# Scheduled end-to-end test of the delegator token flow: `setup-token` mints
# tokens with ./actions/delegator/setup-token, `verify-token` checks them with
# ./.github/actions/verify-token (including inputs that must be rejected), and
# the if-succeed / if-failed jobs report the outcome on scheduled runs.
name: schedule verify-token

on:
  # Daily run.
  schedule:
    - cron: "0 4 * * *"
  # Manual runs are for development; the reporting jobs below skip them.
  workflow_dispatch:

# Workflow-wide default; jobs widen only what they need (id-token, issues).
permissions: read-all

env:
  # Presumably consumed by the e2e-report-*.sh scripts to file issues — confirm.
  GH_TOKEN: ${{ github.token }}
  ISSUE_REPOSITORY: ${{ github.repository }}

jobs:
  setup-token:
    permissions:
      contents: read
      # Required by the setup-token action; presumably for an OIDC token — confirm.
      id-token: write
    runs-on: ubuntu-latest
    outputs:
      # Token built with a well-formed mask list; expected to verify.
      valid-token: ${{ steps.verify.outputs.slsa-token }}
      # Token whose mask list names an input that does not exist; expected to be rejected.
      invalid-mask-token: ${{ steps.verify-invalid-mask.outputs.slsa-token }}
    steps:
      # NOTE: to test this workflow on a dev branch, use:
      # curl -s -X POST -H "Accept: application/vnd.github.v3+json" \
      #   "https://api.github.com/repos/$USERNAME/slsa-github-generator/actions/workflows/e2e.verify-token.schedule.yml/dispatches" \
      #   -d "{\"ref\":\"$BRANCH\"}" \
      #   -H "Authorization: token $GH_TOKEN"
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
      - id: setup
        uses: ./actions/delegator/setup-token
        with:
          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
          slsa-rekor-log-public: true
          slsa-runner-label: "ubuntu-latest"
          slsa-build-action-path: "./actions/build-artifacts-composite"
          slsa-workflow-inputs: '{"name1":"value1","name2":"value2","name3":"value3","name4":"","name5":"value5","name6":"value6","private-repository":true}'
          # name4 has empty value and won't be obfuscated even though it's in the list.
          # The Action should trim the spaces automatically.
          slsa-workflow-masked-inputs: name2, name4,name6
      # Sanity-check the freshly minted token, then publish it as a step output
      # so the verify-token job can consume it.
      - id: verify
        env:
          SLSA_TOKEN: ${{ steps.setup.outputs.slsa-token }}
        run: |
          set -euo pipefail
          ./.github/workflows/scripts/schedule.actions/verify-setup-token.sh
          echo "slsa-token=$SLSA_TOKEN" >> "$GITHUB_OUTPUT"
      # Same inputs as above, but the mask list references a name that is not
      # among the workflow inputs; verification of this token must fail later.
      - id: setup-invalid-mask
        uses: ./actions/delegator/setup-token
        with:
          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
          slsa-rekor-log-public: true
          slsa-runner-label: "ubuntu-latest"
          slsa-build-action-path: "./actions/build-artifacts-composite"
          slsa-workflow-inputs: '{"name1":"value1","name2":"value2","name3":"value3","name4":"","name5":"value5","name6":"value6","private-repository":true}'
          slsa-workflow-masked-inputs: name2, name4,name7 # name7 does not exist in the inputs.
      - id: verify-invalid-mask
        env:
          SLSA_TOKEN: ${{ steps.setup-invalid-mask.outputs.slsa-token }}
        run: |
          set -euo pipefail
          ./.github/workflows/scripts/schedule.actions/verify-setup-token.sh
          echo "slsa-token=$SLSA_TOKEN" >> "$GITHUB_OUTPUT"

