Build CI #2

Workflow file for this run

	name: Build CI

	on:
	pull_request_target:
	branches: [ main ]

	workflow_dispatch:

	env:
	MY_SECRET: ${{ secrets.MY_SECRET }}
	GITHUB_PAT: ${{ secrets.GH_PAT }}
	PR_ID: ${{github.event.number}}

	XY_PRJ_NAME: LGV-GH-${{ github.event.repository.name }}
	PIPELINE: ${{ github.event.repository.name }}
	PRIVATE_KEY: ${{ secrets.SALT_PRIVATE_KEY }}
	KEY_PASSWD: ${{ secrets.SALT_PRIVATE_KEY_PASSWD }}
	API_KEY: ${{ secrets.XY_TOKEN_PRO }}
	OTRA_VAR: "hola"
	BASE_DIR: ${{ github.workspace }}

	jobs:

	prt_build_and_upload:
	runs-on: ubuntu-latest
	steps:
	- name: Checking out PR code
	uses: actions/checkout@v4
	if: ${{ github.event_name == 'pull_request_target' }}
	with:
	# Number of commits to fetch. 0 indicates all history for all branches and tags.
	# Default: 1
	fetch-depth: '0'
	# This is to get the PR code instead of the repo code
	ref: ${{ github.event.pull_request.head.sha }}

	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- uses: actions/checkout@v4
	name: Checking out main code
	if: ${{ github.event_name == 'push' \|\| github.event_name == 'workflow_dispatch' }}
	with:
	# Number of commits to fetch. 0 indicates all history for all branches and tags.
	# Default: 1
	fetch-depth: '0'

	- name: Building ...
	run: \|
	exit 0
	#mkdir ./bin
	#touch ./bin/mybin.exe
	#echo "${{github.event.pull_request.title}}" > ./bin/PR_TITLE.txt
	#echo "$PR_ID" > ./bin/PR_ID.txt
	#ls -lR
	java -version
	mvn -version
	#apt-get update ; apt-get install maven default-jdk -y ; update-alternatives --config javac
	mvn clean package
	ls -l target/*.war
	#env:
	# PR_TITLE: ${{github.event.pull_request.title}}


	- name: Download SALT
	run: \|
	#!/usr/bin/env bash
	echo Downloading SALT ....
	curl -sLO https://get.xygeni.io/latest/salt/salt.zip
	unzip salt.zip -d ./salt_pro
	shopt -s expand_aliases
	alias salt=$PWD/salt_pro/xygeni_salt/salt
	env:
	GITHUB_PAT: ${{ secrets.GH_PAT }}


	#- name: Calc SHA for bin and add as zip to the artifact
	# run: \|
	# #!/usr/bin/env bash
	# #pwd
	# #ls -l
	# #cd bin
	# #ls -l
	# #sha256sum <(find . -type f -exec sha256sum {} \; \| sort)
	# zip -r ./bin.zip ./bin
	# cp ./bin.zip ./bin
	# SHA_SUM=$(sha256sum ./bin.zip \| cut -f1 -d ' ')
	# echo $SHA_SUM


	- name: Generating attestation
	env:
	GITHUB_PAT: ${{ secrets.GH_PAT }}
	run: \|
	#!/usr/bin/env bash

	java -version
	mvn -version

	shopt -s expand_aliases
	alias salt=$PWD/salt_pro/xygeni_salt/salt

	echo " "
	echo "-----------"
	echo "Intiating the attestation with attestors git and env ..."
	#/home/luisgarcia/LGV/xygeni_salt/salt attestation init
	salt attestation init \
	--pipeline ${PIPELINE}_cli \
	--basedir ${BASE_DIR} \
	--attestor environment \
	--attestor git

	echo " "
	echo "-----------"
	echo "Adding materials [src/$SRC_FILE] to attestation ..."
	salt attestation add \
	--pipeline ${PIPELINE}_cli \
	--basedir ${BASE_DIR} \
	--name=my_top_material --type material --file ./src

	echo " "
	echo "-----------"
	echo "REMOVING binaries ... -------------------"
	rm -rf ${BASE_DIR}/bin

	echo " "
	echo "----------- "
	echo "Compiling ... -------------------"
	mkdir ${BASE_DIR}/bin
	salt attestation run \
	--step=compile \
	--pipeline ${PIPELINE}_cli \
	--pretty-print \
	--name my_sources --type material --file ${BASE_DIR}/src \
	--name my_product --type product --file ${BASE_DIR}/target/JavaVulnerableLab.war \
	-- mvn --no-transfer-progress clean package


	echo " "
	echo "-----------"
	echo "Adding product [bin/$BIN_FILE] to attestation ..."
	cp target/JavaVulnerableLab.war ./bin
	salt attestation add \
	--pipeline ${PIPELINE}_cli \
	--basedir ${BASE_DIR}/target \
	--name=my_top_product --type product --file JavaVulnerableLab.war


	echo " "
	echo "------------"
	echo "Commiting the drafted attestation using provided keys ..."
	salt attestation commit \
	--project SALT \
	--pipeline ${PIPELINE}_cli \
	--key="${PRIVATE_KEY}" --public-key=${BASE_DIR}/Test1_public.pem --key-password=${KEY_PASSWD} \
	--output=${BASE_DIR}/${PIPELINE}_cli.signed.json \
	--output-unsigned=${BASE_DIR}/cli_attestattion_${PIPELINE}_unsigned.json \
	--pretty-print \
	> ${GITHUB_WORKSPACE}/lgv.txt

	#--config=$SALT_PATH/conf/salt.yaml \


	cat ${BASE_DIR}/cli_attestattion_${PIPELINE}_unsigned.json

	cat ${BASE_DIR}/lgv.txt
	echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

	grep "registry with id" lgv.txt \| awk '{print $14}' > ./bin/att.id
	cat ./bin/att.id
	cp ${BASE_DIR}/cli_attestattion_${PIPELINE}_unsigned.json ./bin



	- name: Generating provenance
	env:
	GITHUB_PAT: ${{ secrets.GH_PAT }}
	run: \|
	#!/usr/bin/env bash
	exit 0

	shopt -s expand_aliases
	alias salt=$PWD/salt_pro/xygeni_salt/salt


	echo " "
	echo "-----------"
	echo "Generating Provenance with CLI ..."
	#$SALT_PATH/salt at provenance
	salt at slsa \
	--basedir ${BASE_DIR} \
	--key="${PRIVATE_KEY}" --public-key=${BASE_DIR}/Test1_public.pem --key-password=${KEY_PASSWD} \
	--output-unsigned=${BASE_DIR}/cli_provenance_${PIPELINE}_unsigned.json \
	--pipeline ${PIPELINE} --pretty-print \
	--file ./bin/bin.zip \
	> ${BASE_DIR}/lgv.txt

	cat ${BASE_DIR}/cli_provenance_${PIPELINE}_unsigned.json
	cat ${BASE_DIR}/lgv.txt
	echo "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

	grep "registry with id" lgv.txt \| awk '{print $14}' > ./bin/att.id





	- name: Archive building artifacts
	uses: actions/upload-artifact@v3
	with:
	name: archive-bin
	path: \|
	bin

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build CI #2

Workflow file

Build CI #2

Jobs

Run details

Workflow file for this run