E2E #78

Workflow file for this run

	---
	name: E2E

	"on":
	workflow_dispatch:
	schedule:
	- cron: '0 3 * * 0'

	permissions: {}

	jobs:
	cosign:
	name: cosign blob
	runs-on: ubuntu-latest
	steps:
	- name: install cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
	- name: install rekor
	run: \|
	set -x
	latest="$(curl -sL https://api.github.com/repos/sigstore/rekor/releases/latest \
	\| jq -r '.tag_name')"
	curl -sfJSOL "https://github.com/sigstore/rekor/releases/download/${latest}/rekor-cli-linux-amd64"
	sudo install -m755 rekor-cli-linux-amd64 /usr/local/bin/rekor-cli
	rekor-cli version
	- name: download rustracer
	run: \|
	set -x
	# dowload only
	for libc in musl gnu; do
	curl -sSf https://andros21.github.io/rustracer/install.sh \
	\| sed 's/^_verify_release$/#\0/;s/^_install_release$/#\0/' \
	\| bash -s -- ${libc}
	done
	# verify keyless signature using cosign and rekor
	# see https://github.com/sigstore/cosign/blob/b2351d3d7e47e51548b46cc16f459e3c23a42d94/FUN.md
	- name: verify rustracer blobs
	run: \|
	set -x
	oidc="https://token.actions.githubusercontent.com"
	latest="$(curl -sL https://api.github.com/repos/andros21/rustracer/releases/latest \
	\| jq -r '.tag_name')"
	id="https://github.com/andros21/rustracer/.github/workflows/cd.yml@refs/tags/${latest}"
	# verify checksum
	uuid="$(rekor-cli search --artifact "rustracer-${latest}_checksums_sha256.txt")"
	sig="$(rekor-cli get --uuid="$uuid" --format=json \
	\| jq -r .Body.HashedRekordObj.signature.content)"
	cert="$(rekor-cli get --uuid="$uuid" --format=json \
	\| jq -r .Body.HashedRekordObj.signature.publicKey.content)"
	cosign verify-blob \
	--cert <(echo "$cert" \| base64 -d) \
	--signature <(echo "$sig") \
	--certificate-identity "${id}" \
	--certificate-oidc-issuer "${oidc}" \
	"rustracer-${latest}_checksums_sha256.txt"
	# verify tar.gz
	for libc in musl gnu; do
	uuid="$(rekor-cli search --artifact "rustracer-${latest}-x86_64-unknown-linux-${libc}.tar.gz" \| tail -n1)"
	sig="$(rekor-cli get --uuid="$uuid" --format=json \
	\| jq -r .Body.HashedRekordObj.signature.content)"
	cert="$(rekor-cli get --uuid="$uuid" --format=json \
	\| jq -r .Body.HashedRekordObj.signature.publicKey.content)"
	cosign verify-blob \
	--cert <(echo "$cert" \| base64 -d) \
	--signature <(echo "$sig") \
	--certificate-identity "${id}" \
	--certificate-oidc-issuer "${oidc}" \
	"rustracer-${latest}-x86_64-unknown-linux-${libc}.tar.gz"
	done
	slsa:
	name: slsa blob
	runs-on: ubuntu-latest
	steps:
	- name: install slsa-verify
	uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0
	# verify slsa attestation using slsa-verifier
	# https://github.com/slsa-framework/slsa-verifier?tab=readme-ov-file#available-options
	- name: download rustracer
	run: \|
	set -x
	# dowload only
	for libc in musl gnu; do
	curl -sSf https://andros21.github.io/rustracer/install.sh \
	\| sed 's/^_verify_release$/#\0/;s/^_install_release$/#\0/' \
	\| bash -s -- ${libc}
	done
	- name: verify slsa blobs
	run: \|
	set -x
	latest="$(curl -sL https://api.github.com/repos/andros21/rustracer/releases/latest \
	\| jq -r '.tag_name')"
	repo="github.com/andros21/rustracer"
	for libc in musl gnu; do
	slsa-verifier verify-artifact \
	"rustracer-${latest}-x86_64-unknown-linux-${libc}.tar.gz" \
	--provenance-path multiple.intoto.jsonl \
	--source-uri ${repo} \
	--source-tag "${latest}"
	done
	openssl:
	name: openssl blob
	runs-on: ubuntu-latest
	strategy:
	matrix:
	libc: ["musl", "gnu"]
	steps:
	# verify using openssl and release artifacts
	- name: install rustracer
	run: \|
	set -x
	curl -sSf https://andros21.github.io/rustracer/install.sh \
	\| bash -s -- ${{ matrix.libc }}
	- name: cli rustracer
	run: \|
	"${HOME}/.local/bin/rustracer" -V
	"${HOME}/.local/bin/rustracer" -h

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

E2E #78

Workflow file

E2E #78

Jobs

Run details

Workflow file for this run