-
Notifications
You must be signed in to change notification settings - Fork 24
123 lines (113 loc) · 4.42 KB
/
reusable_monitoring.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Copyright 2022 The Sigstore Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# NOTE: This GHA should not be run concurrently.
# TODO: Write identities to issues when found
name: Rekor Monitoring Template
on:
workflow_call:
inputs:
file_issue:
description: 'True to file an issue on monitoring failure'
required: true
type: boolean
artifact_retention_days:
description: 'The number of days to retain an artifact (default: 14). If this workflow runs as a cron job, it must be greater than the frequency of the job'
required: false
type: number
default: 14
identities:
description: 'multiline yaml of certificate subjects and issuers, key subjects, and fingerprints. For certificates, if no issuers are specified, match any OIDC provider'
required: false
type: string
permissions:
contents: read
env:
UPLOADED_LOG_NAME: checkpoint
LOG_FILE: checkpoint_log.txt
jobs:
detect-workflow:
runs-on: ubuntu-latest
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
outputs:
repository: ${{ steps.detect.outputs.repository }}
ref: ${{ steps.detect.outputs.ref }}
steps:
- name: Detect the repository and ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
monitor:
runs-on: ubuntu-latest
needs: [detect-workflow]
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ needs.detect-workflow.outputs.repository }}
ref: "${{ needs.detect-workflow.outputs.ref }}"
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.22'
- name: Download artifact
uses: dawidd6/action-download-artifact@bf251b5aa9c2f7eeb574a96ee720e24f801b7c11 # v6
with:
name: ${{ env.UPLOADED_LOG_NAME }}
# Skip on first run since there will be no checkpoint
continue-on-error: true
- name: Log current checkpoints
run: cat ${{ env.LOG_FILE }}
# Skip on first run
continue-on-error: true
- run: go run ./cmd/verifier --file ${{ env.LOG_FILE }} --once --monitored-values "${{ inputs.identities }}"
- name: Upload checkpoint
uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
with:
name: ${{ env.UPLOADED_LOG_NAME }}
path: ${{ env.LOG_FILE }}
retention-days: ${{ inputs.artifact_retention_days }}
- name: Log new checkpoints
run: cat ${{ env.LOG_FILE }}
if-succeeded:
runs-on: ubuntu-latest
needs: [monitor, detect-workflow]
permissions:
issues: 'write'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: ${{ github.repository }}
if: ${{ needs.monitor.result == 'success' && inputs.file_issue }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ needs.detect-workflow.outputs.repository }}
ref: "${{ needs.detect-workflow.outputs.ref }}"
- run: |
set -euo pipefail
./.github/workflows/scripts/report_success.sh
if-failed:
runs-on: ubuntu-latest
needs: [monitor, detect-workflow]
permissions:
issues: 'write'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: ${{ github.repository }}
if: ${{ always() && needs.monitor.result == 'failure' && inputs.file_issue }}
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ needs.detect-workflow.outputs.repository }}
ref: "${{ needs.detect-workflow.outputs.ref }}"
- run: |
set -euo pipefail
./.github/workflows/scripts/report_failure.sh