chore: fix goreleaser binary name, add SLSA provenance

Signed-off-by: Matthew Penner <[email protected]>
caddyserver · May 20, 2024 · 77a7e75 · 77a7e75
1 parent 501b056
commit 77a7e75
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 7 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -6,8 +6,8 @@ on:
       - "v*"
 
 jobs:
-  release:
-    name: Release
+  goreleaser:
+    name: Goreleaser
     runs-on: ${{ matrix.os }}
     strategy:
       fail-fast: false
@@ -44,9 +44,37 @@ jobs:
         run: git fetch --tags --force
 
       - name: Run Goreleaser
+        id: run-goreleaser
         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_EXPERIMENTAL: 1
         with:
           args: release --clean
+
+      - name: Generate SLSA metadata
+        id: slsa
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type == "Checksum") | .path')
+          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+    outputs:
+      hashes: ${{ steps.slsa.outputs.hashes }}
+      # tag_name: ${{ steps.tag.outputs.tag_name }}
+
+  provenance:
+    name: Provenance
+    needs:
+      - goreleaser
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -13,7 +13,7 @@ report_sizes: true
 
 builds:
   - id: gateway
-    binary: caddy-gateway
+    binary: gateway
     env:
       - CGO_ENABLED=0
     goos:

diff --git a/Containerfile b/Containerfile
@@ -20,13 +20,13 @@ COPY internal/ internal/
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -v -trimpath -a -o caddy-gateway github.com/caddyserver/gateway
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -v -trimpath -a -o gateway github.com/caddyserver/gateway
 
-# Use distroless as minimal base image to package the caddy-gateway binary
+# Use distroless as minimal base image to package the gateway binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/caddy-gateway .
+COPY --from=builder /workspace/gateway .
 USER 65532:65532
 
-ENTRYPOINT ["/caddy-gateway"]
+ENTRYPOINT ["/gateway"]