|
| 1 | +name: "Preare docker evidence with prepare API example" |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + |
| 6 | +permissions: |
| 7 | + id-token: write |
| 8 | + contents: read |
| 9 | + actions: read |
| 10 | + |
| 11 | +jobs: |
| 12 | + prepare-docker-evidence-example: |
| 13 | + runs-on: ubuntu-latest |
| 14 | + env: |
| 15 | + DOCKER_REPO: 'test-docker-local' |
| 16 | + IMAGE_NAME: 'my-very-cool-image' |
| 17 | + IMAGE_TAG: '40' |
| 18 | + steps: |
| 19 | + - name: Call the prepare API |
| 20 | + run: | |
| 21 | + DOCKER_REPO=${{ env.DOCKER_REPO }} |
| 22 | + IMAGE_NAME=${{ env.IMAGE_NAME }} |
| 23 | + IMAGE_TAG=${{ env.IMAGE_TAG }} |
| 24 | + [ "$DOCKER_REPO" == "" ] && echo "Missing env.DOCKER_REPO" && exit 1 |
| 25 | + [ "$IMAGE_NAME" == "" ] && echo "Missing env.IMAGE_NAME" && exit 1 |
| 26 | + [ "$IMAGE_TAG" == "" ] && echo "Missing env.IMAGE_TAG" && exit 1 |
| 27 | + REQUEST=$(cat << EOF |
| 28 | + { |
| 29 | + "subject" { |
| 30 | + "subject_type": "package", |
| 31 | + "package_repo": "${{ env.DOCKER_REPO }}", |
| 32 | + "package_name": "${{ env.IMAGE_NAME }}", |
| 33 | + "package_version": "${{ env.IMAGE_TAG }}" |
| 34 | + }, |
| 35 | + "predicate": { |
| 36 | + "statement": "This docker image is great." |
| 37 | + }, |
| 38 | + "predicate_type": "https://example.com/evidence/statement/v1" |
| 39 | + } |
| 40 | + EOF |
| 41 | + ) |
| 42 | + echo "Request: $REQUEST" |
| 43 | + URL="${{ vars.ARTIFACTORY_URL }}/evidence/api/v1/evidence/prepare" |
| 44 | + echo "URL: $URL" |
| 45 | + [ "${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" == "" ] && echo "secrets.ARTIFACTORY_ACCESS_TOKEN is empty!" && exit 1 |
| 46 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d "REQUEST" -o response.json "$URL" |
| 47 | + echo "Response: $(cat response.json)" |
| 48 | + # Make sure it is valid response |
| 49 | + cat response.json | grep "dsse_payload" |
| 50 | + - name: Sign the payload |
| 51 | + run: | |
| 52 | + BASE64_PAYLOAD=$(cat response.json | jq .dsse_payload | tr -d '"') |
| 53 | + echo "Base64 payload: $BASE64_PAYLOAD" |
| 54 | + PAYLOAD=$(echo -n "$BASE64_PAYLOAD" | base64 -d) |
| 55 | + echo "Payload: $PAYLOAD" |
| 56 | + PAYLOAD_TYPE=$(cat response.json | jq .dsse_payload_type | tr -d '"') |
| 57 | + echo "Payload type: $PAYLOAD_TYPE" |
| 58 | + PAYLOAD_LEN="${#PAYLOAD}" |
| 59 | + PAYLOAD_TYPE_LEN="${#PAYLOAD_TYPE}" |
| 60 | + PRE_AUTH_ENC="DSSEv1 $PAYLOAD_TYPE_LEN $PAYLOAD_TYPE $PAYLOAD_LEN $PAYLOAD" |
| 61 | + echo "Pre-authentication encoding: $PRE_AUTH_ENC" |
| 62 | + PAYLOAD_SIGNATURE=$(echo -n "$PRE_AUTH_ENC" | openssl dgst -sha256 -sign "${{ secrets.JIRA_TEST_PKEY }}" | openssl base64 | tr -d '\n') |
| 63 | + echo "Signature: $PAYLOAD_SIGNATURE" |
| 64 | + echo -n "$PAYLOAD_SIGNATURE" > signature_file |
| 65 | + - name: Build the DSSE |
| 66 | + run: | |
| 67 | + DSSE=$(cat << EOF |
| 68 | + { |
| 69 | + "payloadType": $(cat response.json | jq .dsse_payload_type), |
| 70 | + "payload": $(cat response.json | jq .dsse_payload), |
| 71 | + "sinatures": [ |
| 72 | + { |
| 73 | + "keyid": "${{ vars.JIRA_TEST_KEY }}", |
| 74 | + "sig": "$(cat signature_file)" |
| 75 | + } |
| 76 | + ] |
| 77 | + } |
| 78 | + EOF |
| 79 | + ) |
| 80 | + echo "DSSE: $DSSE" |
| 81 | + echo -n "$DSSE" > dsse.json |
| 82 | + - name: Create the evidence |
| 83 | + run: | |
| 84 | + POST_URL=$(cat response.json | jq .post_url | tr -d '"') |
| 85 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d @dsse.json "${{ vars.ARTIFACTORY_URL }}$POST_URL" |
| 86 | +
|
| 87 | +
|
0 commit comments