Test #5037

Closed
wants to merge 6 commits into from
100 changes: 100 additions & 0 deletions .github/workflows/rekor_cli.yaml
@@ -0,0 +1,100 @@
name: Build and attest Rekor CLI

on:
push:
branches: [stage0verify]
workflow_dispatch:
branches: [stage0verify]

jobs:
build_attest_rekor_cli:
permissions:
actions: read
id-token: write
attestations: write
contents: read

runs-on: ubuntu-20.04

steps:
# Needed for GCS upload.
# - name: Authenticate to Google Cloud
# uses: google-github-actions/auth@v2
# with:
# credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}

# Needed for GCS upload.
- name: Setup Google Cloud
uses: google-github-actions/setup-gcloud@v2

- name: Mount main branch
uses: actions/checkout@v4

- name: Show values
run: |
set -o errexit
gsutil --version
echo "GITHUB_SHA: ${GITHUB_SHA}"

- name: Build
id: build
run: |
set -o errexit
set -o xtrace
git clone https://github.com/sigstore/rekor.git rekor-cli
cd rekor-cli
make rekor-cli
cp --preserve=timestamps rekor-cli /tmp/rekor-cli-linux-amd64
chmod 755 /tmp/rekor-cli-linux-amd64

- name: Show build artifact
run: |
ls -la /tmp/rekor-cli-linux-amd64
/tmp/rekor-cli-linux-amd64 version

- name: Attest
id: attest
uses: actions/[email protected]
with:
subject-path: /tmp/rekor-cli-linux-amd64

- name: Show bundle
run: |
echo "${{ steps.attest.outputs.bundle-path }}"
ls -la "${{ steps.attest.outputs.bundle-path }}"
cat "${{ steps.attest.outputs.bundle-path }}"

# Upload binary and provenance to GCS and index via http://static.space
# so that, regardless of the GCS bucket and path, it can easily be
# located by its digest.
- name: Upload
id: upload
run: |
set -o errexit
set -o nounset
set -o pipefail
set -o xtrace

bucket=oak-bins
package_name=rekor_cli_linux_amd64
binary_path=/tmp/rekor-cli-linux-amd64
provenance_path=${{ steps.attest.outputs.bundle-path }}

gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"

gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"

curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${binary_url}\" }" \
https://api.static.space/v1/snapshot
curl --fail \
--request POST \
--header 'Content-Type: application/json' \
--data "{ \"url\": \"${provenance_url}\" }" \
https://api.static.space/v1/snapshot
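Review bot: The Build step's `git clone https://github.com/sigstore/rekor.git rekor-cli` is unpinned, so the Attest step binds the binary's digest to this repository's `GITHUB_SHA`, not to the Rekor source that was actually compiled; two runs at the same `GITHUB_SHA` can attest different binaries, and a verifier holding the bundle has no way to tell which upstream commit it came from. Pin the clone (e.g. `git clone --branch <rekor tag or commit, placeholder> --depth 1 ...` or a `git checkout` after the clone) and record that ref alongside `${GITHUB_SHA}` in the GCS paths so the attestation can be tied back to the upstream source. In the same hunk: `actions/checkout@v4`, `google-github-actions/setup-gcloud@v2` and the attest action are referenced by mutable tags rather than commit SHAs, which is worth tightening in a workflow whose purpose is to produce trustworthy provenance; `workflow_dispatch` does not take a `branches` filter (the branch is chosen when the run is dispatched), so the second `branches: [stage0verify]` is a no-op; and with the "Authenticate to Google Cloud" step commented out, the `gsutil cp` calls in the Upload step have no credentials for `gs://oak-bins` and will fail as written.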