Update gcr.io/distroless/static Docker digest to 262ae33 #132
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: calculator-cli | |
| on: | |
| push: | |
| workflow_dispatch: | |
| permissions: {} | |
| env: | |
| SLSA_VERIFIER_VERSION: "2.4.1" | |
| jobs: | |
| build-calculator: | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| calculator-hash: ${{ steps.calculator-hash.outputs.calculator-hash }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Install syft & grype | |
| uses: ./.github/actions/install_syft_grype | |
| with: | |
| syftVersion: "0.98.0" | |
| grypeVersion: "0.73.3" | |
| - name: Build Calculator | |
| run: | | |
| make build-cli | |
| syft calculator \ | |
| -o spdx-json=calculator.spdx.json | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: calculator | |
| path: calculator | |
| - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: calculator.spdx.json | |
| path: calculator.spdx.json | |
| - name: Compute calculator hash | |
| id: calculator-hash | |
| run: | | |
| CALCULATOR_HASH=$(sha256sum calculator calculator.spdx.json | base64 -w0) | |
| echo calculator-hash=${CALCULATOR_HASH} >> $GITHUB_OUTPUT | |
| provenance: | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| needs: | |
| - build-calculator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 | |
| with: | |
| base64-subjects: "${{ needs.build-calculator.outputs.calculator-hash }}" | |
| provenance-name: calculator.intoto.jsonl | |
| provenance-verify: | |
| runs-on: ubuntu-22.04 | |
| needs: | |
| - build-calculator | |
| - provenance | |
| steps: | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Download provenance | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - name: Install slsa-verifier | |
| run: | | |
| curl -LO https://github.com/slsa-framework/slsa-verifier/releases/download/v${{ env.SLSA_VERIFIER_VERSION }}/slsa-verifier-linux-amd64 | |
| install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier | |
| - name: Verify provenance | |
| run: | | |
| slsa-verifier verify-artifact calculator \ | |
| --provenance-path calculator.intoto.jsonl \ | |
| --source-uri github.com/datosh-org/most-secure-calculator | |
| release: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| needs: | |
| - build-calculator | |
| - provenance | |
| if: startsWith(github.ref, 'refs/tags/v') | |
| steps: | |
| - name: Download calculator binary | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator | |
| - name: Download SBOM | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: calculator.spdx.json | |
| - name: Download provenance | |
| uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-name }} | |
| - name: Release | |
| uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
| with: | |
| draft: true | |
| artifacts: "calculator,calculator.spdx.json,calculator.intoto.jsonl" |