wip

Signed-off-by: Brian DeHamer <bdehamer@github.com>
2024-09-18 15:25:13 -07:00 · 2024-09-18 15:25:13 -07:00 · 740d40239e
commit 740d40239e
parent 4c42c37b1b
1 changed files with 29 additions and 13 deletions
--- a/.github/workflows/prober.yml
+++ b/.github/workflows/prober.yml
@ -5,6 +5,20 @@ on:
    inputs:
      sigstore:
        description: 'Which Sigstore instance to use for signing'
+        default: 'public-good'
+        required: false
+        type: string
+    secrets:
+      trust-domain:
+        description: 'Trust domain in which the test is executed'
+        required: true
+        type: string
+      service:
+        description: 'Service against which status should be reported'
+        required: true
+        type: string
+      team:
+        description: 'Team associated with status report'
        required: true
        type: string

@ -16,6 +30,8 @@ jobs:
      id-token: write

    steps:
+      - uses: hmarr/debug-action@v2
+
      - name: Request OIDC Token
        run: |
          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
@ -28,6 +44,11 @@ jobs:
        run: |
          date > artifact

+      - name: Upload build artifact
+        uses: actions/upload-artifact@v4
+        with:
+          path: "artifact"
+
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        env:
@ -41,11 +62,6 @@ jobs:
        run: |
          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"

-      - name: Upload build artifact
-        uses: actions/upload-artifact@v4
-        with:
-          path: "artifact"
-
      - name: Report attestation prober success
        if: ${{ success() }}
        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
@ -56,12 +72,12 @@ jobs:
              status: 0
              host_name: github.com
              tags:
-                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-                - "service:${{ secrets.CATALOG_SERVICE }}"
-                - "stamp:${{ secrets.STAMP }}"
+                - "catalog_service:${{ secrets.service }}"
+                - "service:${{ secrets.service }}"
+                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
-                - "team:${{ secrets.TEAM }}"
+                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"

      - name: Report attestation prober failure
@ -75,10 +91,10 @@ jobs:
              status: 2
              host_name: github.com
              tags:
-                - "catalog_service:${{ secrets.CATALOG_SERVICE }}"
-                - "service:${{ secrets.CATALOG_SERVICE }}"
-                - "stamp:${{ secrets.STAMP }}"
+                - "catalog_service:${{ secrets.service }}"
+                - "service:${{ secrets.service }}"
+                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
-                - "team:${{ secrets.TEAM }}"
+                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"