Adding an initial version of reusable workflow for chainloop.

[danlishka]

This is how the workflow is going to be used:

  chainloop:
    uses: chainloop-dev/labs/.github/workflows/chainloop.yml@main
    needs: validate-and-generate-reports
    secrets:
      token: ${{ secrets.CHAINLOOP_ROBOT_ACCOUNT }}
      signing_key: ${{ secrets.COSIGN_PRIVATE_KEY }}
      signing_key_password: ${{ secrets.COSIGN_PASSWORD }}

You will need to use upload-artifact action to share all metadata which you want to store in Chainloop.

      - uses: actions/upload-artifact@v3
        with:
          name: reports
          path: reports/*

Finally we expect the .chainloop/config.yml config file to provide information about metadata files to be stored. Example:

attestation:
  - name: sbom-cdx
    path: reports/sbom.cyclonedx.json
  - name: sbom-spdx
    path: reports/sbom.spdx.json
  - name: built-site
    path: reports/build.tar.gz

[migmartri]

Very cool!

Added some comments but approving it

[migmartri]

I might be more specific about what this is. what about workflow_robot_account ?

[danlishka]

I just wanted something shorter.

[migmartri]

these are github workflow runs artifact correct?

[danlishka]

Why not?

[migmartri]

Why do you think we need to have a chainloop directory?

I would potentially prefer just a .chainloop.yml file. That way it's similar to .goreleaser.yaml, .golangcilint.yaml, ...

[danlishka]

I was storing the contract, this config in this folder. I can change it