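# Builds an npm tarball, generates and signs SLSA provenance for it, and
# publishes tarball + provenance to npmjs.com.
#
# NOTE(review): the build, the predicate generation and the signing all run in
# the SAME job, from scripts checked out of this repository. The resulting
# provenance is therefore self-asserted by the repo's own workflow — there is
# no isolated, trusted builder — and anything that can alter the build step can
# alter the predicate. Treat it as SLSA Build L1/L2 material, not L3.
name: SLSA Generator Custom NodeJS

on:
  workflow_dispatch:
  # NOTE(review): an unfiltered `push` runs this workflow — including the final
  # `npm publish` — on every push to every branch. Restrict it (e.g.
  # `tags: ['v*']`) or gate the publish step before relying on this.
  push:

# Least privilege: nothing here writes to the repository. `id-token: write` is
# what the Sigstore keyless signing in sign-attestations needs.
permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        # NOTE(review): pin to a commit SHA like setup-node / upload-artifact
        # below; a mutable tag can be moved to different code.
        uses: actions/checkout@v4

      - name: Setup node
        # No node-version is given, so whatever Node/npm the runner ships is used.
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4

      - name: Build steps
        run: |
          echo "Building the project"
          # pack.json is npm's own record of the tarball (filename, integrity, ...).
          npm pack --json > pack.json

      - name: Upload npm pack
        # NOTE(review): actions/upload-artifact v3 is deprecated on github.com;
        # move to a SHA-pinned v4 — confirm against the current deprecation notice.
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          path: pack.json
          name: pack.json

      - name: Auto-Detect - Package details
        id: package-details
        # Outputs: PACKAGE_FILENAME, PACKAGE_NAME, PACKAGE_VERSION, PACKAGE_INTEGRITY.
        run: |
          set -u
          # Take the tarball name from npm's own output instead of globbing for
          # the first *.tgz in the workspace.
          PACKAGE_PATH=$(jq -r '.[0].filename' pack.json)
          if [ ! -f "${PACKAGE_PATH}" ]; then
            echo "Error: tarball '${PACKAGE_PATH}' reported by npm pack was not found." >&2
            exit 1
          fi
          PACKAGE_FILENAME=$(basename "${PACKAGE_PATH}")
          PACKAGE_NAME=$(jq -r '.name' package.json)
          PACKAGE_VERSION=$(jq -r '.version' package.json)
          # SRI-style integrity. `-w0` matters: GNU base64 wraps at 76 columns and
          # an 88-character sha512 digest would otherwise contain a newline, which
          # truncates the value written to $GITHUB_OUTPUT.
          PACKAGE_INTEGRITY="sha512-$(openssl dgst -sha512 -binary "${PACKAGE_PATH}" | base64 -w0)"
          # Cross-check against the integrity npm recorded when it packed; a
          # mismatch means the file on disk is not the tarball npm produced.
          NPM_INTEGRITY=$(jq -r '.[0].integrity' pack.json)
          if [ "${PACKAGE_INTEGRITY}" != "${NPM_INTEGRITY}" ]; then
            echo "Error: integrity mismatch: computed ${PACKAGE_INTEGRITY}, npm pack reported ${NPM_INTEGRITY}." >&2
            exit 1
          fi
          {
            echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}"
            echo "PACKAGE_NAME=${PACKAGE_NAME}"
            echo "PACKAGE_VERSION=${PACKAGE_VERSION}"
            echo "PACKAGE_INTEGRITY=${PACKAGE_INTEGRITY}"
          } >> "${GITHUB_OUTPUT}"

      - name: Print all outputs of package details
        # Step outputs are passed through env rather than interpolated into the
        # script with ${{ }}, so they are never re-parsed by the shell.
        env:
          PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
          PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
          PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
          PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
        run: |
          echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}"
          echo "PACKAGE_NAME=${PACKAGE_NAME}"
          echo "PACKAGE_VERSION=${PACKAGE_VERSION}"
          echo "PACKAGE_INTEGRITY=${PACKAGE_INTEGRITY}"

      - name: Generate the Predicate
        env:
          # Build and provenance generation happen in this same job, so the
          # builder id is just this workflow — it is a claim the repo makes
          # about itself, not one an independent builder vouches for.
          BUILDER_ID: ${{ github.workflow_ref }}
          CONFIG_SOURCE_URI: git+${{ github.event.repository.html_url }}@${{ github.ref }}
          CONFIG_SOURCE_DIGEST: ${{ github.sha }}
          # NOTE(review): this is the repository URL; confirm the predicate script
          # does not expect the workflow file path here instead.
          ENTRY_POINT: ${{ github.event.repository.html_url }}
          GITHUB_ACTOR_ID: ${{ github.actor_id }}
          # NOTE(review): github.triggering_actor is a login, not a numeric id,
          # despite this variable's name.
          GITHUB_TRIGGERING_ACTOR_ID: ${{ github.triggering_actor }}
          GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
          GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id }}
          GITHUB_RUN_ID: ${{ github.run_id }}
          GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
          GITHUB_RUN_NUMBER: ${{ github.run_number }}
          GITHUB_SHA: ${{ github.sha }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_REF_TYPE: ${{ github.ref_type }}
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_WORKFLOW: ${{ github.workflow }}
          # Empty for the push / workflow_dispatch triggers used here.
          GITHUB_BASE_REF: ${{ github.base_ref }}
          GITHUB_WORKFLOW_REF: ${{ github.workflow_ref }}
          BUILD_INVOCATION_ID: ${{ github.run_id }}-${{ github.run_attempt }}
        run: |
          bash ./.github/workflows/slsa-github-generator-nodejs-predicate.sh

      - name: Generate the SLSA layout
        env:
          SLSA_OUTPUTS_ARTIFACTS_FILE: artifacts-layout.json
          PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
          PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
          PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
          PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
        run: |
          bash ./.github/workflows/slsa-github-generator-nodejs-layout.sh

      - name: Generate the attestation
        # NOTE(review): both slsa-github-generator actions are pinned by tag;
        # pin them by commit SHA as well.
        uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
        with:
          slsa-layout-file: artifacts-layout.json
          predicate-type: https://slsa.dev/provenance/v0.2
          predicate-file: predicate.json
          output-folder: attestations

      - name: Sign the attestation
        uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
        with:
          payload-type: application/vnd.in-toto+json
          attestations: attestations
          output-folder: attestations-signed

      - name: Scan to find the attestation signed from the signed folder
        id: scan-attestations-signed
        # Output: ATTESTATION_SIGNED_PATH (first *.build.slsa in attestations-signed).
        run: |
          set -u
          # nullglob makes an unmatched pattern expand to nothing instead of
          # itself, so the emptiness check below is actually reachable.
          shopt -s nullglob
          SIGNED_FILES=(./attestations-signed/*.build.slsa)
          if [ "${#SIGNED_FILES[@]}" -eq 0 ]; then
            echo "Error: No attestation signed files found in the ./attestations-signed directory." >&2
            exit 1
          fi
          if [ "${#SIGNED_FILES[@]}" -gt 1 ]; then
            echo "Warning: ${#SIGNED_FILES[@]} signed attestations found; using ${SIGNED_FILES[0]}" >&2
          fi
          echo "ATTESTATION_SIGNED_PATH=${SIGNED_FILES[0]}" >> "${GITHUB_OUTPUT}"

      - name: Debug
        env:
          ATTESTATION_SIGNED_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
        run: |
          cat predicate.json
          cat artifacts-layout.json
          cat "${ATTESTATION_SIGNED_PATH}"

      - name: Upload artifact1
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          path: predicate.json
          name: predicate.json

      - name: Upload artifact2
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          path: artifacts-layout.json
          name: artifacts-layout.json

      - name: Upload artifact3
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          path: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
          name: signed-attestations.json

      - name: Upload artifact4
        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
        with:
          path: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
          name: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}

      - name: Upload to npmjs.com
        env:
          TARBALL_PATH: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
          PROVENANCE_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
          # The token reaches the shell as an environment variable, never as text
          # spliced into the script, so it cannot be echoed by a traced command line
          # or change the command's parsing.
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -u
          npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
          # NOTE(review): --provenance-file needs an npm CLI that supports it and
          # a Sigstore bundle as input — verify the runner's npm version.
          npm publish "${TARBALL_PATH}" --access public --provenance-file="${PROVENANCE_PATH}"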