Update GitHub Artifact Actions to v4 #144
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: calculator-cli | |
on: | |
push: | |
workflow_dispatch: | |
permissions: {} | |
env: | |
SLSA_VERIFIER_VERSION: "2.4.1" | |
jobs: | |
build-calculator: | |
runs-on: ubuntu-22.04 | |
outputs: | |
calculator-hash: ${{ steps.calculator-hash.outputs.calculator-hash }} | |
steps: | |
- name: Check out repository | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Setup Go | |
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
with: | |
go-version-file: 'go.mod' | |
- name: Install syft & grype | |
uses: ./.github/actions/install_syft_grype | |
with: | |
syftVersion: "0.98.0" | |
grypeVersion: "0.73.3" | |
- name: Build Calculator | |
run: | | |
make build-cli | |
syft calculator \ | |
-o spdx-json=calculator.spdx.json | |
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 | |
with: | |
name: calculator | |
path: calculator | |
- uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 | |
with: | |
name: calculator.spdx.json | |
path: calculator.spdx.json | |
- name: Compute calculator hash | |
id: calculator-hash | |
run: | | |
CALCULATOR_HASH=$(sha256sum calculator calculator.spdx.json | base64 -w0) | |
echo calculator-hash=${CALCULATOR_HASH} >> $GITHUB_OUTPUT | |
provenance: | |
permissions: | |
actions: read | |
contents: write | |
id-token: write | |
needs: | |
- build-calculator | |
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
with: | |
base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}" | |
provenance-name: calculator.intoto.jsonl | |
provenance-verify: | |
runs-on: ubuntu-22.04 | |
needs: | |
- build-calculator | |
- provenance | |
steps: | |
- name: Download calculator binary | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: calculator | |
- name: Download provenance | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-name }} | |
- name: Install slsa-verifier | |
run: | | |
curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64 | |
install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier | |
- name: Verify provenance | |
run: | | |
slsa-verifier verify-artifact calculator \ | |
--provenance-path calculator.intoto.jsonl \ | |
--source-uri github.com/datosh-org/most-secure-calculator | |
release: | |
runs-on: ubuntu-22.04 | |
permissions: | |
contents: write | |
needs: | |
- build-calculator | |
- provenance | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- name: Download calculator binary | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: calculator | |
- name: Download SBOM | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: calculator.spdx.json | |
- name: Download provenance | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-name }} | |
- name: Release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
draft: true | |
artifacts: "calculator,calculator.spdx.json,calculator.intoto.jsonl" |