Try out new provenance workflow - DO NOT MERGE #9504
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Builddddd SLSA3 Provenances | ||
| # See https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#example-using-concurrency-to-cancel-any-in-progress-job-or-run | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | ||
| cancel-in-progress: true | ||
| on: | ||
| push: | ||
| branches: [main] | ||
| # This workflow builds several binaries and is very time and resource consuming. As a result it | ||
| # is disabled by default on pull-request events. If you need to test this workflow on your PR | ||
| # before merge, label it with `provenance:force-run` to trigger the workflow. | ||
| pull_request: | ||
| branches: [main] | ||
| jobs: | ||
| build_binary: | ||
| if: | | ||
| github.event_name == 'push' || | ||
| contains(github.event.pull_request.labels.*.name, 'provenance:force-run') | ||
| # We use the same job template to generate provenances for multiple binaries. | ||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| buildconfig: | ||
| - buildconfigs/key_xor_test_app.toml | ||
| - buildconfigs/oak_containers_kernel.toml | ||
| - buildconfigs/oak_containers_orchestrator.toml | ||
| - buildconfigs/oak_containers_stage1.toml | ||
| - buildconfigs/oak_containers_syslogd.toml | ||
| - buildconfigs/oak_containers_system_image.toml | ||
| - buildconfigs/oak_echo_enclave_app.toml | ||
| - buildconfigs/oak_echo_raw_enclave_app.toml | ||
| - buildconfigs/oak_functions_enclave_app.toml | ||
| - buildconfigs/oak_functions_insecure_enclave_app.toml | ||
| - buildconfigs/oak_restricted_kernel_simple_io_init_rd_wrapper_bin.toml | ||
| - buildconfigs/stage0_bin.toml | ||
| - buildconfigs/oak_orchestrator.toml | ||
| permissions: | ||
| actions: read | ||
| id-token: write | ||
| # Allow the job to update the repo with the latest provenance info and index. | ||
| contents: write | ||
| # Allow the job to add a comment to the PR. | ||
| pull-requests: write | ||
| uses: ./.github/workflows/reusable_provenance2.yaml | ||
|
Check failure on line 49 in .github/workflows/provenance.yaml
|
||
| with: | ||
| build-config-path: ${{ matrix.buildconfig }} | ||
| # Key pair generated with `ent keygen`, under which Ent tags are published. | ||
| # The secret key is stored in the repo secrets page: https://github.com/project-oak/oak/settings/secrets/actions | ||
| # The public key is stored in the repo variables page: https://github.com/project-oak/oak/settings/variables/actions | ||
| ent-public-key: ${{ vars.ENT_PUBLIC_KEY }} | ||
| secrets: | ||
| ENT_API_KEY: ${{ secrets.ENT_API_KEY }} | ||
| # Secret key corresponding to `ent-public-key` above, used to sign Ent tags. | ||
| ENT_SECRET_KEY: ${{ secrets.ENT_SECRET_KEY }} | ||
| GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }} | ||
