|
| 1 | +name: "Preare docker evidence with prepare API example" |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + |
| 6 | +permissions: |
| 7 | + id-token: write |
| 8 | + contents: read |
| 9 | + actions: read |
| 10 | + |
| 11 | +jobs: |
| 12 | + prepare-docker-evidence-example: |
| 13 | + runs-on: ubuntu-latest |
| 14 | + steps: |
| 15 | + - name: Call the prepare API |
| 16 | + run: | |
| 17 | + REQUEST=$(cat << EOF |
| 18 | + { |
| 19 | + "subject": { |
| 20 | + "subject_type": "package", |
| 21 | + "package_repo": "commons-dev-maven-local", |
| 22 | + "package_name": "com.example:quote-of-day-service", |
| 23 | + "package_version": "1.0.0" |
| 24 | + }, |
| 25 | + "predicate": { |
| 26 | + "statement": "This maven package is great." |
| 27 | + }, |
| 28 | + "predicate_type": "https://example.com/evidence/statement/v1" |
| 29 | + } |
| 30 | + EOF |
| 31 | + ) |
| 32 | + echo "Request: $REQUEST" |
| 33 | + URL="${{ vars.ARTIFACTORY_URL }}/evidence/api/v1/evidence/prepare" |
| 34 | + echo "URL: $URL" |
| 35 | + [ "${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" == "" ] && echo "secrets.ARTIFACTORY_ACCESS_TOKEN is empty!" && exit 1 |
| 36 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d "$REQUEST" -o response.json "$URL" |
| 37 | + echo "Response: $(cat response.json)" |
| 38 | + # Make sure it is valid response |
| 39 | + cat response.json | grep "dsse_payload" |
| 40 | + - name: Sign the payload |
| 41 | + run: | |
| 42 | + BASE64_PAYLOAD=$(cat response.json | jq .dsse_payload | tr -d '"') |
| 43 | + echo "Base64 payload: $BASE64_PAYLOAD" |
| 44 | + PAYLOAD=$(echo -n "$BASE64_PAYLOAD" | base64 -d) |
| 45 | + echo "Payload: $PAYLOAD" |
| 46 | + PAYLOAD_TYPE=$(cat response.json | jq .dsse_payload_type | tr -d '"') |
| 47 | + echo "Payload type: $PAYLOAD_TYPE" |
| 48 | + PAYLOAD_LEN="${#PAYLOAD}" |
| 49 | + PAYLOAD_TYPE_LEN="${#PAYLOAD_TYPE}" |
| 50 | + PRE_AUTH_ENC="DSSEv1 $PAYLOAD_TYPE_LEN $PAYLOAD_TYPE $PAYLOAD_LEN $PAYLOAD" |
| 51 | + echo "Pre-authentication encoding: $PRE_AUTH_ENC" |
| 52 | + echo -n "${{ secrets.JIRA_TEST_PKEY }}" > key_file |
| 53 | + PAYLOAD_SIGNATURE=$(echo -n "$PRE_AUTH_ENC" | openssl dgst -sha256 -sign key_file | openssl base64 | tr -d '\n') |
| 54 | + [ "$?" != "0" -o "$PAYLOAD_SIGNATURE" == "" ] && echo "Failed to create signature." && exit 1 |
| 55 | + rm key_file |
| 56 | + echo "Signature: $PAYLOAD_SIGNATURE" |
| 57 | + echo -n "$PAYLOAD_SIGNATURE" > signature_file |
| 58 | + - name: Build the DSSE |
| 59 | + run: | |
| 60 | + DSSE=$(cat << EOF |
| 61 | + { |
| 62 | + "payloadType": $(cat response.json | jq .dsse_payload_type), |
| 63 | + "payload": $(cat response.json | jq .dsse_payload), |
| 64 | + "sinatures": [ |
| 65 | + { |
| 66 | + "keyid": "${{ vars.JIRA_TEST_KEY }}", |
| 67 | + "sig": "$(cat signature_file)" |
| 68 | + } |
| 69 | + ] |
| 70 | + } |
| 71 | + EOF |
| 72 | + ) |
| 73 | + echo "DSSE: $DSSE" |
| 74 | + echo -n "$DSSE" > dsse.json |
| 75 | + - name: Create the evidence |
| 76 | + run: | |
| 77 | + POST_URL=$(cat response.json | jq .post_url | tr -d '"') |
| 78 | + echo "POST_URL: $POST_URL" |
| 79 | + curl -X POST -H 'Content-Type: application/json' -H "Authorization: Bearer ${{ secrets.ARTIFACTORY_ACCESS_TOKEN }}" -d @dsse.json "${{ vars.ARTIFACTORY_URL }}$POST_URL" |
| 80 | + [ "$?" != "0" ] && echo "Failed to create evidece." && exit 1 |
| 81 | +
|
| 82 | +
|
0 commit comments