provenance4.yaml
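# Builds each buildconfig in the matrix with the slsa-github-generator docker-based
# builder and signs the resulting artifact with actions/attest-build-provenance.
name: Matrix Provenances

on:
  push:
    branches:
      - "stage0verify"
  workflow_dispatch:
    inputs:
      # NOTE(review): declared `required` but never referenced below — a manual
      # run still builds only the hard-coded matrix. If it is ever wired into a
      # `run:` step, pass it through `env:` rather than `${{ }}` interpolation:
      # dispatch inputs are attacker-controllable text.
      build-config-path:
        required: true
        type: string

jobs:
  build_attest_all:
    strategy:
      # Let every matrix entry run to completion so one broken buildconfig does
      # not hide the result of the others.
      fail-fast: false
      matrix:
        buildconfig:
          - buildconfigs/key_xor_test_app.toml
          - buildconfigs/oak_echo_raw_enclave_app.toml
    # Least privilege: id-token + attestations are what attest-build-provenance
    # needs to sign; nothing in this job writes to the repository.
    permissions:
      actions: read
      id-token: write
      attestations: write
      contents: read
    # NOTE(review): GitHub has deprecated the ubuntu-20.04 hosted-runner label;
    # confirm it still resolves or move to a currently supported image.
    runs-on: ubuntu-20.04
    steps:
      # TODO(review): pin third-party actions below to a full commit SHA (keep
      # the version in a trailing comment) so a moved tag cannot change what runs
      # inside a provenance-producing job.
      #
      # Despite the step name this checks out the ref that triggered the run
      # (the stage0verify push or the dispatch ref), not necessarily main.
      - name: Mount main branch
        uses: actions/checkout@v4
        with:
          # Do not leave GITHUB_TOKEN in .git/config: no later step needs
          # authenticated git, and the workspace is handed to a container build.
          # Re-enable only if a step below must perform authenticated git ops.
          persist-credentials: false
      - name: Parse buildconfig
        id: parse
        # Matrix values enter the shell through env rather than ${{ }} text
        # substitution, so a value with shell metacharacters cannot rewrite the
        # script (defense in depth — today's values are hard-coded above).
        env:
          BUILDCONFIG: ${{ matrix.buildconfig }}
        run: |
          set -o errexit
          set -o nounset
          set -o xtrace
          set -o pipefail
          source ./scripts/common
          # Relies on `artifact_path = ...` being the LAST line of the TOML.
          # With pipefail, a reordered file makes grep fail and the step abort
          # rather than attesting the wrong file.
          artifact_path="$(tail -1 "${BUILDCONFIG}" | grep -oP 'artifact_path = \K(.*)')"
          package_name="$(basename "${BUILDCONFIG}" .toml)"
          # DOCKER_IMAGE_REPO_DIGEST (from scripts/common) is expected as
          # repo@sha256:...; keep only the digest for the builder pin.
          builder_digest="$(echo "${DOCKER_IMAGE_REPO_DIGEST}" | cut -d'@' -f2)"
          {
            echo "artifact-path=${artifact_path}"
            echo "package-name=${package_name}"
            echo "builder-digest=${builder_digest}"
          } >> "${GITHUB_OUTPUT}"
      - name: Show values
        env:
          ARTIFACT_PATH: ${{ steps.parse.outputs.artifact-path }}
          PACKAGE_NAME: ${{ steps.parse.outputs.package-name }}
          BUILDER_DIGEST: ${{ steps.parse.outputs.builder-digest }}
        run: |
          echo "${ARTIFACT_PATH}"
          echo "${PACKAGE_NAME}"
          echo "${BUILDER_DIGEST}"
      # Use slsa-github-generator for build only. We ignore the provenance it produces.
      # NOTE(review): this path points at a reusable workflow file; reusable
      # workflows are invoked from `jobs.<id>.uses`, not from `steps` — confirm
      # this step actually resolves before relying on it.
      - name: Build
        id: build
        uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
        with:
          builder-image: europe-west2-docker.pkg.dev/oak-ci/oak-development/oak-development
          # Digest pin from the Parse step: the build runs in an immutable image.
          builder-digest: ${{ steps.parse.outputs.builder-digest }}
          config-path: ${{ matrix.buildconfig }}
          compile-builder: true
      - name: Show build artifact
        env:
          ARTIFACT_PATH: ${{ steps.parse.outputs.artifact-path }}
        run: |
          echo "${ARTIFACT_PATH}"
          # ls exits non-zero if the builder did not produce the file, so this
          # also stops the Attest step from signing a missing subject.
          ls -la "${ARTIFACT_PATH}"
      - name: Attest
        id: attest
        # Signs whatever sits at artifact-path after the build; the subject is
        # taken from the TOML, not from a builder output.
        uses: actions/[email protected]
        with:
          subject-path: ${{ steps.parse.outputs.artifact-path }}
      - name: Show Bundle
        env:
          BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}
        run: |
          echo "${BUNDLE_PATH}"
          ls -la "${BUNDLE_PATH}"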