From bd1cb41e3ef7e6c87843430bad3b2db27f604041 Mon Sep 17 00:00:00 2001 From: saisatishkarra Date: Sun, 5 May 2024 17:15:47 -0700 Subject: [PATCH] wip(slsa): test nodejs provenance builder --- .DS_Store | Bin 0 -> 6148 bytes .github/workflows/build.yml | 92 ++++++++++++++++++++++++++++++++++-- src/.DS_Store | Bin 0 -> 6148 bytes 3 files changed, 88 insertions(+), 4 deletions(-) create mode 100644 .DS_Store create mode 100644 src/.DS_Store diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..854000085e554ffed4e34eabc305c63f5d871652 GIT binary patch literal 6148 zcmeHKy-ve05I(mNRIqeFz=Grj28N0b2*yx_2SA;XP+HU?QBqOLN;Y1E5%CTnBnIAr zje&Py;5*xGY(g0Up*zX`lKaVb{o2?y5vkU=+a#(JQ4NDJTEO&$ahylVD$cV6RQ!z7 zUbEfF2E$UOI79(a;4dn`?`}j5>d^^Z1n=+i!Mz_FWJ!{qW+{BN%G=KRjegt<7kTWbTT_D=*O&ohV7C@)S-;JbR71h z8m=EN!|&(iIp`euc8*p_#UpX4^Z84qLFDrmOo2|BJQD#v<6c7cb3h?@%F&JZq zxka;dU@}JlU<9`@T${ZFsM!IG9p)C{fhk)Gw57@&F_bNbU%R~6VQ$fulQPVBj$>Bt zgrW>P{Mw|GiY>}43Wx%s0#$ok=ly?w_W3_7k~>jA6!=#Ps3>VCEqo-mx0XH}@3k7^ r2!oCDa*L(}liQBX1#iWx7{(COd;yFd<`&_B$sYkDgG{2pk1Fs13x1Y} literal 0 HcmV?d00001 diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 0d9704cab..90be8e9a3 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,21 +11,56 @@ on: workflow_dispatch: jobs: + check: + runs-on: ubuntu-latest + outputs: + supported_node_runtimes: ${{steps.metadata.outputs.supported_node_runtimes}} + legacy_node_runtimes: ${{steps.metadata.outputs.legacy_node_runtimes}} + all_node_runtimes: ${{steps.metadata.outputs.all_node_runtimes}} + steps: + - name: Checkout branch + uses: actions/checkout@v3 + with: + path: ${{ github.repository }} + + # Perform SCA analysis for the code repository + # Produces SBOM and CVE report + # Helps understand vulnerabilities / license compliance across third party dependencies + - id: sca-project + uses: Kong/public-shared-actions/security-actions/sca@2f02738ecb1670f01391162e43fe3f5d4e7942a1 # v2.2.2 + with: + dir: ${{ github.repository }} + upload-sbom-release-assets: true + + - id: metadata + run: | + supported_node_runtimes='{"version": [${{env.supported_node_runtimes}}]}' > GITHUB_OUTPUT + legacy_node_runtimes='{"version":[${{env.legacy_node_runtimes}}]}' > GITHUB_OUTPUT + all_node_runtimes='{"version": [${{env.supported_node_runtimes}}, ${{env.legacy_node_runtimes}}]}' > GITHUB_OUTPUT + + cat $GITHUB_OUTPUT + env: + supported_node_runtimes: '"20"' # Command separated Double qouted strings eclosed in single qouted string + legacy_node_runtimes: '"16","18"' + + # The build job is still needed to support building on pull_request for supported and legacy node runtimes + # The provenance job uses slsa nodejs builder and doesn't support pull_request event build: + needs: [check] + name: Build - ${{matrix.node-version}} runs-on: ubuntu-latest strategy: fail-fast: false - matrix: - node-version: [16, 18, 20] + matrix: "${{fromJson(needs.check.outputs.all_node_runtimes)}}" steps: - name: Checkout branch uses: actions/checkout@v3 - + with: + path: ${{ github.repository }} - name: Setup Node uses: actions/setup-node@v3 with: node-version: ${{ matrix.node-version }} - - name: Install run: npm ci @@ -37,3 +72,52 @@ jobs: - name: Build run: npm run build + + ## Build and Generate provenance using slsa nodejs builder only for supported Node runtime + provenance: + needs: [check, build] + permissions: + id-token: write # For signing + contents: read # For repo checkout. + actions: read # For getting workflow run info. + if: > + github.event_name != 'pull_request' + # github.repository_owner == 'Kong' + # && + + # && github.ref_type == 'tag' || github.event_name == 'push' + strategy: + matrix: "${{ fromJson(needs.check.outputs.supported_node_runtimes)}}" + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.0.0 + with: + run-scripts: 'ci, test, lint, build' + node-version: ${{matrix.node-version}} # Only for supported runtime + + publish: + needs: [build, provenance] + runs-on: ubuntu-latest + steps: + - run: | + echo "PACKAGE_NAME=${{ needs.build.outputs.package-name }}" + echo "PACKAGE_DOWNLOAD_NAME=${{ needs.build.outputs.package-download-name }}" + echo "PACKAGE_DOWNLOAD_SHA256=${{ needs.build.outputs.package-download-sha256 }}" + echo "PROVEANACE_NAME=${{ needs.build.outputs.provenance-name }}" + echo "PROVEANACE_DOWNLOAD_NAME=${{ needs.build.outputs.provenance-download-name }}" + echo "PROVEANACE_DOWNLOAD_SHA256=${{ needs.build.outputs.provenance-download-sha256 }}" + + # - name: Set up Node registry authentication + # uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + # with: + # registry-url: "https://registry.npmjs.org" + # - name: publish + # id: publish + # uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@v2.0.0 + # with: + # access: public + # node-auth-token: ${{ secrets.NPM_TOKEN }} + # package-name: ${{ needs.build.outputs.package-name }} + # package-download-name: ${{ needs.build.outputs.package-download-name }} + # package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }} + # provenance-name: ${{ needs.build.outputs.provenance-name }} + # provenance-download-name: ${{ needs.build.outputs.provenance-download-name }} + # provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }} diff --git a/src/.DS_Store b/src/.DS_Store new file mode 100644 index 0000000000000000000000000000000000000000..96aa2cb5536d858cb2f7a0176ece0c312e30448d GIT binary patch literal 6148 zcmeHKu};G<5IvWo7QxVw(F+q|=)@YT@C6xQETzyQrAjEN#F&p@W#b26Wo6+nK>P^r zd?rboR6-00p*!jPEa#p5@)E@{5t+ea+$ZW0Q5VVB+CtM1e4VovEkCjYG;WRs&FO+} z;z>WMv31}tI>67aOP6#-x0F%k`JE@TR0P|*CeADg!%>`!_}cyT{@#OqIcnyOzr{OECV9)00ZVPIw4yXg_K;Zy? zA1snF@R$p_PX`)z1OT=%>;ip0OK^?#7WA>AJD|Htdk|7C&p)B$zi-#K8~VH6H4b+;RsPc+3Scg3uoUXM;BCz^^*+2{(jsVgLXD literal 0 HcmV?d00001