|
| 1 | +name: "Preare docker evidence example" |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + |
| 6 | +permissions: |
| 7 | + id-token: write |
| 8 | + contents: read |
| 9 | + actions: read |
| 10 | + |
| 11 | +jobs: |
| 12 | + prepare-docker-evidence-example: |
| 13 | + runs-on: ubuntu-latest |
| 14 | + steps: |
| 15 | + - name: Call the prepare API |
| 16 | + run: | |
| 17 | + read -r -d '' REQUEST << EOF |
| 18 | + { |
| 19 | + "subject" { |
| 20 | + "subject_type": "package", |
| 21 | + "package_repo": "${{ env.DOCKER_REPO }}", |
| 22 | + "package_name": "${{ env.IMAGE_NAME }}", |
| 23 | + "package_version": "${{ env.IMAGE_TAG }}" |
| 24 | + }, |
| 25 | + "predicate": { |
| 26 | + "statement": "This docker image is great." |
| 27 | + }, |
| 28 | + "predicate_type": "https://example.com/evidence/statement/v1" |
| 29 | + } |
| 30 | + EOF |
| 31 | + echo "Request: $REQUEST" |
| 32 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d "REQUEST" -o response.json "${{ vars.ARTIFACTORY_URL }}/evidence/api/v1/evidence/prepare" |
| 33 | + echo "Response: $(cat response.json)" |
| 34 | + - name: Sign the payload |
| 35 | + run: | |
| 36 | + BASE64_PAYLOAD=$(cat response.json | jq .dsse_payload | tr -d '"') |
| 37 | + echo "Base64 payload: $BASE64_PAYLOAD" |
| 38 | + PAYLOAD=$(echo -n "$BASE64_PAYLOAD" | base64 -D) |
| 39 | + echo "Payload: $PAYLOAD" |
| 40 | + PAYLOAD_TYPE=$(cat response.json | jq .dsse_payload_type | tr -d '"') |
| 41 | + echo "Payload type: $PAYLOAD_TYPE" |
| 42 | + PAYLOAD_LEN="${#PAYLOAD}" |
| 43 | + PAYLOAD_TYPE_LEN="${#PAYLOAD_TYPE}" |
| 44 | + PRE_AUTH_ENC="DSSEv1 $PAYLOAD_TYPE_LEN $PAYLOAD_TYPE $PAYLOAD_LEN $PAYLOAD" |
| 45 | + echo "Pre-authentication encoding: $PRE_AUTH_ENC" |
| 46 | + PAYLOAD_SIGNATURE=$(echo -n "$PRE_AUTH_ENC" | openssl dgst -sha256 -sign "${{ secrets.JIRA_TEST_PKEY }}" | openssl base64 | tr -d '\n') |
| 47 | + echo "Signature: $PAYLOAD_SIGNATURE" |
| 48 | + echo -n "$PAYLOAD_SIGNATURE" > signature_file |
| 49 | + - name: Build the DSSE |
| 50 | + run: | |
| 51 | + read -r -d '' DSSE << EOF |
| 52 | + { |
| 53 | + "payloadType": $(cat response.json | jq .dsse_payload_type), |
| 54 | + "payload": $(cat response.json | jq .dsse_payload), |
| 55 | + "sinatures": [ |
| 56 | + { |
| 57 | + "keyid": "${{ vars.JIRA_TEST_KEY }}", |
| 58 | + "sig": "$(cat signature_file)" |
| 59 | + } |
| 60 | + ] |
| 61 | + } |
| 62 | + EOF |
| 63 | + echo "DSSE: $DSSE" |
| 64 | + echo -n "$DSSE" > dsse.json |
| 65 | + - name: Create the evidence |
| 66 | + run: | |
| 67 | + POST_URL=$(cat response.json | jq .post_url | tr -d '"') |
| 68 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d @dsse.json "${{ vars.ARTIFACTORY_URL }}$POST_URL" |
| 69 | +
|
| 70 | +
|
0 commit comments