.github/workflows/test.yml

name: Test CI

on:
  workflow_run: 
    workflows: [ 'Build CI' ]
    types: [completed]
    
env:
  MY_SECRET: ${{ secrets.MY_SECRET }}
  GITHUB_PAT: ${{ secrets.GH_PAT }}


jobs:
  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: Alive
        run: |
          echo "I am alive"

      # By default, checks out base code (not PR code)
      - name: Checkout repository
        uses: actions/checkout@v4

      #- name: Echoing runtests.sh after downloading artifact
      #  run: |
      #    ls -lR
      #    echo cat runtests.sh
      #    cat runtests.sh
          
      - name: 'Download artifact'
        uses: actions/github-script@v6
        with:
          script: |
            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
               run_id: context.payload.workflow_run.id,
            });
            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
              return artifact.name == "archive-bin"
            })[0];
            let download = await github.rest.actions.downloadArtifact({
               owner: context.repo.owner,
               repo: context.repo.repo,
               artifact_id: matchArtifact.id,
               archive_format: 'zip',
            });
            let fs = require('fs');
            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/myartifact.zip`, Buffer.from(download.data));

      - name: 'Unzip artifact'
        run: |
          pwd
          unzip -o myartifact.zip
          echo "XXXXXXXXXXXXXXXXXXXXXXX"
          cat att.id

      - name: Calc SHA for bin and unzippin artifact to get the zip
        run: |
          #!/usr/bin/env bash
          pwd
          ls -l
          unzip -o myartifact.zip -d bin
          ls -l
          #sha256sum <(find . -type f -exec sha256sum {} \; | sort)
          SHA_SUM=$(sha256sum ./JavaVulnerableLab.war| cut -f1 -d ' ')
          echo $SHA_SUM

      - name: 'Verifying the attestation'
        run: |
          #!/usr/bin/bash
          echo " "
          echo "-------"
          echo "Calculating sha256sum for binary $ARTIFACTS_LOCATION/$BIN_FILE) ..."
          ATT_ID=$(cat att.id)
          echo "CCCCCCCCCCCCCCCCCCCCCCCCC"
          echo ATT_ID=$ATT_ID

          
          echo Downloading SALT ....
          curl -sLO https://get.xygeni.io/latest/salt/salt.zip
          unzip salt.zip -d ./salt_pro
          shopt -s expand_aliases
          alias salt=$PWD/salt_pro/xygeni_salt/salt


          #pwd
          #ls -l
          SHA_SUM=$(sha256sum ./JavaVulnerableLab.war | cut -f1 -d ' ')
          echo $SHA_SUM
          ATT_ID=$(echo $(salt -q registry search --digest sha256:$SHA_SUM --format json) | jq -r .[-1].gitoidSha256)
          echo "ATT_ID: $ATT_ID"


          echo " "
          echo "-------"
          # Download the provenance attestation
          echo "Downloading the provenance attestation ..." 
          salt -q reg get --id=$ATT_ID --format=json > ${GITHUB_WORKSPACE}/provenance_kk.signed.json
          #cat ${GITHUB_WORKSPACE}/provenance_kk.signed.json
          
          # this is for provenance
          #WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json |base64 -d | jq -r .predicate.buildDefinition.internalParameters.environment.GITHUB_WORKFLOW_REF)
          
          # this is for attestation
          WFR=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json |base64 -d | jq -r .predicate.attestations[1].predicate.variables.GITHUB_WORKFLOW_REF)
          
          echo "WFR-------"$WFR"--------"
          echo $WFR | grep cicd_top10_3_salt\/.github\/workflows\/build.yml
          RES=$?
          echo "RES-------"$RES"--------"

          SHA_ATT_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json | base64 -d | jq -r .predicate.attestations[0].predicate.materials[].digest[])
          SHA_STEP_MATERIAL=$(jq -r .payload ${GITHUB_WORKSPACE}/provenance_kk.signed.json | base64 -d | jq -r .predicate.attestations[3].predicate.materials[0].digest[])
          echo "SHA_ATT_MATERIAL $SHA_ATT_MATERIAL"
          echo "SHA_STEP_MATERIAL $SHA_STEP_MATERIAL"
          if [ "$SHA_ATT_MATERIAL" == "$SHA_STEP_MATERIAL" ]; then
              echo " "
          else
                           
              echo Salt - Attestations FAILED !!
              echo Salt - Materials are different !!
              exit 1
          fi

          echo " "
          echo "-------"
          echo "Verifying provenance ..."
          # This should pass (the certificate is the same, and the file digest matches)
          salt verify \
              --basedir ${GITHUB_WORKSPACE} \
              --attestation=${GITHUB_WORKSPACE}/provenance_kk.signed.json \
              --public-key=${GITHUB_WORKSPACE}/Test1_public.pem \
              --file ./JavaVulnerableLab.war

             #--basedir $ARTIFACTS_LOCATION \
             #--public-key=${WORKSPACE}/cert_${JOB_BASE_NAME}.pem \


      # Runs tests
      - name: Running tests ...
        id : run_tests
        run: |
          exit 0
          echo Running tests..
          chmod +x runtests.sh
          cat runtests.sh
          #./runtests.sh "${{ github.event.pull_request.user.login }}" "${{ github.workflow }}" 
          bash ./runtests.sh "${{ github.event.workflow_run.actor.name }}" "${{ github.workflow }}" 
          export ret_value=$?
          echo ret_value $ret_value
          cat runtests.out
          echo Tests executed. 
          echo "run_tests=OK" >> $GITHUB_OUTPUT

      #
      # For demo purposes, the check merge condition will always be set to FALSE (avoiding to merge)
      #
      - name: pr_check_conditions_to_merge
        id: check_pr
        run: |
          echo "check_conditions_to_merge"
          PR_ID=$(<PR_ID.txt)
          PR_TITLE=$(<PR_TITLE.txt)
          echo "Checking conditions to merge PR with id $PR_ID and Title $PR_TITLE" 
          echo "Checking conditions to merge PR with id $PR_ID and Title $(<PR_TITLE.txt)" 
          echo "merge=false" >> $GITHUB_OUTPUT
      
      - name: pr_merge_pr_false
        if: steps.check_pr.outputs.merge == 'false'
        run: |
          echo "The merge check was ${{ steps.check_pr.outputs.merge }}"
          echo "Merge conditions NOT MEET!!!"


      - name: pr_merge_pr_true
        if: steps.check_pr.outputs.merge == 'true' && steps.run_tests.outputs.run_tests == 'OK'
        run: |
          echo "The merge check was ${{ steps.check_pr.outputs.merge }}"
          echo "Merge conditions successfully MEET!!!"
          echo "Merging .."
          PR_ID=$(<PR_ID.txt)
          curl -L \
                  -X PUT \
                  -H "Accept: application/vnd.github+json" \
                  -H "Authorization: Bearer $GITHUB_PAT" \
                  -H "X-GitHub-Api-Version: 2022-11-28" \
                  https://api.github.com/repos/lgvorg1/"${{github.event.repository.name}}"/pulls/"$PR_ID"/merge \
                  -d '{"commit_title":"Expand enum","commit_message":"Add a new value to the merge_method enum"}'
       