Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Adding an initial version of reusable workflow for chainloop. #1

Merged
merged 3 commits into from
Sep 28, 2023
Merged

Adding an initial version of reusable workflow for chainloop. #1

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
1e6c3cd
working on a reusable workflow
danlishka Sep 28, 2023
0cfd29e
some feedback from Miguel
danlishka Sep 28, 2023
a747f7c
working on a reusable workflow
danlishka Sep 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
84 changes: 84 additions & 0 deletions .github/workflows/chainloop.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,84 @@
name: Chainloop Metadata Collection and Attestation Process
on:
workflow_call:
inputs:
chainloop_version:
required: false
type: string
secrets:
api_token:
required: true
signing_key:
required: true
signing_key_password:
required: true

jobs:
chainloop-attestation:
name: Chainloop Attestation Process
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
sparse-checkout: |
.chainloop.yml

- uses: sigstore/cosign-installer@v3.1.1

- name: Install Chainloop CLI
run: |
if [ -n "${CHAINLOOP_VERSION}" ]; then
curl -sfL https://docs.chainloop.dev/install.sh | bash -s -- --version v${CHAINLOOP_VERSION}
else
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
fi

- name: Download all workflow run artifacts
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

these are github workflow runs artifact correct?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not?

uses: actions/download-artifact@v3

- name: Initialize Attestation
run: chainloop attestation init # --contract-revision 2

- name: Add all artifacts, reports, and metadata to attestation.
run: |
script=`cat .chainloop.yml | yq eval '.attestation[] | "chainloop attestation add --name " + .name + " --value " + .path + "; "'`
eval $script

- name: Chainloop Attestation Status
run: |
chainloop attestation status --full &> c8-status.txt

- name: Validate Collected Artifacts and Record Attestation
if: ${{ success() }}
run: |
chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY &> c8-push.txt
env:
CHAINLOOP_SIGNING_KEY: ${{ secrets.signing_key }}
CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.signing_key_password }}

- name: Generate a summary report
run: |
digest=`cat c8-push.txt| grep " Digest: " | awk -F\ '{print $3}'`
echo -e "## Great job!\nYou are making SecOps and Compliance teams really happy. Keep up the good work!\n" >> $GITHUB_STEP_SUMMARY
echo "**[Chainloop Trust Report](https://app.chainloop.dev/attestation/${digest})**" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
cat c8-status.txt >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY

- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset

- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation

env:
CHAINLOOP_VERSION: ${{ inputs.chainloop_version }}
CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.api_token }}