From ad8d10c6005b035b8dc1645579237ad197393688 Mon Sep 17 00:00:00 2001 From: Josh Armitage Date: Tue, 18 Apr 2023 09:35:32 +0800 Subject: [PATCH 1/3] Add SLSA3 provenance to FC builds --- .github/workflows/aws_cicd.yaml | 7 ++----- .github/workflows/cicd.yaml | 20 ++++++++++++++++++++ .github/workflows/gcp_cicd.yaml | 9 +++++---- .github/workflows/provenance.yaml | 25 +++++++++++++++++++++++++ 4 files changed, 52 insertions(+), 9 deletions(-) create mode 100644 .github/workflows/cicd.yaml create mode 100644 .github/workflows/provenance.yaml diff --git a/.github/workflows/aws_cicd.yaml b/.github/workflows/aws_cicd.yaml index 4a4380f..79e36e3 100644 --- a/.github/workflows/aws_cicd.yaml +++ b/.github/workflows/aws_cicd.yaml @@ -1,13 +1,10 @@ name: aws-cicd on: - push: - branches: - - main workflow_dispatch: - pull_request: + workflow_call: concurrency: group: "AWS" - # cancel-in-progress: true + cancel-in-progress: true jobs: deploy: name: AWS diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml new file mode 100644 index 0000000..5794b74 --- /dev/null +++ b/.github/workflows/cicd.yaml @@ -0,0 +1,20 @@ + +on: + push: + branches: + - main + pull_request: + branches: + - main + workflow_dispatch: + +jobs: + aws: + uses: ./.github/workflows/aws_cicd.yaml + + gcp: + uses: ./.github/workflows/gcp_cicd.yaml + + slsa: + uses: ./.github/workflows/provenance.yaml + needs: [aws, gcp] diff --git a/.github/workflows/gcp_cicd.yaml b/.github/workflows/gcp_cicd.yaml index 1d607c8..9e23e6b 100644 --- a/.github/workflows/gcp_cicd.yaml +++ b/.github/workflows/gcp_cicd.yaml @@ -1,10 +1,11 @@ +<<<<<<< HEAD name: gcp-cicd +======= +name: gcp +>>>>>>> b0b73b43 (Add SLSA3 provenance to FC builds) on: - push: - branches: - - main workflow_dispatch: - pull_request: + workflow_call: concurrency: group: "GCP" cancel-in-progress: true diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml new file mode 100644 index 0000000..2a7ab33 --- /dev/null 
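Review bot: `cancel-in-progress: true` is now live on the `AWS` concurrency group, so any newer push or pull-request event will abort an in-flight deploy job part-way through its apply; for a deployment job the usual choice is `cancel-in-progress: false` so runs queue instead of leaving partially-applied infrastructure behind. The same setting already stands as context in gcp_cicd.yaml, so if cancellation is deliberate both files deserve a comment such as `# safe to cancel: deploy is idempotent and re-run by the next event`. The `deploy` job continues outside the hunk.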
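Review bot: The `slsa` job in cicd.yaml calls provenance.yaml with no `permissions:` block, and a called workflow can only keep permissions the calling job already holds, so unless this repository's default `GITHUB_TOKEN` permissions are write-all, the `id-token: write` and `contents: write` that provenance.yaml's `provenance` job declares will not be available and the generator will fail. I would add a `permissions:` block to the `slsa` job granting `actions: read`, `id-token: write` and `contents: write`. The workflow also fires on `pull_request`, where `upload-assets: true` has no release to attach to and forked PRs receive no OIDC token; gating the job with `if: github.event_name != 'pull_request'` seems worth considering. Minor: the file opens with a blank line and has no top-level `name:`.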
+++ b/.github/workflows/provenance.yaml @@ -0,0 +1,25 @@ +on: + workflow_call: + +jobs: + build: + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + runs-on: ubuntu-latest + steps: + - name: Generate hashes + shell: bash + id: hash + run: | + make synth + echo "hashes=$(tar cf - infrastructure | sha256sum | base64 -w0)" >> "$GITHUB_OUTPUT" + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true From 2e5d7dadaf07d672f14040baa5d560112927ff2e Mon Sep 17 00:00:00 2001 From: Josh Armitage Date: Tue, 18 Apr 2023 10:04:18 +0800 Subject: [PATCH 2/3] Add SLSA3 provenance to FC builds --- .github/workflows/gcp_cicd.yaml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/gcp_cicd.yaml b/.github/workflows/gcp_cicd.yaml index 9e23e6b..e2871d0 100644 --- a/.github/workflows/gcp_cicd.yaml +++ b/.github/workflows/gcp_cicd.yaml @@ -1,8 +1,4 @@ -<<<<<<< HEAD name: gcp-cicd -======= -name: gcp ->>>>>>> b0b73b43 (Add SLSA3 provenance to FC builds) on: workflow_dispatch: workflow_call: From a82315d0c8957dd6e23c995dbf6307553a647f08 Mon Sep 17 00:00:00 2001 From: Josh Armitage Date: Tue, 18 Apr 2023 10:09:44 +0800 Subject: [PATCH 3/3] Add SLSA3 provenance to FC builds --- .github/workflows/cicd.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml index 5794b74..7501cf8 100644 --- a/.github/workflows/cicd.yaml +++ b/.github/workflows/cicd.yaml @@ -14,6 +14,7 @@ jobs: gcp: uses: ./.github/workflows/gcp_cicd.yaml + secrets: inherit slsa: uses: ./.github/workflows/provenance.yaml
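Review bot: The `build` job's only step runs `make synth`, but nothing checks the repository out first, so there is no Makefile on the runner and the step fails before any hash is produced; an `actions/checkout` step is needed ahead of `Generate hashes`. The subject line fed to the generator is also weak: `tar cf - infrastructure | sha256sum` names the subject `-` (stdin) rather than an artifact anyone can fetch, and the digest depends on tar's file ordering, mtimes and ownership fields, so it cannot be reproduced from the same sources. Writing a deterministic archive to a file, hashing that file and publishing it next to the attestation gives a verifier a subject it can actually match; as written, `upload-assets: true` uploads provenance for an artifact that exists nowhere. The `provenance` job is left as is.
```yaml
    steps:
      - uses: actions/checkout@v3
      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          make synth
          # fixed ordering, mtime and ownership so the digest is reproducible
          tar --sort=name --mtime='@0' --owner=0 --group=0 --numeric-owner \
            -cf infrastructure.tar infrastructure
          echo "hashes=$(sha256sum infrastructure.tar | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v3
        with:
          name: infrastructure.tar
          path: infrastructure.tar
  # … unchanged: provenance job …
```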
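Review bot: `secrets: inherit` is added only to the `gcp` job; the `aws` job above it (context, outside this hunk) still calls aws_cicd.yaml with no `secrets:` at all, so if that workflow reads repository secrets rather than relying on OIDC it will see them unset — either add the same line there or record why AWS needs none. `inherit` also forwards every repository and organisation secret to the called workflow; both targets are same-repo `./` workflows so the exposure is limited, but an explicit `secrets:` mapping of only what gcp_cicd.yaml uses would keep the grant minimal. The enclosing `jobs:` block continues outside the hunk.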