Upload binary and provenance to GCS

Change-Id: I4c277283400a26a95d21b4cb9bd46da5aad88f86
project-oak · Apr 23, 2024 · 05fd339 · 05fd339
1 parent 33c8aa4
commit 05fd339
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/.github/workflows/reusable_provenance.yaml b/.github/workflows/reusable_provenance.yaml
@@ -38,7 +38,7 @@ jobs:
 
     steps:
       - name: Mount main branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Parse build config
         id: parse-build-config
@@ -101,6 +101,23 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: 'Set up Google Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+      - name: 'Google Cloud info'
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o xtrace
+          set -o pipefail
+          gcloud --version
+          gsutil --version
+
       # See https://github.com/google/ent
       - name: Download Ent CLI
         if: steps.cache-ent.outputs.cache-hit != 'true'
@@ -139,7 +156,7 @@ jobs:
           path: downloads
 
       - name: Debug step - Display structure of downloaded files
-        run: ls -R
+        run: ls --recursive
         working-directory: downloads
 
       - name: Upload binary, provenance, signed tag to Ent
@@ -154,6 +171,9 @@ jobs:
           set -o nounset
           set -o xtrace
           set -o pipefail
+
+          bucket_name=oak-bins
+      
           provenance_file="attestation.intoto"
           if [[ "${{ github.event_name }}" != "pull_request" ]]; then
             provenance_file="${provenance_file}.build.slsa"
@@ -168,6 +188,8 @@ jobs:
           ent tag set --public-key=${{ inputs.ent-public-key }} \
             --label="provenance_${GITHUB_SHA}_${package_name}" \
             --target=${provenance_digest}
+          gsutil cp "${binary_file}" "gs://${bucket_name}/binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_file})"
+          gsutil cp "${provenance_file}" "gs://${bucket_name}/provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_file})"
 
   # Debug step similar to `upload_provenance`, but runs on pull-request events.
   # Differs from `upload_provenance` in that it does not publish the binary