labs/.github/workflows/chainloop.yml at main · chainloop-dev/labs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: Chainloop Attestation Process
on:
  workflow_call:
    inputs:
      chainloop_version:
        required: false
        type: string
      contract_revision:
        required: false
        type: string
      attestation_name:
        required: false
        type: string
      chainloop_labs_branch:
        required: false
        type: string
        default: main
      workflow_name:
        required: false
        type: string
      project_name:
        required: false
        type: string
    secrets:
      api_token:
        required: true
      signing_key:
        required: true
      signing_key_password:
        required: true

jobs:
  chainloop-attestation:
    name: Chainloop Attestation Process
    runs-on: ubuntu-latest

    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          sparse-checkout: |
            .chainloop.yml

      - name: Install Chainloop CLI, Labs and Cosign
        run: |
          # TODO: add checksum verification
          curl -o c8l https://raw.githubusercontent.com/chainloop-dev/labs/${{ inputs.chainloop_labs_branch }}/tools/c8l
          chmod +x c8l; source <(./c8l source)
          chainloop_bin_install c8l
          chainloop_install chainloop_cli cosign

      # Download all artifacts and metadata created in previous jobs/steps
      # to make them available to the attestation process.
      - name: Download all workflow run artifacts
        uses: actions/download-artifact@v4

      - name: Initialize Attestation
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop_attestation_init
          echo "CHAINLOOP_ATTESTATION_ID=${CHAINLOOP_ATTESTATION_ID}" >> "$GITHUB_ENV"

      # - name: logs
      #   run: source <(/usr/local/bin/chainloop_bin/c8l source) && chainloop_collect_logs_for_github_jobs
      #   env:
      #     GH_TOKEN: ${{ github.token }}

      # Collect all artifacts, reports, and metadata
      # based on the configuration in .chainloop.yml
      - name: Add all artifacts, reports, and metadata to attestation.
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop_attestation_add_from_yaml ${{ inputs.attestation_name }}

      - name: Chainloop Attestation Status
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop_attestation_status

      - name: Validate Collected Artifacts and Record Attestation
        if: ${{ success() }}
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop_attestation_push
        env:
          CHAINLOOP_SIGNING_KEY: ${{ secrets.signing_key }}
          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.signing_key_password }}

      - name: Generate a summary report
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop_generate_github_summary

      - name: Mark attestation as failed
        if: ${{ failure() }}
        run: |
          source <(/usr/local/bin/chainloop_bin/c8l source)
          chainloop attestation reset
          chainloop_generate_github_summary_on_failure

      - name: Mark attestation as cancelled
        if: ${{ cancelled() }}
        run: |
          chainloop attestation reset --trigger cancellation

    env:
      CHAINLOOP_VERSION: ${{ inputs.chainloop_version }}
      CHAINLOOP_TOKEN: ${{ secrets.api_token }}
      CHAINLOOP_CONTRACT_REVISION: ${{ inputs.contract_revision }}
      CHAINLOOP_WORKFLOW_NAME: ${{ inputs.workflow_name }}
      CHAINLOOP_PROJECT_NAME: ${{ inputs.project_name }}