-
Notifications
You must be signed in to change notification settings - Fork 0
74 lines (72 loc) · 2.89 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
on:
push:
branches:
- main
pull_request:
branches:
- main
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
outputs:
path-info: ${{ steps.build.outputs.path-info }}
steps:
- uses: DeterminateSystems/nix-installer-action@main
- uses: DeterminateSystems/magic-nix-cache-action@main
- uses: actions/checkout@v4
- id: build
name: Build
env:
installable: .#example^*
run: |
set -o pipefail
hook=$(nix build .#hook --print-out-paths)
new_hook=$(mktemp)
cat <<EOF > "$new_hook"
#!/bin/sh
builderId="$GITHUB_SERVER_URL/$GITHUB_WORKFLOW_REF"
invocationId="$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
export builderId invocationId
exec "$hook" "\$@"
EOF
chmod +x "$new_hook"
build=$(nix --post-build-hook "$new_hook" build --json --print-build-logs "$installable")
echo "build=$build" >> "$GITHUB_OUTPUT"
# NOTE: the attestation contains multiple subjects (one for each output)
# but the actions/attest action only supports one subject. So we need to
# pick one. We pick the first one.
# TODO: Make a custom action for this that does support multiple actions
# NOTE: We're using the NAR hash here, not the SRI hash. So a verifier should
# get the NAR serialisation of the nix store path for verification.
- id: get-subject
name: Get subject
run: |
set -o pipefail
jq . "$statementPath"
subjectDigest=$(jq -r '.subject[0].digest.sha256' "$statementPath")
subjectName=$(jq -r '.subject[0].name' "$statementPath")
echo "subject-digest=sha256:$subjectDigest" >> "$GITHUB_OUTPUT"
echo "subject-name=$subjectName" >> "$GITHUB_OUTPUT"
jq '.predicate' "$statementPath" > predicate.slsa.json
env:
# TODO: maybe we should generate a statement per outPath instead of per drv
statementPath: "/nix/var/nix/provenance${{fromJson(steps.build.outputs.build)[0].drvPath}}.slsa.json"
- name: Attest
uses: actions/attest@v2
with:
subject-name: ${{ steps.get-subject.outputs.subject-name }}
# NOTE: This is the NAR hash, not the SRI hash. So a verifier should
# get the NAR serialisation of the nix store path
# TODO: Should we name NAR files differently?
subject-digest: ${{ steps.get-subject.outputs.subject-digest }}
predicate-type: https://slsa.dev/provenance/v1
predicate-path: predicate.slsa.json
- name: Verify
run: |
set -o pipefail
gh attestation verify --repo "$GITHUB_REPOSITORY" <(nix store dump-path "$outPath")
env:
outPath: ${{ steps.build.outputs.build[0].outPath }}