Upload binary and provenance to GCS

Change-Id: I4c277283400a26a95d21b4cb9bd46da5aad88f86

.github/workflows/provenance.yaml

@@ -55,3 +55,4 @@ jobs:
       ENT_API_KEY: ${{ secrets.ENT_API_KEY }}
       # Secret key corresponding to `ent-public-key` above, used to sign Ent tags.
       ENT_SECRET_KEY: ${{ secrets.ENT_SECRET_KEY }}
+      GCP_SERVICE_ACCOUNT_KEY_JSON: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}

.github/workflows/reusable_provenance.yaml

@@ -19,6 +19,8 @@ on:
       # of a binary to its provenance.
       ENT_SECRET_KEY:
         required: true
+      GCP_SERVICE_ACCOUNT_KEY_JSON:
+        required: true
 
 jobs:
   get_inputs:
@@ -38,7 +40,7 @@ jobs:
 
     steps:
       - name: Mount main branch
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Parse build config
         id: parse-build-config
@@ -101,6 +103,23 @@ jobs:
       pull-requests: write
 
     steps:
+      - name: 'Authenticate to Google Cloud'
+        uses: 'google-github-actions/auth@v2'
+        with:
+          credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+      - name: 'Set up Google Cloud SDK'
+        uses: 'google-github-actions/setup-gcloud@v2'
+
+      - name: 'Google Cloud info'
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o xtrace
+          set -o pipefail
+          gcloud --version
+          gsutil --version
+
       # See https://github.com/google/ent
       - name: Download Ent CLI
         if: steps.cache-ent.outputs.cache-hit != 'true'
@@ -139,7 +158,7 @@ jobs:
           path: downloads
 
       - name: Debug step - Display structure of downloaded files
-        run: ls -R
+        run: ls --recursive
         working-directory: downloads
 
       - name: Upload binary, provenance, signed tag to Ent
@@ -154,6 +173,9 @@ jobs:
           set -o nounset
           set -o xtrace
           set -o pipefail
+
+          bucket_name=oak-bins
+      
           provenance_file="attestation.intoto"
           if [[ "${{ github.event_name }}" != "pull_request" ]]; then
             provenance_file="${provenance_file}.build.slsa"
@@ -169,6 +191,22 @@ jobs:
             --label="provenance_${GITHUB_SHA}_${package_name}" \
             --target=${provenance_digest}
 
+          gsutil cp "${binary_file}" "gs://${bucket_name}/binary/${GITHUB_SHA}/${package_name}/$(basename ${binary_file})"
+          binary_url="https://storage.googleapis.com/${bucket_name}/${destination}/${base_file_name}"
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${binary_url}\" }" \
+            https://api.static.space/v1/snapshot
+
+          gsutil cp "${provenance_file}" "gs://${bucket_name}/provenance/${GITHUB_SHA}/${package_name}/$(basename ${provenance_file})"
+          provenance_url="https://storage.googleapis.com/${bucket_name}/${destination}/${base_file_name}"
+          curl --fail \
+            --request POST \
+            --header 'Content-Type: application/json' \
+            --data "{ \"url\": \"${provenance_url}\" }" \
+            https://api.static.space/v1/snapshot
+
   # Debug step similar to `upload_provenance`, but runs on pull-request events.
   # Differs from `upload_provenance` in that it does not publish the binary
   # and its provenance into Ent and that it does not post a comment on the PR.
@@ -192,7 +230,7 @@ jobs:
           path: downloads
 
       - name: Display structure after downloading the files (debug step)
-        run: ls -R
+        run: ls --recursive
         working-directory: downloads
 
       - name: Print binary digest