.github/workflows/e2e.generic.tag.main.assets.slsa3.yml

.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml #30000

Workflow file for this run

.github/workflows/e2e.generic.tag.main.assets.slsa3.yml at 9604a10

	on:
	schedule:
	- cron: "0 2 * * *"
	workflow_dispatch:
	push:
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else

	permissions: read-all

	concurrency: "e2e.generic.tag.main.assets.slsa3"

	env:
	GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
	ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
	DEFAULT_VERSION: v18.0.0

	jobs:
	release:
	runs-on: ubuntu-latest
	if: github.event_name == 'schedule' \|\| github.event_name == 'workflow_dispatch'
	permissions:
	contents: write
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- id: create
	run: ./.github/workflows/scripts/e2e-create-release.sh

	shim:
	runs-on: ubuntu-latest
	if: github.event_name == 'push' && github.ref_type == 'tag'
	outputs:
	continue: ${{ steps.verify.outputs.continue }}
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- id: verify
	run: ./.github/workflows/scripts/e2e-verify-release.sh

	build:
	runs-on: ubuntu-latest
	needs: [shim]
	if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
	outputs:
	binary-name: ${{ steps.build.outputs.binary-name }}
	digest: ${{ steps.hash.outputs.digest }}
	steps:
	- name: Checkout code
	uses: actions/checkout@v4
	- name: Setup Bazelisk
	uses: bazelbuild/setup-bazelisk@b39c379c82683a5f25d34f0d062761f62693e0b2 # v3.0.0
	with:
	bazelisk-version: "1.11"
	- name: Build artifact
	id: build
	run: \|
	bazelisk build //:hello
	cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root
	echo "binary-name=hello" >> "${GITHUB_OUTPUT}"
	- name: Upload binary
	uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
	with:
	name: ${{ steps.build.outputs.binary-name }}
	path: ${{ steps.build.outputs.binary-name }}
	if-no-files-found: error
	retention-days: 5
	- name: Generate hash
	shell: bash
	id: hash
	env:
	BINARY_NAME: ${{ steps.build.outputs.binary-name }}
	run: \|
	set -euo pipefail
	echo "digest=$(sha256sum "$BINARY_NAME" \| base64 -w0)" >> "${GITHUB_OUTPUT}"

	provenance:
	needs: [shim, build]
	if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
	permissions:
	id-token: write # For signing.
	contents: write # For asset uploads.
	actions: read # For the entrypoint.
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
	with:
	base64-subjects: "${{ needs.build.outputs.digest }}"
	compile-generator: true
	upload-assets: true

	verify:
	runs-on: ubuntu-latest
	needs: [shim, build, provenance]
	if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
	with:
	name: ${{ needs.build.outputs.binary-name }}
	- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
	with:
	name: ${{ needs.provenance.outputs.provenance-name }}
	- uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
	with:
	go-version: "1.24"
	- env:
	BINARY: ${{ needs.build.outputs.binary-name }}
	PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
	run: ./.github/workflows/scripts/e2e.generic.default.verify.sh

	if-succeeded:
	runs-on: ubuntu-latest
	needs: [shim, build, provenance, verify]
	if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- run: ./.github/workflows/scripts/e2e-report-success.sh

	if-failed:
	runs-on: ubuntu-latest
	needs: [shim, build, provenance, verify]
	if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' \|\| needs.provenance.result == 'failure' \|\| needs.verify.result == 'failure')
	steps:
	- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	- run: ./.github/workflows/scripts/e2e-report-failure.sh

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml #30000

Workflow file

.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml #30000

Uh oh!

Jobs

Run details

Workflow file for this run