From 497feb44c816dcc5589fa3729f2e76288b533c8d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Javier=20Rodr=C3=ADguez?= Date: Fri, 10 Jan 2025 14:19:23 +0100 Subject: [PATCH] feat(github): Use regular CLI steps in scorecards workflow (#1723) Signed-off-by: Javier Rodriguez --- .github/workflows/scorecards.yml | 51 +++++++++++++++++++------------- 1 file changed, 30 insertions(+), 21 deletions(-) diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 5dea953f8..1e3a5f4eb 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -18,20 +18,9 @@ on: permissions: read-all jobs: - chainloop_init: - name: Chainloop Init - uses: chainloop-dev/labs/.github/workflows/chainloop_init.yml@64839eb68c20fefda46929c6c6e893cdf0537619 - secrets: - api_token: ${{ secrets.CHAINLOOP_TOKEN }} - with: - workflow_name: "chainloop-vault-scorecards" - project_name: "chainloop" - analysis: name: Scorecard analysis runs-on: ubuntu-latest - needs: - - chainloop_init permissions: # Needed to upload the results to code-scanning dashboard. security-events: write @@ -39,13 +28,25 @@ jobs: id-token: write contents: read actions: read + env: + CHAINLOOP_WORKFLOW_NAME: "chainloop-vault-scorecards" + CHAINLOOP_PROJECT: "chainloop" + CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} steps: + - name: Install Chainloop + run: | + curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s + - name: "Checkout code" uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false + - name: Initialize Attestation + run: | + chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT + - name: "Run analysis" uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: 
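Review bot: `CHAINLOOP_TOKEN` is now set in the job-level `env:`, which makes the secret readable by every step of the job — including the third-party `actions/checkout` and `ossf/scorecard-action` steps and the piped `install.sh` — whereas before it was only handed to the two reusable workflows. Scope it to the steps that actually invoke the CLI by removing it from the job `env:` and adding a step-level `env:` / `CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}` under each `chainloop …` step (GitHub masks the value in logs, but any process in the job can still read it from the environment). Pinning `install.sh` to a commit fixes the script text but not necessarily the CLI binary it downloads; if the script falls back to the latest release when run with no arguments, the tool version is effectively unpinned here, so pass an explicit version (and a checksum if the script supports one). The `steps:` list continues in a later hunk.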
@@ -83,13 +84,21 @@ jobs: with: sarif_file: results.sarif - chainloop_push: - name: Chainloop Push - uses: chainloop-dev/labs/.github/workflows/chainloop_push.yml@25c77318e739c60e86d3dfe7e864f51c665972dd - needs: - - analysis - secrets: - api_token: ${{ secrets.CHAINLOOP_TOKEN }} - with: - attestation_name: "scorecards" - workflow_name: "chainloop-vault-scorecards" + - name: Attest analysis + run: | + chainloop attestation add --name sarif-results --value results.sarif + + - name: Finish and Record Attestation + if: ${{ success() }} + run: | + chainloop attestation push + + - name: Mark attestation as failed + if: ${{ failure() }} + run: | + chainloop attestation reset + + - name: Mark attestation as cancelled + if: ${{ cancelled() }} + run: | + chainloop attestation reset --trigger cancellation
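Review bot: The `failure()`-guarded `chainloop attestation reset` runs for any failed step in the job, including failures of the `Install Chainloop` or `Initialize Attestation` steps from the earlier hunk, where no attestation has been started (or no binary exists), so the cleanup step will likely fail itself and bury the real error. Consider giving the init step an `id: attestation_init` and tightening both guards, e.g. `if: ${{ failure() && steps.attestation_init.outcome == 'success' }}` and `if: ${{ cancelled() && steps.attestation_init.outcome == 'success' }}`. Also, `if: ${{ success() }}` on "Finish and Record Attestation" is the default step condition and can be dropped. The `steps:` list starts in an earlier hunk.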