  verify-token:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    needs: [setup-token]
    steps:
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
      # Positive case: the well-formed token must verify.
      - id: verify
        uses: ./.github/actions/verify-token
        with:
          slsa-unverified-token: ${{ needs.setup-token.outputs.valid-token }}
          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
          output-predicate: predicate.json
      - env:
          VERIFIED_TOKEN: ${{ steps.verify.outputs.slsa-verified-token }}
          TOOL_REPOSITORY: ${{ steps.verify.outputs.tool-repository }}
          TOOL_REF: ${{ steps.verify.outputs.tool-ref }}
          PREDICATE: predicate.json
        run: ./.github/workflows/scripts/schedule.actions/verify-verified-token.sh
      # Negative cases: each of the next three steps is expected to fail.
      # continue-on-error keeps the job alive so the final step can assert
      # that every one of them actually ended in 'failure'.
      - id: verify-mismatch-recipient
        uses: ./.github/actions/verify-token
        continue-on-error: true
        with:
          # NOTE(review): this feeds the *verified* token from the step above, not
          # the unverified one from setup-token; if the action rejects it on format
          # first, the recipient mismatch is never exercised — confirm intent.
          slsa-unverified-token: ${{ steps.verify.outputs.slsa-verified-token }}
          # Recipient deliberately misspelled (leading "d" dropped) so it cannot match.
          slsa-workflow-recipient: "elegator_generic_slsa3.yml"
          output-predicate: mismatch-recipient-predicate.json
      - id: verify-mismatch-token
        uses: ./.github/actions/verify-token
        continue-on-error: true
        with:
          # A placeholder base64 string rather than a real token; must be rejected.
          slsa-unverified-token: aGVsbG8K
          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
          output-predicate: mismatch-token-predicate.json
      - id: verify-invalid-mask
        uses: ./.github/actions/verify-token
        continue-on-error: true
        with:
          # name7 does not exist in the inputs so it should trigger an error.
          slsa-unverified-token: ${{ needs.setup-token.outputs.invalid-mask-token }}
          slsa-workflow-recipient: "delegator_generic_slsa3.yml"
          output-predicate: invalid-mask-predicate.json
      # The job passes only if all three negative cases were rejected.
      - env:
          SUCCESS: ${{ steps.verify-mismatch-recipient.outcome == 'failure' && steps.verify-mismatch-token.outcome == 'failure' && steps.verify-invalid-mask.outcome == 'failure' }}
        run: |
          [ "$SUCCESS" == "true" ]
      # TODO(1419): Add more tests that manipulate the token.

  if-succeed:
    needs: [setup-token, verify-token]
    runs-on: ubuntu-latest
    # Scheduled runs only. `!= 'failure'` rather than `== 'success'` so that
    # skipped jobs, if there are any, are not counted as failures; if-failed
    # below mirrors this with `== 'failure'` instead of `!= 'success'`.
    # Without always(), this job is also skipped whenever a needed job failed.
    if: github.event_name != 'workflow_dispatch' && needs.verify-token.result != 'failure' && needs.setup-token.result != 'failure'
    permissions:
      contents: read
      issues: write
    steps:
      # NOTE(review): this checks out a mutable branch of another repository and
      # runs a script from it while holding issues: write; pinning `ref` to a
      # commit SHA would remove the mutable dependency — confirm with maintainers.
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
        with:
          repository: slsa-framework/example-package
          ref: main
      - run: ./.github/workflows/scripts/e2e-report-success.sh

  if-failed:
    needs: [setup-token, verify-token]
    runs-on: ubuntu-latest
    # always() so this job is evaluated even though a needed job failed;
    # `== 'failure'` rather than `!= 'success'` ignores skipped jobs.
    if: always() && github.event_name != 'workflow_dispatch' && (needs.verify-token.result == 'failure' || needs.setup-token.result == 'failure')
    permissions:
      contents: read
      issues: write
    steps:
      # NOTE(review): same mutable `ref: main` checkout as in if-succeed; see the
      # note there.
      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3 # v3.5.0
        with:
          repository: slsa-framework/example-package
          ref: main
      - run: ./.github/workflows/scripts/e2e-report-failure.sh