GuillaumeHemmen/docker-bench-security
1
0
Fork 0
mirror of https://github.com/docker/docker-bench-security.git synced 2025-01-18 16:22:33 +01:00
Code Issues Projects Releases Packages Wiki Activity

slsa gha

Browse source 
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
Thomas Sjögren 2023-03-13 15:52:27 +01:00
parent 41a44f54d3
commit faa0e88479
No known key found for this signature in database
1 changed files with 47 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
.github/workflows/slsa.yml vendored
View file

@ -1,41 +1,71 @@
--- ---
name: slsa name: SLSA
on: on:
push: push:
release: release:
permissions:
contents: write
types: [published, released] types: [published, released]
permissions:
contents: read
jobs: jobs:
build: build:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
shell: bash shell: bash
- name: checkout repository - name: Checkout repository
uses: actions/checkout@master uses: actions/checkout@master
- name: create checksum file - name: Build artifacts
run: find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256 run: |
find *.sh distros/* functions/* tests/* Dockerfile Vagrantfile -exec sha256sum {} \; > ${{ env.REPOSITORY_NAME }}.sha256
- name: upload artifact - name: Generate hashes
uses: actions/upload-artifact@v3 shell: bash
id: hash
run: |
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
with: with:
name: ${{ env.REPOSITORY_NAME }}.sha256
path: ${{ env.REPOSITORY_NAME }}.sha256 path: ${{ env.REPOSITORY_NAME }}.sha256
if-no-files-found: error
retention-days: 5
generate-provenance: provenance:
needs: build needs: [build]
name: generate build provenance permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
release:
needs: [build, provenance]
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
steps: steps:
- name: download build artifact - run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
uses: actions/download-artifact@v3 shell: bash
- name: generate provenance - name: Download ${{ env.REPOSITORY_NAME }}.sha256
uses: slsa-framework/github-actions-demo@v0.1 uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with: with:
artifact_path: artifact/ name: ${{ env.REPOSITORY_NAME }}.sha256
- name: upload provenance - name: Upload asset
uses: actions/upload-artifact@v3 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
with: with:
path: build.provenance files: |
${{ env.REPOSITORY_NAME }}.sha256