slsa-generator-nodejs-custom.yaml
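---
# Builds an npm tarball and produces SLSA provenance for it.
#
# NOTE(review): the build and the provenance generation run in the SAME job
# (see the BUILDER_ID comment below). Anything the build steps can do, they can
# also do to predicate.json and artifacts-layout.json before those files are
# signed, so this workflow cannot claim SLSA Build L3 isolation; treat the
# attestations accordingly when consuming them.
name: SLSA Generator Custom NodeJS

on:
  workflow_dispatch:
  # Runs (and signs provenance) on every push to every branch; add a
  # branches:/tags: filter if provenance should only be produced for releases.
  push:

# Least privilege: read the repository, mint an OIDC token for keyless signing.
permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # TODO(review): pin to a full commit SHA, as the setup-node step does,
        # so the action cannot change underneath a moving tag.
        uses: actions/checkout@v4

      - name: Setup node
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4

      - name: Build steps
        run: |
          echo "Building the project"
          npm pack

      # Derives the package metadata from package.json and the tarball that
      # `npm pack` produced. Outputs: PACKAGE_TGZ, PACKAGE_NAME,
      # PACKAGE_VERSION, PACKAGE_INTEGRITY.
      - name: Auto-Detect - Package details
        id: package-details
        shell: bash  # runs with -eo pipefail, so a failed command stops the step
        run: |
          set -euo pipefail
          # Use a glob instead of parsing `ls` output; fail loudly when
          # `npm pack` produced nothing rather than hashing an empty path.
          shopt -s nullglob
          tarballs=(*.tgz)
          if [ "${#tarballs[@]}" -eq 0 ]; then
            echo "::error::no .tgz found in the workspace after 'npm pack'"
            exit 1
          fi
          PACKAGE_PATH="${tarballs[0]}"  # to be replaced by an action input
          PACKAGE_TGZ=$(basename "$PACKAGE_PATH")
          PACKAGE_NAME=$(jq -r '.name' package.json)
          PACKAGE_VERSION=$(jq -r '.version' package.json)
          # Hex SHA-512 of the tarball with an SRI-style prefix. npm's own
          # `integrity` field is base64-encoded; confirm which form
          # slsa-github-generator-nodejs-layout.sh expects before changing it.
          PACKAGE_INTEGRITY=$(shasum -a 512 "$PACKAGE_PATH" | awk '{print $1}')
          {
            echo "PACKAGE_TGZ=${PACKAGE_TGZ}"
            echo "PACKAGE_NAME=${PACKAGE_NAME}"
            echo "PACKAGE_VERSION=${PACKAGE_VERSION}"
            echo "PACKAGE_INTEGRITY=sha512-${PACKAGE_INTEGRITY}"
          } >> "$GITHUB_OUTPUT"

      - name: Print all outputs of package details
        run: |
          echo "PACKAGE_TGZ=${{ steps.package-details.outputs.PACKAGE_TGZ }}"
          echo "PACKAGE_NAME=${{ steps.package-details.outputs.PACKAGE_NAME }}"
          echo "PACKAGE_VERSION=${{ steps.package-details.outputs.PACKAGE_VERSION }}"
          echo "PACKAGE_INTEGRITY=${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}"

      # Writes predicate.json from the environment below.
      - name: Generate the Predicate
        env:
          BUILDER_ID: ${{ github.workflow_ref }} # Build is made on the same job
          CONFIG_SOURCE_URI: git+${{ github.event.repository.html_url }}@${{ github.ref }}
          CONFIG_SOURCE_DIGEST: ${{ github.sha }}
          ENTRY_POINT: ${{ github.workflow }}
          GITHUB_ACTOR_ID: ${{ github.actor_id }}
          # NOTE(review): github.triggering_actor is a login name, not a
          # numeric id like github.actor_id — confirm what the predicate
          # script expects under this variable name.
          GITHUB_TRIGGERING_ACTOR_ID: ${{ github.triggering_actor }}
          GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
          GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id }}
          GITHUB_RUN_ID: ${{ github.run_id }}
          GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
          GITHUB_RUN_NUMBER: ${{ github.run_number }}
          GITHUB_SHA: ${{ github.sha }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_REF_TYPE: ${{ github.ref_type }}
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_WORKFLOW: ${{ github.workflow }}
          GITHUB_BASE_REF: ${{ github.base_ref }}
          GITHUB_WORKFLOW_REF: ${{ github.workflow_ref }}
          BUILD_INVOCATION_ID: ${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          bash ./.github/workflows/slsa-github-generator-nodejs-predicate.sh
          cat predicate.json

      # Writes artifacts-layout.json (the subjects of the attestation).
      - name: Generate the SLSA layout
        env:
          SLSA_OUTPUTS_ARTIFACTS_FILE: artifacts-layout.json
          PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
          PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
          PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
          # Fix: the detection step publishes the tarball name as PACKAGE_TGZ;
          # there is no PACKAGE_FILENAME output, so the previous reference
          # always resolved to an empty string.
          PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_TGZ }}
        run: |
          bash ./.github/workflows/slsa-github-generator-nodejs-layout.sh

      # Debug listing plus creation of the attestation output folder.
      # `testattest` is not referenced by any later step.
      - name: Debug - list workspace and prepare output folders
        run: |
          ls -lar
          pwd
          mkdir testattest
          mkdir attestations
          ls -lar

      # NOTE(review): the ref in this `uses:` line appears mangled in the
      # source (it reads "[email protected]"); pin it to the full commit SHA
      # of the intended slsa-github-generator release.
      - name: Generate the attestation
        uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
        with:
          slsa-layout-file: ./artifacts-layout.json
          predicate-type: https://slsa.dev/provenance/v0.2
          predicate-file: ./predicate.json
          output-folder: ./attestations

      # NOTE(review): same mangled ref as above; pin to a full commit SHA.
      - name: Sign the attestation
        uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
        with:
          payload-type: application/vnd.in-toto+json
          attestations: ./attestations
          output-folder: ./attestations-signed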