Add SLSA3 provenance to FC builds

JoshArmi · JoshArmi · commit ad8d10c6005b · 2023-04-18T10:01:11.000+08:00
diff --git a/.github/workflows/aws_cicd.yaml b/.github/workflows/aws_cicd.yaml
@@ -1,13 +1,10 @@
 name: aws-cicd
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
-  pull_request:
+  workflow_call:
 concurrency:
   group: "AWS"
-  # cancel-in-progress: true
+  cancel-in-progress: true
 jobs:
   deploy:
     name: AWS
diff --git a/.github/workflows/cicd.yaml b/.github/workflows/cicd.yaml
@@ -0,0 +1,20 @@
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+  workflow_dispatch:
+  
+jobs:
+  aws:
+    uses: ./.github/workflows/aws_cicd.yaml
+
+  gcp:
+    uses: ./.github/workflows/gcp_cicd.yaml
+
+  slsa:
+    uses: ./.github/workflows/provenance.yaml
+    needs: [aws, gcp]
diff --git a/.github/workflows/gcp_cicd.yaml b/.github/workflows/gcp_cicd.yaml
@@ -1,10 +1,11 @@
+<<<<<<< HEAD
 name: gcp-cicd
+=======
+name: gcp
+>>>>>>> b0b73b43 (Add SLSA3 provenance to FC builds)
 on:
-  push:
-    branches:
-      - main
   workflow_dispatch:
-  pull_request:
+  workflow_call:
 concurrency:
   group: "GCP"
   cancel-in-progress: true
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
@@ -0,0 +1,25 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          make synth
+          echo "hashes=$(tar cf - infrastructure | sha256sum | base64 -w0)" >> "$GITHUB_OUTPUT"
+  provenance:
+    needs: [build]
+    permissions:
+        actions: read
+        id-token: write
+        contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    with:
+        base64-subjects: "${{ needs.build.outputs.hashes }}"
+        upload-assets: true
