forked from slsa-framework/example-package
-
Notifications
You must be signed in to change notification settings - Fork 0
70 lines (62 loc) · 2.53 KB
/
e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
on:
workflow_dispatch:
# TODO(github.com/slsa-framework/slsa-github-generator/issues/960): Fix tests
# schedule:
# - cron: "0 9 * * *"
permissions: read-all
concurrency: "e2e.go.schedule.main.adversarial-build-provenance.slsa3"
env:
GH_TOKEN: ${{ secrets.E2E_GO_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
# ISSUE_REPOSITORY: laurentsimon/slsa-on-github-test
# WARNING: update build job if CONFIG_FILE changes.
CONFIG_FILE: .github/configs-go/config-noldflags.yml
jobs:
build-provenance-tamper:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- uses: ./.github/actions/tamper-artifact-new
with:
# Note: pretty hard to time correctly in practice. Often times the build part will fail instead.
# It worked well in https://github.com/slsa-framework/example-package/runs/6379434930?check_suite_focus=true.
artifact-prefix: slsa-builder-go-linux-amd64
after: 230
duration: 50
every: 2
build:
permissions:
id-token: write # For signing.
contents: write # For asset uploads.
actions: read # For the entrypoint.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
with:
go-version: 1.18
# We cannot use ${{ env.CONFIG_FILE }} because env variables are not available.
config-file: .github/configs-go/config-noldflags.yml
compile-builder: true
# build:
# runs-on: ubuntu-latest
# steps:
# - run: |
# exit 1
if-succeeded:
runs-on: ubuntu-latest
needs: [build]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: github.event_name == 'schedule' && needs.build.result == 'success'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# The builder should fail if the builder is tampered with.
- run: ./.github/workflows/scripts/e2e-report-failure.sh
if-failed:
runs-on: ubuntu-latest
needs: [build]
# NOTE: The workflow is allowed to run for other event types but don't post
# to issues unless it's a schedule event.
if: always() && github.event_name == 'schedule' && needs.build.result == 'failure'
steps:
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
# The builder should fail if the builder is tampered with.
- run: ./.github/workflows/scripts/e2e-report-success.sh