-
Notifications
You must be signed in to change notification settings - Fork 0
154 lines (148 loc) · 6.98 KB
/
slsa-generator-nodejs-custom.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
name: SLSA Generator Custom NodeJS
on:
workflow_dispatch:
push:
permissions:
contents: read
id-token: write
attestations: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
- name: Build steps
run: |
echo "Building the project"
npm pack
- name: Auto-Detect - Package details
id: package-details
run: |
PACKAGE_PATH=$(ls -1 *.tgz | head -n 1) # To be change with the action as input
pack_json=$(npm pack $PACKAGE_PATH --json | tee pack.json | jq -c)
jq <pack.json
PACKAGE_FILENAME=$(echo "$pack_json" | jq -r '.[0].filename')
PACKAGE_NAME=$(echo "$pack_json" | jq -r '.[0].name')
PACKAGE_VERSION=$(echo "$pack_json" | jq -r '.[0].version')
PACKAGE_INTEGRITY=$(echo "$pack_json" | jq -r '.[0].integrity')
echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}" >> $GITHUB_OUTPUT
echo "PACKAGE_NAME=${PACKAGE_NAME}" >> $GITHUB_OUTPUT
echo "PACKAGE_VERSION=${PACKAGE_VERSION}" >> $GITHUB_OUTPUT
echo "PACKAGE_INTEGRITY=${PACKAGE_INTEGRITY}" >> $GITHUB_OUTPUT
- name: Print all outputs of packges details
run: |
echo "PACKAGE_FILENAME=${{ steps.package-details.outputs.PACKAGE_FILENAME }}"
echo "PACKAGE_NAME=${{ steps.package-details.outputs.PACKAGE_NAME }}"
echo "PACKAGE_VERSION=${{ steps.package-details.outputs.PACKAGE_VERSION }}"
echo "PACKAGE_INTEGRITY=${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}"
- name: Generate the Predicate
env:
BUILDER_ID: ${{ github.workflow_ref }} # Buid is made on the same job
CONFIG_SOURCE_URI: git+${{ github.event.repository.html_url }}@${{ github.ref }}
CONFIG_SOURCE_DIGEST: ${{ github.sha }}
GITHUB_ACTOR_ID: ${{ github.actor_id }}
GITHUB_TRIGGERING_ACTOR_ID: ${{ github.triggering_actor }}
GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id}}
GITHUB_RUN_ID: ${{ github.run_id }}
GITHUB_RUN_ATTEMPT: ${{ github.run_attempt }}
GITHUB_RUN_NUMBER: ${{ github.run_number }}
GITHUB_SHA: ${{ github.sha }}
GITHUB_REF: ${{ github.ref }}
GITHUB_REF_TYPE: ${{ github.ref_type }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_WORKFLOW: ${{ github.workflow }}
GITHUB_BASE_REF: ${{ github.base_ref }}
GITHUB_WORKFLOW_REF: ${{ github.workflow_ref }}
BUILD_INVOCATION_ID: ${{ github.run_id }}-${{ github.run_attempt }}
run: |
bash ./.github/workflows/slsa-github-generator-nodejs-predicate.sh
cat predicate.json
- name: Generate the SLSA layout
env:
SLSA_OUTPUTS_ARTIFACTS_FILE: artifacts-layout.json
PACKAGE_NAME: ${{ steps.package-details.outputs.PACKAGE_NAME }}
PACKAGE_VERSION: ${{ steps.package-details.outputs.PACKAGE_VERSION }}
PACKAGE_INTEGRITY: ${{ steps.package-details.outputs.PACKAGE_INTEGRITY }}
PACKAGE_FILENAME: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
run: |
bash ./.github/workflows/slsa-github-generator-nodejs-layout.sh
- name: Generate the attestation
uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
with:
slsa-layout-file: artifacts-layout.json
predicate-type: https://slsa.dev/provenance/v0.2
predicate-file: predicate.json
output-folder: attestations
- name: Sign the attestation
uses: slsa-framework/slsa-github-generator/.github/actions/[email protected]
with:
payload-type: application/vnd.in-toto+json
attestations: attestations
output-folder: attestations-signed
- name: Scan to find the attestation signed from the signed folder
id: scan-attestations-signed
run: |
ATTESTATION_SIGNED_PATH=$(ls -1 ./attestations-signed/*.build.slsa | head -n 1)
if [ -z "$ATTESTATION_SIGNED_PATH" ]; then
echo "Error: No attestation signed files found in the ./attestations-signed directory."
exit 1
fi
echo "ATTESTATION_SIGNED_PATH=${ATTESTATION_SIGNED_PATH}" >> $GITHUB_OUTPUT
- name: Debug
run: |
cat predicate.json
cat artifacts-layout.json
cat ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
- name: Upload artifact1
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: predicate.json
name: predicate.json
- name: Upload artifact2
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: artifacts-layout.json
name: artifacts-layout.json
- name: Upload artifact3
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
name: signed-attestations.json
- name: Upload artifact4
uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # tag=v3.1.0
with:
path: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
name: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
- name: Upload the Attestation to the Github API
env:
ATTESTATION_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
run: |
cat $ATTESTATION_PATH
response=$(curl -L \
-X POST \
-H "Accept: application/vnd.github+json" \
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-H "X-GitHub-Api-Version: 2022-11-28" \
https://api.github.com/repos/${{ github.repository }}/attestations \
-d "{\"value\": \"$(cat $ATTESTATION_PATH)\"}" \
-d "{\"value\": {\"bundle\": \"$(cat $ATTESTATION_PATH)\"}}" \
-w "%{http_code}" -o response.json)
http_code=$(jq -r '.status' response.json)
if [ "$http_code" -ne 201 ]; then
echo "Error: Failed to upload attestation to GitHub API. HTTP status code: $http_code"
cat response.json
exit 1
fi
cat response.json
- name: Upload to npmjs.com
env:
TARBALL_PATH: ${{ steps.package-details.outputs.PACKAGE_FILENAME }}
PROVENANCE_PATH: ${{ steps.scan-attestations-signed.outputs.ATTESTATION_SIGNED_PATH }}
run: |
npm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
npm publish "${TARBALL_PATH}" --access public --provenance-file="${PROVENANCE_PATH}"