disable gh pages

tprasadtp · Apr 15, 2024 · e2066b4 · e2066b4
1 parent bf769e6
commit e2066b4
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 76 deletions.
diff --git a/.github/workflows/build.yml.disable → .github/workflows/build.yml b/.github/workflows/build.yml.disable → .github/workflows/build.yml
diff --git a/.github/workflows/metadata.yml b/.github/workflows/metadata.yml
@@ -12,98 +12,39 @@ on:
         - "no"
   push:
     branches-ignore:
-      - "dependabot**"
+      - "slsa-verify*"
+      - "dependabot*"
+      - "dependabot/**"
     tags-ignore:
       - "**"
   schedule:
     - cron: "30 * * * *"
-
-permissions:
-  contents: read
-
 jobs:
-  generate:
+  metadata:
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-    outputs:
-       base64-subjects: ${{ steps.hash-hashlist.outputs.hashes }}
+      id-token: write
     steps:
-      - name: Checkout project repository
+      - name: Checkout project repo
         uses: actions/checkout@v4
         with:
           persist-credentials: false
 
       - name: Install python dependencies
         run: |
           sudo apt-get install -y \
-            python3-gnupg \
-            python3-requests \
-            python3-bcrypt \
-            python3-coloredlogs
+          python3-gnupg \
+          python3-requests \
+          python3-bcrypt \
+          python3-coloredlogs
 
       - name: Generate metadata
-        run: ./scripts/generate-server-metadata --output ./metadata
+        run: ./scripts/generate-server-metadata --generate-list --output ./metadata
         env:
           PROTON_USERNAME: ${{ secrets.PROTON_USERNAME }}
           PROTON_PASSWORD: ${{ secrets.PROTON_PASSWORD }}
           DEBUG: ${{ inputs.DEBUG }}
 
-      - name: Generate hash of hashlist
-        id: hash-hashlist
-        run: |
-          set -euo pipefail
-          echo "hashes=$(sha256sum metadata/v1/slsa/server/hash-list | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: Upload Metadata
-        uses: actions/upload-artifact@v4
-        with:
-          name: metadata
-          path: metadata/
-          if-no-files-found: error
-
-  provenance:
-    permissions:
-      contents: write
-      actions: read
-      id-token: write
-    needs:
-      - generate
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
-    with:
-      base64-subjects: ${{ needs.generate.outputs.base64-subjects }}
-
-  deploy:
-    runs-on: ubuntu-latest
-    needs:
-      - provenance
-    permissions:
-      contents: read
-      id-token: write
-    environment:
-      name: github-pages
-      url: ${{ steps.github-pages-deploy.outputs.page_url }}
-    steps:
-      - name: Download Metadata Artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: metadata
-          path: metadata
-
-      - name: Download Provenance
-        uses: actions/download-artifact@v4
-        with:
-          name: ${{ needs.provenance.outputs.provenance-name }}
-          path: provenance
-
-      - name: Copy provenance to metadata
-        run: cp provenance/hash-list.intoto.jsonl metadata/v1/slsa/server/hash-list.intoto.jsonl
-
-      - name: Upload GitHub Pages artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: metadata
-
       - name: Generate bot token
         uses: actions/create-github-app-token@v1
         id: bot-token
@@ -143,8 +84,3 @@ jobs:
           git add --all
           git commit -m "Updated at - $(date)"
           git push -u origin master
-
-      - name: Deploy to GitHub Pages (if on master)
-        if: github.ref == 'refs/heads/master'
-        id: github-pages-deploy
-        uses: actions/deploy-pages@v4
diff --git a/docs/faq.md b/docs/faq.md
@@ -160,7 +160,6 @@ server is the assigned public IP.
 Bulk of the work is done via `scripts/generate-server-metadata`
 
 - `https://protonwire-api.vercel.app/v1/server` (default)
-- `https://tprasadtp.github.io/protonvpn-docker/v1/server` (beta)
 
 ## LAN/Local DNS Server and API endpoints
 

diff --git a/docs/slsa.md b/docs/slsa.md
@@ -30,6 +30,11 @@ All _artifacts_ provided by this repository meet [SLSA L3][slsa-level3].
         ghcr.io/tprasadtp/protonwire@<IMAGE_DIGEST>
     ```
 
+## SLSA provenance for metadata
+
+Generating slsa provenance for metadata is tricky without leaking all the server names.
+As slsa L3 workflows need to save intermediate artifacts which contain server names.
+
 [cosign]: https://docs.sigstore.dev/system_config/installation/
 [slsa-verifier]: https://github.com/slsa-framework/slsa-verifier
 [slsa-badge-level3]: ./images/slsa-level3-logo.svg