-
Notifications
You must be signed in to change notification settings - Fork 114
99 lines (82 loc) · 2.97 KB
/
rekor_cli.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
name: Build and attest Rekor CLI
# Workflow to build the Rekor command line tool from source, and to generate
# a GitHub provenance/attestation for the build artifact.
# Only to be run manually via:
# gh workflow run --repo project-oak/oak .github/workflows/rekor_cli.yaml
# See build.yaml for details.
on:
workflow_dispatch:
branches: [main]
jobs:
build_attest_rekor_cli:
permissions:
actions: read
id-token: write
attestations: write
contents: read
runs-on: ubuntu-20.04
steps:
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
- name: Setup Google Cloud
uses: google-github-actions/setup-gcloud@v2
- name: Mount main branch
uses: actions/checkout@v4
- name: Show values
run: |
set -o errexit
gsutil --version
echo "GITHUB_SHA: ${GITHUB_SHA}"
- name: Build
id: build
run: |
set -o errexit
set -o xtrace
git clone https://github.com/sigstore/rekor.git rekor-cli
cd rekor-cli
make rekor-cli
cp --preserve=timestamps rekor-cli /tmp/rekor-cli
chmod 755 /tmp/rekor-cli
- name: Show build artifact
run: |
ls -la /tmp/rekor-cli
/tmp/rekor-cli version
- name: Attest
id: attest
uses: actions/[email protected]
with:
subject-path: /tmp/rekor-cli
- name: Show bundle
run: |
echo "${{ steps.attest.outputs.bundle-path }}"
ls -la "${{ steps.attest.outputs.bundle-path }}"
cat "${{ steps.attest.outputs.bundle-path }}"
- name: Upload
id: upload
run: |
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace
bucket=oak-bins
package_name=rekor_cli_linux_amd64
binary_path=/tmp/rekor-cli
provenance_path=${{ steps.attest.outputs.bundle-path }}
gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot