Skip to content

Add sigstore CLI flags --staging and --identity-token #588

Add sigstore CLI flags --staging and --identity-token

Add sigstore CLI flags --staging and --identity-token #588

Workflow file for this run

# Copyright 2024 The Sigstore Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: SLSA for ML models example
on:
workflow_dispatch:
inputs:
model_type:
description: Name of the model (implies framework)
required: true
type: choice
options:
- tensorflow_model.keras
- tensorflow_hdf5_model.h5
- tensorflow_hdf5.weights.h5
- pytorch_model.pth
- pytorch_full_model.pth
- pytorch_jitted_model.pt
pull_request:
branches: [main]
types: [opened, synchronize]
paths-ignore:
- '**/*.md'
- '*.md'
permissions: read-all
defaults:
run:
shell: bash
jobs:
train:
name: Train model
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest] ## , macos-latest, windows-latest]
include:
#- os: macos-latest
# os_family: Darwin
- os: ubuntu-latest
os_family: Linux
#- os: windows-latest
# os_family: Windows
outputs:
hash-ubuntu-latest: ${{ steps.hash.outputs.hash-ubuntu-latest }}
# hash-macos-latest: ${{ steps.hash.outputs.hash-macos-latest }}
# hash-windows-latest: ${{ steps.hash.outputs.hash-windows-latest }}
steps:
- run: git config --global core.autocrlf input
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version: 3.11
cache: pip
cache-dependency-path: slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
- name: Install dependencies
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
python -m pip install --require-hashes -r slsa_for_models/install/requirements_${{ matrix.os_family }}.txt
- name: Build model
env:
MODEL_TYPE: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
run: |
set -exuo pipefail
python -m venv venv
.github/workflows/scripts/venv_activate.sh
python slsa_for_models/main.py "$MODEL_TYPE"
- uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
path: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
name: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}_${{ matrix.os_family }}
if-no-files-found: error
- id: hash
env:
MODEL: ${{ github.event.inputs.model_type || 'pytorch_jitted_model.pt' }}
run: |
set -euo pipefail
(sha256sum -t "$MODEL" || shasum -a 256 "$MODEL") > checksum
echo "hash-${{ matrix.os }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
provenance:
# TODO(mihaimaruseac): Don't run on pull requests for now
if: ${{ github.event_name != 'pull_request' }}
needs: [train]
strategy:
fail-fast: false # Don't cancel other jobs if one fails
matrix:
os: [ubuntu-latest] #, macos-latest, windows-latest]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.train.outputs[format('hash-{0}', matrix.os)] }}"
upload-assets: true # NOTE: This does nothing unless 'upload-tag-name' parameter is also set to an existing tag