docker-attest-build-provenance/.github/workflows/prober.yml

name: Prober Workflow

on:
  workflow_call:
    inputs:
      sigstore:
        description: 'Which Sigstore instance to use for signing'
        default: 'public-good'
        required: false
        type: string
    secrets:
      trust-domain:
        description: 'Trust domain in which the test is executed'
        required: true
        type: string
      service:
        description: 'Service against which status should be reported'
        required: true
        type: string
      team:
        description: 'Team associated with status report'
        required: true
        type: string

jobs:
  probe:
    runs-on: ubuntu-latest
    permissions:
      attestations: write
      id-token: write

    steps:
      - uses: hmarr/debug-action@v2

      - name: Request OIDC Token
        run: |
          curl "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=nobody" \
            -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" \
            -H "Accept: application/json; api-version=2.0" \
            -H "Content-Type: application/json" \
            --silent | jq -r '.value' | jq -R 'split(".") | .[0],.[1] | @base64d | fromjson'          

      - name: Create artifact
        run: |
          date > artifact          

      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          path: "artifact"

      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        env:
          INPUT_PRIVATE-SIGNING: ${{ inputs.sigstore == 'github' && 'true' || 'false' }}
        with:
          subject-path: artifact

      - name: Verify build artifact
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh attestation verify ./artifact --owner "$GITHUB_REPOSITORY_OWNER"          

      - name: Report attestation prober success
        if: ${{ success() }}
        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              status: 0
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.service }}"
                - "service:${{ secrets.service }}"
                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"            

      - name: Report attestation prober failure
        if: ${{ failure() }}
        uses: masci/datadog@a5d283e78e33a688ed08a96ba64440505e645a8c # v1.7.1
        with:
          api-key: "${{ secrets.DATADOG_API_KEY }}"
          service-checks: |
            - check: "attestation-integration.actions.prober"
              message: "${{ github.repository_owner }} failed prober check"
              status: 2
              host_name: github.com
              tags:
                - "catalog_service:${{ secrets.service }}"
                - "service:${{ secrets.service }}"
                - "stamp:${{ secrets.trust-domain }}"
                - "env:production"
                - "repo:${{ github.repository }}"
                - "team:${{ secrets.team }}"
                - "sigstore:${{ inputs.sigstore }}"