token: write id-token: write
steps: steps:
- uses: hmarr/debug-action@v2
- name: Request OIDC Token - name: Request OIDC Token
run: | run: |
curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \ curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@ -28,6 +44,11 @@ jobs:
run: | run: |
date > artifact date > artifact
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Attest build provenance - name: Attest build provenance
uses: actions/attest-build-provenance@v1 uses: actions/attest-build-provenance@v1
env: env:
@ -41,11 +62,6 @@ jobs:
run: | run: |
gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER" gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"
- name: Upload build artifact
uses: actions/upload-artifact@v4
with:
path: "artifact"
- name: Report attestation prober success - name: Report attestation prober success
if: ${{ success() }} if: ${{ success() }}
uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1 uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
@ -56,12 +72,12 @@ jobs:
status: 0 status: 0
host_name: github.com host_name: github.com
tags: tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}" - "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.CATALOG_SERVICE }}" - "service:${{ secrets.service }}"
- "stamp:${{ secrets.STAMP }}" - "stamp:${{ secrets.trust-domain }}"
- "env:production" - "env:production"
- "repo:${{ github.repository }}" - "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}" - "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}" - "sigstore:${{ inputs.sigstore }}"
- name: Report attestation prober failure - name: Report attestation prober failure
@ -75,10 +91,10 @@ jobs:
status: 2 status: 2
host_name: github.com host_name: github.com
tags: tags:
- "catalog_service:${{ secrets.CATALOG_SERVICE }}" - "catalog_service:${{ secrets.service }}"
- "service:${{ secrets.CATALOG_SERVICE }}" - "service:${{ secrets.service }}"
- "stamp:${{ secrets.STAMP }}" - "stamp:${{ secrets.trust-domain }}"
- "env:production" - "env:production"
- "repo:${{ github.repository }}" - "repo:${{ github.repository }}"
- "team:${{ secrets.TEAM }}" - "team:${{ secrets.team }}"
- "sigstore:${{ inputs.sigstore }}" - "sigstore:${{ inputs.sigstore }}"
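Review bot: The new `- uses: hmarr/debug-action@v2` step in the second hunk pulls a third-party action by a mutable tag into a workflow that now receives `trust-domain`, `service` and `team` via `secrets:` and requests an OIDC token, while the same file already pins `masci/datadog` to a full commit SHA with a version comment; it should either be removed before the prober runs under the `env:production` tag or be pinned the same way, e.g. `- uses: hmarr/debug-action@<full-commit-sha> # v2`. That action's purpose appears to be dumping the runner's contexts and environment into the job log, so if it is a leftover from debugging the secret rename in the last two hunks, dropping it is the smaller change. Separately, the `type: string` entries under `on.workflow_call.secrets` in the first hunk are, as far as I know, only accepted for `inputs` (a `secrets.<id>` entry takes `description` and `required`), so they may fail workflow validation and should be removed. The `on:` block and the job definitions start outside these hunks.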