Skip to content

don't use base64

don't use base64 #39

name: SLSA Generator Custom NodeJS
on:
workflow_dispatch:
push:
permissions:
contents: read
id-token: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
- name: Build steps
run: |
echo "Building the project"
npm pack
- name: Auto-Detect - Package details
id: package-details
run: |
PACKAGE_PATH=$(ls -1 *.tgz | head -n 1) # To be change with the action as input
PACKAGE_FILENAME=$(basename $PACKAGE_PATH)
PACKAGE_NAME=$(jq -r '.name' package.json)
PACKAGE_VERSION=$(jq -r '.version' package.json)
PACKAGE_INTEGRITY=$(openssl dgst -sha512 -binary "$PACKAGE_PATH")
echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}" >> $GITHUB_OUTPUT
echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
echo "PACKAGE_INTEGRITY=sha512-${PACKAGE_INTEGRITY}" >> $GITHUB_OUTPUT
- name: Print all outputs of packges details
run: |
echo "PACKAGE_FILENAME=${{ steps.package-details.outputs.PACKAGE_FILENAME }}"
echo "PACKAGE_NAME=${{ steps.package-details.outputs.PACKAGE_NAME }}"
echo "PACKAGE_VERSION=${{ steps.package-details.outputs.PACKAGE_VERSION }}"
echo "PACKAGE_INTEGRITY=${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}"
- name: Generate the Predicate
env:
BUILDER_ID: ${{ github.workflow_ref }} # Buid is made on the same job
CONFIG_SOURCE_URI: git+${{ github.event.repository.html_url }}@${{ github.ref }}
CONFIG_SOURCE_DIGEST: ${{ github.sha }}
ENTRY_POINT: ${{ github.event.repository.html_url }}
GITHUB_ACTOR_ID: ${{ github.actor_id }}
GITHUB_TRIGGERING_ACTOR_ID: ${{ github.triggering_actor }}
GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id}}
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
GITHUB_RUN_NUMBER: ${{ github.run_number }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
GITHUB_REF_TYPE: ${{ github.ref_type }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_WORKFLOW: ${{ github.workflow }}
GITHUB_BASE_REF: ${{ github.base_ref }}
GITHUB_WORKFLOW_REF: ${{ github.workflow_ref }}
BUILD_INVOCATION_ID: ${{ github.run_id }}-${{ github.run_attempt }}
run: |
bash ./.github/workflows/slsa-github-generator-nodejs-predicate.sh
- name: Generate the SLSA layout
env:
SLSA_OUTPUTS_ARTIFACTS_FILE: artifacts-layout.json
PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
run: |
bash ./.github/workflows/slsa-github-generator-nodejs-layout.sh
- name: Generate the attestation
uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
with:
slsa-layout-file: artifacts-layout.json
predicate-type: https://slsa.dev/provenance/v0.2
predicate-file: predicate.json
output-folder: attestations
- name: Sign the attestation
uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
with:
payload-type: application/vnd.in-toto+json
attestations: attestations
output-folder: attestations-signed
- name: Scan to find the attestation signed from the signed folder
id: scan-attestations-signed
run: |
ATTESTATION_SIGNED_PATH=$(ls -1 ./attestations-signed/*.build.slsa | head -n 1)
if [ -z "$ATTESTATION_SIGNED_PATH" ]; then
echo "Error: No attestation signed files found in the ./attestations-signed directory."
exit 1
fi
echo "ATTESTATION_SIGNED_PATH=${ATTESTATION_SIGNED_PATH}" >> $GITHUB_OUTPUT
- name: Debug
run: |
cat predicate.json
cat artifacts-layout.json
cat ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
- name: Upload artifact1
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: predicate.json
name: predicate.json
- name: Upload artifact2
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: artifacts-layout.json
name: artifacts-layout.json
- name: Upload artifact3
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
name: signed-attestations.json
- name: Upload artifact4
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
name: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
- name: Upload to npmjs.com
env:
TARBALL_PATH: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
PROVENANCE_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
run: |
npm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
npm publish "${TARBALL_PATH}" --access public --provenance-file="${PROVENANCE_PATH}"