New workflow to build SRP report (#2622)

* New workflow for SRP report Signed-off-by: Fran Mulero <fmulero@vmware.com> * Fix typo Signed-off-by: Fran Mulero <fmulero@vmware.com> * Fix permissions and configuration Signed-off-by: Fran Mulero <fmulero@vmware.com> * Uncomment submit step Signed-off-by: Fran Mulero <fmulero@vmware.com> * Apply suggestions Signed-off-by: Fran Mulero <fmulero@vmware.com>
2022-08-09 15:46:17 +02:00 · 2022-08-09 15:46:17 +02:00 · b166e9499e
parent a00f602c9c
commit b166e9499e
1 changed files with 45 additions and 0 deletions
--- a/.github/workflows/srp-report.yml
+++ b/.github/workflows/srp-report.yml
@ -0,0 +1,45 @@
+name: '[SRP] Secure Release Pipeline Report'
+on:
+  schedule:
+    - cron: '0 7 * * *'
+  workflow_dispatch:
+
+env:
+  BAC_SRP_ENDPOINT: https://apigw.vmware.com/v1/s1/api/helix-beta
+  BAC_SRP_CLIENT_ID: ${{ secrets.BAC_SRP_CLIENT_ID }}
+  BAC_SRP_CLIENT_SECRET: ${{ secrets.BAC_SRP_CLIENT_ID }}
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    steps:
+      - id: install-tool
+        name: Install and configure SRP Tool
+        run: |
+          curl -SsLfo /tmp/srp-cli.tgz https://srp-cli.s3.amazonaws.com/srp-cli-latest.tgz
+          sudo tar xf /tmp/srp-cli.tgz -C /usr/local/bin/
+          srp config --srp-endpoint ${BAC_SRP_ENDPOINT}
+          srp config auth --client-id=${BAC_SRP_CLIENT_ID} --client-secret=${BAC_SRP_CLIENT_SECRET}
+      - uses: actions/checkout@v3
+        name: Checkout Repository
+        with:
+          # No full history required
+          fetch-depth: 1
+          submodules: true
+      - id: build-report
+        name: Build SRP report
+        run: |
+          export SRP_UID="uid.obj.build.github(instance='github.com',namespace='${GITHUB_REPOSITORY}',ref='${GITHUB_REF}',action='${GITHUB_ACTION}',build_id='${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}')"
+          srp provenance source --verbose --scm-type git \
+            --name "bac-containers" --path . --saveto ./source-provenance.json \
+            --comp-uid "${SRP_UID}" --build-number "${GITHUB_RUN_ID}" \
+            --version "1.0" --all-ephemeral true --build-type release
+      - name: Archive SRP report
+        uses: actions/upload-artifact@v3
+        with:
+          name: source-provenance
+          path: source-provenance.json
+      - id: submit-report
+        name: Submit SRP report
+        run: |
+          srp metadata submit --path ./source-provenance.json