Octopus.Script exported 2024-08-29 by ryanrousseau belongs to ‘GitHub’ category.
This step calls the GitHub CLI to verify an attestation. It currently supports non-container packages. OCI container images will be added in the future.
More info on Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
GitHub CLI docs for gh attestation verify: https://cli.github.com/manual/gh_attestation_verify
The step will capture the JSON output from the GitHub CLI and store it as an output variable named Json.
The JSON can also be captured as an artifact on the deployment by checking the Create Artifact? parameter on the step.
Parameters
When steps based on the template are included in a project’s deployment process, the parameters below can be set.
GitHub Access Token
VerifyAttestation.Token =
The access token used to authenticate with GitHub. See the GitHub documentation for more details.
Package to verify
VerifyAttestation.Package =
The package to verify using gh attestation verify
Owner
VerifyAttestation.Owner =
The --owner flag value must match the name of the GitHub organization that the artifact’s linked repository belongs to.
Do not provide both Owner and Repo.
Repo
VerifyAttestation.Repo =
The --repo flag value must match the name of the GitHub repository that the artifact is linked with.
Do not provide both Owner and Repo.
Flags
VerifyAttestation.Flags =
See gh attestation verify for available flags.
Do not provide the --format flag as it is set to json by the step.
Print Command?
VerifyAttestation.PrintCommand = False
Prints the command in the logs using set -x. This will cause a warning when the step runs.
Create Artifact?
VerifyAttestation.CreateArtifact = False
Check to save the attestation result json as an Octopus artifact on the deployment.
Script body
Steps based on this template will execute the following Bash script.
# Read the step parameters and deployment context from Octopus.
token=$(get_octopusvariable "VerifyAttestation.Token")
package=$(get_octopusvariable "Octopus.Action.Package[VerifyAttestation.Package].PackageFilePath")
owner=$(get_octopusvariable "VerifyAttestation.Owner")
repo=$(get_octopusvariable "VerifyAttestation.Repo")
flags=$(get_octopusvariable "VerifyAttestation.Flags")
printCommand=$(get_octopusvariable "VerifyAttestation.PrintCommand")
createArtifact=$(get_octopusvariable "VerifyAttestation.CreateArtifact")
deploymentId="#{Octopus.Deployment.Id | ToLower}"
stepName=$(get_octopusvariable "Octopus.Step.Name")

echoerror() { echo "$@" 1>&2; }

# gh reads its credentials from the GITHUB_TOKEN environment variable.
export GITHUB_TOKEN=$token

if ! command -v gh &> /dev/null
then
    echoerror "gh could not be found, please ensure that it is installed on your worker or in the execution container image"
    exit 1
fi

if [ "$token" = "" ] ; then
    fail_step "'GitHub Access Token' is a required parameter for this step."
fi

if [ "$owner" = "" ] && [ "$repo" = "" ]; then
    fail_step "Either 'Owner' or 'Repo' must be provided to this step."
fi

# Add -o when Owner is set and -R when Repo is set, then force JSON output.
gh_cmd="gh attestation verify $package ${owner:+ -o $owner} ${repo:+ -R $repo} --format json ${flags:+ $flags}"

if [ "$printCommand" = "True" ] ; then
    echo $gh_cmd
fi

# gh exits non-zero when the attestation cannot be verified.
json=$($gh_cmd)

if [ $? = 0 ]
then
    # Quote the JSON so it is stored and written as a single value.
    set_octopusvariable "Json" "$json"
    echo "Created output variable: ##{Octopus.Action[$stepName].Output.Json}"

    if [ "$createArtifact" = "True" ] ; then
        echo "$json" > "$PWD/attestation-$deploymentId.json"
        new_octopusartifact "$PWD/attestation-$deploymentId.json"
    fi
else
    fail_step "Failed to verify attestation for $package"
fi
Provided under the Apache License version 2.0.
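The parameter help text says to provide only one of Owner or Repo and not to pass --format in Flags, but the script does not check either rule. The following added example, which is not part of the template, enforces them before calling gh and passes the package path as a single argument; the function names and the GH_BIN override are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not part of the template. Function names and GH_BIN are hypothetical.

# Enforce the rules the parameter help text states. Prints the reason and returns 1.
validate_verify_inputs() {
    local package owner repo flags scope word
    package=$1; owner=$2; repo=$3; flags=$4
    [ -n "$package" ] || { echo "package path is empty"; return 1; }
    if [ -n "$owner" ] && [ -n "$repo" ]; then
        echo "provide Owner or Repo, not both"; return 1
    fi
    scope=${owner:-$repo}
    [ -n "$scope" ] || { echo "provide Owner or Repo"; return 1; }
    # A value that starts with '-' or contains a space would reach gh as extra options.
    case "$scope" in
        -*|*" "*) echo "Owner/Repo must be a plain name"; return 1 ;;
    esac
    # Flags is free text: refuse words that override what the step itself sets.
    # Only the spellings listed here are caught.
    for word in $flags; do
        case "$word" in
            --format|--format=*) echo "Flags must not set --format"; return 1 ;;
            -o|--owner|--owner=*|-R|--repo|--repo=*)
                echo "Flags must not set the owner or repo"; return 1 ;;
        esac
    done
    return 0
}

# Build argv as positional parameters so a package path with spaces stays one argument.
run_verify() {
    local package owner repo flags
    package=$1; owner=$2; repo=$3; flags=$4
    validate_verify_inputs "$package" "$owner" "$repo" "$flags" >&2 || return 2
    set -- attestation verify "$package"
    if [ -n "$owner" ]; then set -- "$@" --owner "$owner"; fi
    if [ -n "$repo" ]; then set -- "$@" --repo "$repo"; fi
    # $flags is split on purpose: the field holds several options in one string.
    set -- "$@" --format json $flags
    "${GH_BIN:-gh}" "$@"
}
```

In the step, `run_verify "$package" "$owner" "$repo" "$flags"` would take the place of the `gh_cmd` string and the `json=$($gh_cmd)` call.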
To use this template in Octopus Deploy, copy the JSON below and paste it into the Library → Step templates → Import dialog.
{
"Id": "3c76dffc-b524-438f-b04d-f1a103bdbfc7",
"Name": "Verify GitHub Attestation",
"Description": "This step calls the GitHub cli to verify an attestation. It currently supports non-container packages. OCI container images will be added in the future.\n\nMore info on [Artifact Attestations](https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/).\n\nGitHub cli docs for [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify).\n\nThe step will capture the json output from the GitHub cli and store it as an [output variable](https://octopus.com/docs/projects/variables/output-variables) named `Json`.\n\nThe json can also be captured as an [artifact](https://octopus.com/docs/projects/deployment-process/artifacts) on the deployment by checking the `Create Artifact?` parameter on the step.",
"Version": 1,
"ExportedAt": "2024-08-29T19:36:57.549Z",
"ActionType": "Octopus.Script",
"Author": "ryanrousseau",
"Packages": [
{
"Id": "bc290bbb-cc08-4046-b72b-7ef18b2076fd",
"Name": "VerifyAttestation.Package",
"PackageId": null,
"FeedId": null,
"AcquisitionLocation": "Server",
"Properties": {
"Extract": "False",
"SelectionMode": "deferred",
"PackageParameterName": "VerifyAttestation.Package",
"Purpose": ""
}
}
],
"Parameters": [
{
"Id": "fd8cdcff-09af-41b0-a814-464c52308f48",
"Name": "VerifyAttestation.Token",
"Label": "GitHub Access Token",
"HelpText": "The access token used to authenticate with GitHub. See the [GitHub documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) for more details.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Sensitive"
}
},
{
"Id": "406de5a6-8a71-4a7a-91cf-dc0aee73d89b",
"Name": "VerifyAttestation.Package",
"Label": "Package to verify",
"HelpText": "The package to verify using `gh attestation verify`",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "Package"
}
},
{
"Id": "e7b6ab3a-3522-4b97-b601-d9e51ef5dea9",
"Name": "VerifyAttestation.Owner",
"Label": "Owner",
"HelpText": "The `--owner` flag value must match the name of the GitHub organization that the artifact's linked repository belongs to.\n\nDo not provide both `Owner` and `Repo`.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "0bdc7d4d-778a-498f-a950-3f2ce4e23b5d",
"Name": "VerifyAttestation.Repo",
"Label": "Repo",
"HelpText": "The `--repo` flag value must match the name of the GitHub repository that the artifact is linked with.\n\nDo not provide both `Owner` and `Repo`.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "f282b9eb-a6b4-4d79-9fc0-2f985e94b1ec",
"Name": "VerifyAttestation.Flags",
"Label": "Flags",
"HelpText": "See [gh attestation verify](https://cli.github.com/manual/gh_attestation_verify) for available flags.\n\nDo not provide the `--format` flag as it is set to `json` by the step.",
"DefaultValue": "",
"DisplaySettings": {
"Octopus.ControlType": "SingleLineText"
}
},
{
"Id": "06e3e2ad-f2e0-4ecb-b856-e709d552f3e9",
"Name": "VerifyAttestation.PrintCommand",
"Label": "Print Command?",
"HelpText": "Prints the command in the logs using set -x. This will cause a warning when the step runs.\n",
"DefaultValue": "False",
"DisplaySettings": {
"Octopus.ControlType": "Checkbox"
}
},
{
"Id": "eb4f5f79-7d44-4511-a8a8-1dc68f2c450d",
"Name": "VerifyAttestation.CreateArtifact",
"Label": "Create Artifact?",
"HelpText": "Check to save the attestation result json as an Octopus artifact on the deployment.",
"DefaultValue": "False",
"DisplaySettings": {
"Octopus.ControlType": "Checkbox"
}
}
],
"Properties": {
"Octopus.Action.RunOnServer": "true",
"Octopus.Action.Script.ScriptSource": "Inline",
"Octopus.Action.Script.Syntax": "Bash",
"Octopus.Action.Script.ScriptBody": "token=$(get_octopusvariable \"VerifyAttestation.Token\")\npackage=$(get_octopusvariable \"Octopus.Action.Package[VerifyAttestation.Package].PackageFilePath\")\nowner=$(get_octopusvariable \"VerifyAttestation.Owner\")\nrepo=$(get_octopusvariable \"VerifyAttestation.Repo\")\nflags=$(get_octopusvariable \"VerifyAttestation.Flags\")\nprintCommand=$(get_octopusvariable \"VerifyAttestation.PrintCommand\")\ncreateArtifact=$(get_octopusvariable \"VerifyAttestation.CreateArtifact\")\ndeploymentId=\"#{Octopus.Deployment.Id | ToLower}\"\nstepName=$(get_octopusvariable \"Octopus.Step.Name\")\n\nechoerror() { echo \"$@\" 1>&2; }\n\nexport GITHUB_TOKEN=$token\n\nif ! command -v gh &> /dev/null\nthen\n echoerror \"gh could not be found, please ensure that it is installed on your worker or in the execution container image\"\n exit 1\nfi\n\nif [ \"$token\" = \"\" ] ; then\n fail_step \"'GitHub Access Token' is a required parameter for this step.\"\nfi\n\nif [ \"$owner\" = \"\" ] && [ \"$repo\" = \"\" ]; then\n fail_step \"Either 'Owner' or 'Repo' must be provided to this step.\"\nfi\n\n\ngh_cmd=\"gh attestation verify $package ${owner:+ -o $owner} ${repo:+ -R $repo} --format json ${flags:+ $flags}\"\n\nif [ \"$printCommand\" = \"True\" ] ; then\n echo $gh_cmd\nfi\n\njson=$($gh_cmd)\n\nif [ $? = 0 ]\nthen\n set_octopusvariable \"Json\" \"$json\"\n echo \"Created output variable: ##{Octopus.Action[$stepName].Output.Json}\"\n\n if [ \"$createArtifact\" = \"True\" ] ; then\n echo \"$json\" > \"$PWD/attestation-$deploymentId.json\"\n new_octopusartifact \"$PWD/attestation-$deploymentId.json\"\n fi\nelse\n fail_step \"Failed to verify attestation for $package\"\nfi",
"OctopusUseBundledTooling": "False"
},
"Category": "GitHub",
"HistoryUrl": "https://github.com/OctopusDeploy/Library/commits/master/step-templates//opt/buildagent/work/75443764cd38076d/step-templates/github-verify-attestation.json",
"Website": "/step-templates/3c76dffc-b524-438f-b04d-f1a103bdbfc7",
"$Meta": {
"Type": "ActionTemplate"
}
}
Page updated on Thursday, August 29, 2024