Add e2e test workflow

Signed-off-by: Marcela Melara <[email protected]>
in-toto · Oct 31, 2023 · ed74e18 · ed74e18
1 parent 93cf7b3
commit ed74e18
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 12 deletions.
diff --git a/.github/actions/scai-gen-assert/action.yml b/.github/actions/scai-gen-assert/action.yml
@@ -4,21 +4,24 @@ inputs:
   attribute:
     description: "The attribute being asserted"
     required: true
-    type: string
   evidence-file:
-    description: "The file containing the evidence. This action assumes the evidence was an artifact uploaded during a previous step."
+    description: "The file containing the evidence. This action assumes the evidence was an artifact uploaded during a previous step, unless otherwise specified."
     required: true
-    type: string
   evidence-type:
     description: "The media type of the evidence"
     required: optional
     default: "application/json"
-    type: string
+  download-evidence:
+    description: "Flag to download the evidence artifact"
+    required: false
+    default: 'true'
   assertion-name:
     description: "The artifact name of the unsigned SCAI AttributeAssertion. The file must have the .json extension. Defaults to <attribute>-assert.json when not specified."
     required: false
     default: "scai-assertion.json"
-    type: string
+  path:
+    description: "The path to save the generated assertion"
+    default: "$GITHUB_WORKSPACE/temp"
 outputs:
   assertion-name:
     description: "Filename of the generated AttributeAssertion"
@@ -29,6 +32,7 @@ runs:
   steps:
     - name: Get the evidence artifact
       id: get-evidence
+      if: ${{ inputs.download-evidence == 'true' }}
       uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
       with:
         name: "${{ inputs.evidence-file }}"
@@ -39,12 +43,12 @@ runs:
       with:
         name: "${{ inputs.evidence-file }}"
         media-type: "${{ inputs.evidence-type }}"
-        path: "${{ steps.get-evidence.outputs.download-path }}"
         rd-name: "${{ inputs.evidence-file }}-desc.json"
 
     - name: Run scai-gen assert
       id: scai-gen-assert
       shell: bash
       run: |
-        scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ steps.get-evidence.outputs.download-path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}}
-        echo "assertion-name=${{ steps.get-evidence.outputs.download-path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT"
+        mkdir -p ${{ inputs.path }}
+        scai-gen assert -e ${{ steps.gen-rd.outputs.file-rd-name }} -o ${{ inputs.path }}/${{ inputs.assertion-name }} ${{ inputs.attribute}}
+        echo "assertion-name=${{ inputs.path }}/${{ inputs.assertion-name }}" >> "$GITHUB_OUTPUT"
diff --git a/.github/actions/scai-gen-report/action.yml b/.github/actions/scai-gen-report/action.yml
@@ -32,14 +32,13 @@ runs:
       run: |
         mkdir -p ${{ inputs.report-path }}
         scai-gen report -s ${{ inputs.subject }} -o ${{ inputs.report-path }}/${{ inputs.report-name }} ${{ inputs.attr-assertions }}
-        scai-gen sigstore -o ${{ inputs.report-path }}/signed.${{ inputs.report-name }} ${{ inputs.report-path }}/${{ inputs.report-name }}
-        echo "report-name=${{ inputs.report-path }}/signed.${{ inputs.report-name }}" >> "$GITHUB_OUTPUT"
+        echo "report-name=${{ inputs.report-path }}/${{ inputs.report-name }}" >> "$GITHUB_OUTPUT"
         ls ${{ inputs.report-path }}
 
     - name: Upload the signed SCAI AttributeReport
       id: upload-assert
       uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
-        name: signed.${{ inputs.report-name }}
+        name: ${{ inputs.report-name }}
         path: ${{ steps.scai-gen-report.outputs.report-name }}
         retention-days: 15
diff --git a/.github/workflows/test-e2e-flow.yml b/.github/workflows/test-e2e-flow.yml
@@ -0,0 +1,78 @@
+name: Test composite actions on SBOM+SLSA example
+on:
+  push:
+    branch:
+      - main
+    paths:
+      - "scai-gen/**"
+  # Want to trigger these tests whenever the Go CLI or
+  # APIs are modified
+  pull_request:
+    paths:
+      - "scai-gen/**"
+
+jobs:
+  sbom-slsa-ex:
+    runs-on: ubuntu-22.04
+    permissions:
+      id-token: write # Needed to sign
+    steps:
+      - name: Install Go
+        uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe
+        with:
+          go-version: 1.20.x
+
+      - name: Checkout updated scai-gen CLI tools
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      - name: Setup Env
+        run: |
+          echo "$(go env GOPATH)/bin" >> $GITHUB_PATH
+
+      - name: Install scai-gen CLI tools
+        shell: bash
+        run: |
+          go install ./scai-gen
+          mkdir -p temp
+
+      - name: Generate SBOM SCAI AttributeAssertion
+        id: gen-sbom-assert
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-assert@add-scai-reusable-workflows
+        with:
+          attribute: "HasSBOM"
+          evidence-file: "examples/sbom+slsa/metadata/pdo_client_wawaka.spdx.json"
+          evidence-type: "application/json"
+          download-evidence: false
+          assertion-name: "hassbom-assertion.json"
+
+      - name: Generate SLSA Provenance SCAI AttributeAssertion
+        id: gen-slsa-assert
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-assert@add-scai-reusable-workflows
+        with:
+          attribute: "HasSLSA"
+          evidence-file: "examples/sbom+slsa/metadata/pdo_client_wawaka.provenance.json"
+          evidence-type: "application/vnd.in-toto.provenance+dsse"
+          download-evidence: false
+          assertion-name: "hasslsa-assertion.json"
+
+      - name: Generate SCAI AttributeReport
+        id: gen-sbom-slsa-report
+        uses: marcelamelara/scai-demos/.github/actions/scai-gen-report@add-scai-reusable-workflows
+        with:
+          subject: "examples/sbom+slsa/metadata/container-img-desc.json"
+          attr-assertions: "${{ steps.gen-sbom-assert.outputs.assertion-name }} ${{ steps.gen-slsa-assert.outputs.assertion-name }}"
+          report-name: "evidence-collection.scai.json"
+
+      - name: Sign and upload generated SCAI report (Sigstore)
+        id: sign-report
+        shell: bash
+        run: |
+          scai-gen sigstore -o ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig ${{ steps.gen-sbom-slsa-report.outputs.report-name }}
+
+      - name: Upload the signed SCAI AttributeReport
+        id: upload-signed-report
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: ${{ steps.gen-sbom-slsa-report.inputs.report-name }}.sig
+          path: ${{ steps.gen-sbom-slsa-report.outputs.report-name }}.sig
+          retention-days: 15
diff --git a/scai-gen/cmd/sigstore.go b/scai-gen/cmd/sigstore.go
@@ -70,7 +70,9 @@ func getNewFulcioSigner(ctx context.Context) (*fulcio.Signer, error) {
 	return fulcio.NewSigner(ctx, ko, sv)
 }
 
-func signWithSigstore(_ *cobra.Command, args []string) error {	
+func signWithSigstore(_ *cobra.Command, args []string) error {
+	fmt.Println("EXPERIMENTAL FEATURE. DO NOT USE IN PRODUCTION.")
+
 	statementFile := args[0]
 	statement := &ita.Statement{}
 	err := fileio.ReadPbFromFile(statementFile, statement)