Verify GitHub Attestation

Octopus.Script exported 2024-08-29 by ryanrousseau belongs to ‘GitHub’ category.

This step calls the GitHub CLI (gh) to verify an attestation for a package. It currently supports non-container packages; support for OCI container images will be added in the future.

More info on Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/

GitHub CLI docs for gh attestation verify: https://cli.github.com/manual/gh_attestation_verify

The step captures the JSON output of the GitHub CLI and stores it as an output variable named Json, so later steps in the process can inspect the verified statement and the signing identity.

The JSON can also be captured as an artifact on the deployment by checking the Create Artifact? parameter on the step.
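The step stores the verifier's JSON in the Json output variable but applies no policy to it, and verifying against an Owner only proves that some workflow in that organization attested the package. The following is an added example, not code from the template or from GitHub's tooling, of a downstream script step (Octopus can run Python script steps) that ties the captured JSON to the package actually being deployed and pins the producer. The result shape in sample_results, the field names under verificationResult, and every EXPECTED_* value are assumptions for the example; confirm the field names against your own gh output before relying on them.

```python
"""Downstream policy check over the Json output variable of the verify step.

Added example, not code from the step template or from GitHub. It assumes the
captured JSON is a list of results shaped as in sample_results() below (the
field names mirror `gh attestation verify --format json` as the author of this
example has seen it; confirm them against your own output) and that the
expected producer identities are the constructed values in EXPECTED_*.
"""
import hashlib
import json

# Constructed inputs: the package bytes the deployment actually ships, and the
# producer the policy expects. None of these names come from the page.
SAMPLE_PACKAGE = b"constructed package contents for the example"
EXPECTED_ISSUER = "https://token.actions.githubusercontent.com"
EXPECTED_REPO = "https://github.com/example-org/myapp"
EXPECTED_WORKFLOW = EXPECTED_REPO + "/.github/workflows/release.yml@refs/heads/main"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    """Digest of the deployed package, used to tie the captured JSON to this package."""
    return hashlib.sha256(data).hexdigest()


def sample_results(digest: str, repo: str = EXPECTED_REPO, runner: str = "github-hosted") -> str:
    """Constructed JSON in the shape of `gh attestation verify --format json` output."""
    return json.dumps([{
        "verificationResult": {
            "statement": {
                "_type": "https://in-toto.io/Statement/v1",
                "predicateType": SLSA_PROVENANCE_V1,
                "subject": [{"name": "myapp.1.2.3.zip", "digest": {"sha256": digest}}],
            },
            "signature": {
                "certificate": {
                    "issuer": EXPECTED_ISSUER,
                    "sourceRepositoryURI": repo,
                    "buildSignerURI": repo + "/.github/workflows/release.yml@refs/heads/main",
                    "runnerEnvironment": runner,
                }
            },
        }
    }])


def policy_violations(results_json: str, package_digest: str) -> list:
    """Return policy failures for every result in the captured JSON; [] means accept.

    gh has already checked the Sigstore signature and that a subject matches the
    file it was given; this re-checks the digest against the package being
    deployed and pins the producer, which verifying by owner alone does not do.
    """
    results = json.loads(results_json)
    if not results:
        return ["no attestation results in captured JSON"]
    violations = []
    for i, result in enumerate(results):
        vr = result.get("verificationResult", {})
        stmt = vr.get("statement", {})
        cert = vr.get("signature", {}).get("certificate", {})
        subjects = stmt.get("subject", [])
        if not any(s.get("digest", {}).get("sha256") == package_digest for s in subjects):
            violations.append(f"result {i}: no subject digest matches the deployed package")
        if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
            violations.append(f"result {i}: unexpected predicate type {stmt.get('predicateType')!r}")
        if cert.get("issuer") != EXPECTED_ISSUER:
            violations.append(f"result {i}: unexpected OIDC issuer {cert.get('issuer')!r}")
        if cert.get("sourceRepositoryURI") != EXPECTED_REPO:
            violations.append(f"result {i}: built from {cert.get('sourceRepositoryURI')!r}, not the expected repository")
        if cert.get("buildSignerURI") != EXPECTED_WORKFLOW:
            violations.append(f"result {i}: signed by workflow {cert.get('buildSignerURI')!r}, not the release workflow")
        if cert.get("runnerEnvironment") != "github-hosted":
            violations.append(f"result {i}: runner environment {cert.get('runnerEnvironment')!r} is not github-hosted")
    return violations


if __name__ == "__main__":
    digest = sha256_hex(SAMPLE_PACKAGE)
    print("good:", policy_violations(sample_results(digest), digest))
    print("fork:", policy_violations(sample_results(digest, repo="https://github.com/example-org/fork"), digest))
    print("swap:", policy_violations(sample_results(digest), sha256_hex(b"some other package")))
```

In a real process the digest argument is computed over the package file path the verify step used, and results_json is read from the Json output variable of that step. The policy rejects a result if any check fails rather than accepting when one attestation passes, so a stray attestation from another repository in the organization is surfaced instead of ignored.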

Parameters

When steps based on the template are included in a project’s deployment process, the parameters below can be set.

GitHub Access Token

VerifyAttestation.Token =

The access token used to authenticate with GitHub. See the GitHub documentation on personal access tokens (https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) for more details. The token is passed to gh through the environment and never appears on the command line.

Package to verify

VerifyAttestation.Package =

The package to verify using gh attestation verify.

Owner

VerifyAttestation.Owner =

The --owner flag value must match the name of the GitHub organization that the artifact’s linked repository belongs to.

Do not provide both Owner and Repo.

Repo

VerifyAttestation.Repo =

The --repo flag value must match the name of the GitHub repository that the artifact is linked with.

Do not provide both Owner and Repo.

Flags

VerifyAttestation.Flags =

See gh attestation verify (https://cli.github.com/manual/gh_attestation_verify) for available flags. Verifying with Owner accepts an attestation signed by any workflow in any repository of that organization; to pin the producer, pass flags such as --signer-repo or --signer-workflow here, and --deny-self-hosted-runners to reject builds from self-hosted runners (check the gh manual for the flags supported by the gh version on your worker).

Do not provide the --format flag as it is set to json by the step.

Print Command?

VerifyAttestation.PrintCommand = False

Prints the assembled gh command in the logs before it runs. The token is not part of the printed command because it is passed through the environment.

Create Artifact?

VerifyAttestation.CreateArtifact = False

Check to save the attestation result json as an Octopus artifact on the deployment.

Script body

Steps based on this template will execute the following Bash script.

token=$(get_octopusvariable "VerifyAttestation.Token")
package=$(get_octopusvariable "Octopus.Action.Package[VerifyAttestation.Package].PackageFilePath")
owner=$(get_octopusvariable "VerifyAttestation.Owner")
repo=$(get_octopusvariable "VerifyAttestation.Repo")
flags=$(get_octopusvariable "VerifyAttestation.Flags")
printCommand=$(get_octopusvariable "VerifyAttestation.PrintCommand")
createArtifact=$(get_octopusvariable "VerifyAttestation.CreateArtifact")
deploymentId="#{Octopus.Deployment.Id | ToLower}"
stepName=$(get_octopusvariable "Octopus.Step.Name")

echoerror() { echo "$@" 1>&2; }

# The token is passed to gh through the environment, not on the command line,
# so it is never part of the printed command.
export GITHUB_TOKEN="$token"

if ! command -v gh &> /dev/null
then
    echoerror "gh could not be found, please ensure that it is installed on your worker or in the execution container image"
    exit 1
fi

if [ "$token" = "" ] ; then
    fail_step "'GitHub Access Token' is a required parameter for this step."
fi

if [ "$package" = "" ] ; then
    fail_step "'Package to verify' is a required parameter for this step."
fi

if [ "$owner" = "" ] && [ "$repo" = "" ]; then
    fail_step "Either 'Owner' or 'Repo' must be provided to this step."
fi

if [ "$owner" != "" ] && [ "$repo" != "" ]; then
    fail_step "Provide either 'Owner' or 'Repo', not both."
fi

# Build the command as an array so the package path and flag values survive
# word splitting and globbing; extra flags are split on whitespace only.
gh_cmd=(gh attestation verify "$package" --format json)
if [ "$owner" != "" ] ; then
  gh_cmd+=(-o "$owner")
fi
if [ "$repo" != "" ] ; then
  gh_cmd+=(-R "$repo")
fi
if [ "$flags" != "" ] ; then
  read -r -a extra_flags <<< "$flags"
  gh_cmd+=("${extra_flags[@]}")
fi

if [ "$printCommand" = "True" ] ; then
  echo "${gh_cmd[*]}"
fi

if json=$("${gh_cmd[@]}")
then
  # Quote the value: the JSON contains whitespace and newlines and must be stored whole.
  set_octopusvariable "Json" "$json"
  echo "Created output variable: ##{Octopus.Action[$stepName].Output.Json}"

  if [ "$createArtifact" = "True" ] ; then
    echo "$json" > "$PWD/attestation-$deploymentId.json"
    new_octopusartifact "$PWD/attestation-$deploymentId.json"
  fi
else
  fail_step "Failed to verify attestation for $package"
fi

Provided under the Apache License version 2.0.

To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.

{
  "Id": "3c76dffc-b524-438f-b04d-f1a103bdbfc7",
  "Name": "Verify GitHub Attestation",
  "Description": "This step calls the GitHub cli to verify an attestation. It currently supports non-container packages. OCI container images will be added in the future.\n\nMore info on [Artifact Attestations](https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/).\n\nGitHub cli docs for [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify).\n\nThe step will capture the json output from the GitHub cli and store it as an [output variable](https://octopus.com/docs/projects/variables/output-variables) named `Json`.\n\nThe json can also be captured as an [artifact](https://octopus.com/docs/projects/deployment-process/artifacts) on the deployment by checking the `Create Artifact?` parameter on the step.",
  "Version": 1,
  "ExportedAt": "2024-08-29T19:36:57.549Z",
  "ActionType": "Octopus.Script",
  "Author": "ryanrousseau",
  "Packages": [
    {
      "Id": "bc290bbb-cc08-4046-b72b-7ef18b2076fd",
      "Name": "VerifyAttestation.Package",
      "PackageId": null,
      "FeedId": null,
      "AcquisitionLocation": "Server",
      "Properties": {
        "Extract": "False",
        "SelectionMode": "deferred",
        "PackageParameterName": "VerifyAttestation.Package",
        "Purpose": ""
      }
    }
  ],
  "Parameters": [
    {
      "Id": "fd8cdcff-09af-41b0-a814-464c52308f48",
      "Name": "VerifyAttestation.Token",
      "Label": "GitHub Access Token",
      "HelpText": "The access token used to authenticate with GitHub. See the [GitHub documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) for more details.",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "Sensitive"
      }
    },
    {
      "Id": "406de5a6-8a71-4a7a-91cf-dc0aee73d89b",
      "Name": "VerifyAttestation.Package",
      "Label": "Package to verify",
      "HelpText": "The package to verify using `gh attestation verify`",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "Package"
      }
    },
    {
      "Id": "e7b6ab3a-3522-4b97-b601-d9e51ef5dea9",
      "Name": "VerifyAttestation.Owner",
      "Label": "Owner",
      "HelpText": "The `--owner` flag value must match the name of the GitHub organization that the artifact's linked repository belongs to.\n\nDo not provide both `Owner` and `Repo`.",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      }
    },
    {
      "Id": "0bdc7d4d-778a-498f-a950-3f2ce4e23b5d",
      "Name": "VerifyAttestation.Repo",
      "Label": "Repo",
      "HelpText": "The `--repo` flag value must match the name of the GitHub repository that the artifact is linked with.\n\nDo not provide both `Owner` and `Repo`.",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      }
    },
    {
      "Id": "f282b9eb-a6b4-4d79-9fc0-2f985e94b1ec",
      "Name": "VerifyAttestation.Flags",
      "Label": "Flags",
      "HelpText": "See [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify) for available flags.\n\nDo not provide the `--format` flag as it is set to `json` by the step.",
      "DefaultValue": "",
      "DisplaySettings": {
        "Octopus.ControlType": "SingleLineText"
      }
    },
    {
      "Id": "06e3e2ad-f2e0-4ecb-b856-e709d552f3e9",
      "Name": "VerifyAttestation.PrintCommand",
      "Label": "Print Command?",
      "HelpText": "Prints the assembled gh command in the logs before it runs. The token is not part of the printed command because it is passed through the environment.",
      "DefaultValue": "False",
      "DisplaySettings": {
        "Octopus.ControlType": "Checkbox"
      }
    },
    {
      "Id": "eb4f5f79-7d44-4511-a8a8-1dc68f2c450d",
      "Name": "VerifyAttestation.CreateArtifact",
      "Label": "Create Artifact?",
      "HelpText": "Check to save the attestation result json as an Octopus artifact on the deployment.",
      "DefaultValue": "False",
      "DisplaySettings": {
        "Octopus.ControlType": "Checkbox"
      }
    }
  ],
  "Properties": {
    "Octopus.Action.RunOnServer": "true",
    "Octopus.Action.Script.ScriptSource": "Inline",
    "Octopus.Action.Script.Syntax": "Bash",
    "Octopus.Action.Script.ScriptBody": "token=$(get_octopusvariable \"VerifyAttestation.Token\")\npackage=$(get_octopusvariable \"Octopus.Action.Package[VerifyAttestation.Package].PackageFilePath\")\nowner=$(get_octopusvariable \"VerifyAttestation.Owner\")\nrepo=$(get_octopusvariable \"VerifyAttestation.Repo\")\nflags=$(get_octopusvariable \"VerifyAttestation.Flags\")\nprintCommand=$(get_octopusvariable \"VerifyAttestation.PrintCommand\")\ncreateArtifact=$(get_octopusvariable \"VerifyAttestation.CreateArtifact\")\ndeploymentId=\"#{Octopus.Deployment.Id | ToLower}\"\nstepName=$(get_octopusvariable \"Octopus.Step.Name\")\n\nechoerror() { echo \"$@\" 1>&2; }\n\n# The token is passed to gh through the environment, not on the command line,\n# so it is never part of the printed command.\nexport GITHUB_TOKEN=\"$token\"\n\nif ! command -v gh &> /dev/null\nthen\n    echoerror \"gh could not be found, please ensure that it is installed on your worker or in the execution container image\"\n    exit 1\nfi\n\nif [ \"$token\" = \"\" ] ; then\n    fail_step \"'GitHub Access Token' is a required parameter for this step.\"\nfi\n\nif [ \"$package\" = \"\" ] ; then\n    fail_step \"'Package to verify' is a required parameter for this step.\"\nfi\n\nif [ \"$owner\" = \"\" ] && [ \"$repo\" = \"\" ]; then\n    fail_step \"Either 'Owner' or 'Repo' must be provided to this step.\"\nfi\n\nif [ \"$owner\" != \"\" ] && [ \"$repo\" != \"\" ]; then\n    fail_step \"Provide either 'Owner' or 'Repo', not both.\"\nfi\n\n# Build the command as an array so the package path and flag values survive\n# word splitting and globbing; extra flags are split on whitespace only.\ngh_cmd=(gh attestation verify \"$package\" --format json)\nif [ \"$owner\" != \"\" ] ; then\n  gh_cmd+=(-o \"$owner\")\nfi\nif [ \"$repo\" != \"\" ] ; then\n  gh_cmd+=(-R \"$repo\")\nfi\nif [ \"$flags\" != \"\" ] ; then\n  read -r -a extra_flags <<< \"$flags\"\n  gh_cmd+=(\"${extra_flags[@]}\")\nfi\n\nif [ \"$printCommand\" = \"True\" ] ; then\n  echo \"${gh_cmd[*]}\"\nfi\n\nif json=$(\"${gh_cmd[@]}\")\nthen\n  # Quote the value: the JSON contains whitespace and newlines and must be stored whole.\n  set_octopusvariable \"Json\" \"$json\"\n  echo \"Created output variable: ##{Octopus.Action[$stepName].Output.Json}\"\n\n  if [ \"$createArtifact\" = \"True\" ] ; then\n    echo \"$json\" > \"$PWD/attestation-$deploymentId.json\"\n    new_octopusartifact \"$PWD/attestation-$deploymentId.json\"\n  fi\nelse\n  fail_step \"Failed to verify attestation for $package\"\nfi",
    "OctopusUseBundledTooling": "False"
  },
  "Category": "GitHub",
  "HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates//opt/buildagent/work/75443764cd38076d/step-templates/github-verify-attestation.json",
  "Website": "/step-templates/3c76dffc-b524-438f-b04d-f1a103bdbfc7",
  "Logo": "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",
  "$Meta": {
    "Type": "ActionTemplate"
  }
}

Page updated on Thursday, August 29, 2024