test diff package integrity with pack #42

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/slsa-generator-nodejs-custom.yaml at 504a3ae

	name: SLSA Generator Custom NodeJS

	on:
	workflow_dispatch:
	push:

	permissions:
	contents: read
	id-token: write

	jobs:
	build:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Setup node
	uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
	- name: Build steps
	run: \|
	echo "Building the project"
	npm pack --json > pack.json
	- name: Upload npm pack
	uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
	with:
	path: pack.json
	name: pack.json
	- name: Auto-Detect - Package details
	id: package-details
	run: \|
	PACKAGE_PATH=$(ls -1 *.tgz \| head -n 1) # To be change with the action as input
	PACKAGE_FILENAME=$(basename $PACKAGE_PATH)
	PACKAGE_NAME=$(jq -r '.name' package.json)
	PACKAGE_VERSION=$(jq -r '.version' package.json)
	PACKAGE_INTEGRITY=$(openssl dgst -sha512 -binary "$PACKAGE_PATH" \| base64)
	echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}" >> $GITHUB_OUTPUT
	echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
	echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
	echo "PACKAGE_INTEGRITY=sha512-${PACKAGE_INTEGRITY}" >> $GITHUB_OUTPUT
	package_integrity=$(echo "${pack_json}" \| jq -r '.[0].integrity')
	echo package_integrity
	- name: Print all outputs of packges details
	run: \|
	echo "PACKAGE_FILENAME=${{ steps.package-details.outputs.PACKAGE_FILENAME }}"
	echo "PACKAGE_NAME=${{ steps.package-details.outputs.PACKAGE_NAME }}"
	echo "PACKAGE_VERSION=${{ steps.package-details.outputs.PACKAGE_VERSION }}"
	echo "PACKAGE_INTEGRITY=${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}"
	- name: Generate the Predicate
	env:
	BUILDER_ID: ${{ github.workflow_ref }} # Buid is made on the same job
	CONFIG_SOURCE_URI: git+${{ github.event.repository.html_url }}@${{ github.ref }}
	CONFIG_SOURCE_DIGEST: ${{ github.sha }}
	ENTRY_POINT: ${{ github.event.repository.html_url }}
	GITHUB_ACTOR_ID: ${{ github.actor_id }}
	GITHUB_TRIGGERING_ACTOR_ID: ${{ github.triggering_actor }}
	GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
	GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id}}
	GITHUB_RUN_ID: ${{ github.run_id }}
	GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
	GITHUB_RUN_NUMBER: ${{ github.run_number }}
	GITHUB_SHA: ${{ github.sha }}
	GITHUB_REF: ${{ github.ref }}
	GITHUB_REF_TYPE: ${{ github.ref_type }}
	GITHUB_EVENT_NAME: ${{ github.event_name }}
	GITHUB_WORKFLOW: ${{ github.workflow }}
	GITHUB_BASE_REF: ${{ github.base_ref }}
	GITHUB_WORKFLOW_REF: ${{ github.workflow_ref }}
	BUILD_INVOCATION_ID: ${{ github.run_id }}-${{ github.run_attempt }}
	run: \|
	bash ./.github/workflows/slsa-github-generator-nodejs-predicate.sh
	- name: Generate the SLSA layout
	env:
	SLSA_OUTPUTS_ARTIFACTS_FILE: artifacts-layout.json
	PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
	PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
	PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
	PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
	run: \|
	bash ./.github/workflows/slsa-github-generator-nodejs-layout.sh
	- name: Generate the attestation
	uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
	with:
	slsa-layout-file: artifacts-layout.json
	predicate-type: https://slsa.dev/provenance/v0.2
	predicate-file: predicate.json
	output-folder: attestations
	- name: Sign the attestation
	uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
	with:
	payload-type: application/vnd.in-toto+json
	attestations: attestations
	output-folder: attestations-signed
	- name: Scan to find the attestation signed from the signed folder
	id: scan-attestations-signed
	run: \|
	ATTESTATION_SIGNED_PATH=$(ls -1 ./attestations-signed/*.build.slsa \| head -n 1)
	if [ -z "$ATTESTATION_SIGNED_PATH" ]; then
	echo "Error: No attestation signed files found in the ./attestations-signed directory."
	exit 1
	fi
	echo "ATTESTATION_SIGNED_PATH=${ATTESTATION_SIGNED_PATH}" >> $GITHUB_OUTPUT
	- name: Debug
	run: \|
	cat predicate.json
	cat artifacts-layout.json
	cat ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
	- name: Upload artifact1
	uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
	with:
	path: predicate.json
	name: predicate.json
	- name: Upload artifact2
	uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
	with:
	path: artifacts-layout.json
	name: artifacts-layout.json
	- name: Upload artifact3
	uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
	with:
	path: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
	name: signed-attestations.json
	- name: Upload artifact4
	uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
	with:
	path: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
	name: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
	- name: Upload to npmjs.com
	env:
	TARBALL_PATH: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
	PROVENANCE_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
	run: \|
	npm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
	npm publish "${TARBALL_PATH}" --access public --provenance-file="${PROVENANCE_PATH}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test diff package integrity with pack #42

Workflow file

test diff package integrity with pack #42

Jobs

Run details

Workflow file for this run