From 77a7e7589a59ee34affc61bce06bf70d51c99d00 Mon Sep 17 00:00:00 2001
From: Matthew Penner
Date: Sun, 19 May 2024 20:10:26 -0600
Subject: [PATCH] chore: fix goreleaser binary name, add SLSA provenance
Signed-off-by: Matthew Penner
---
 .github/workflows/release.yaml | 32 ++++++++++++++++++++++++++++++--
 .goreleaser.yaml | 2 +-
 Containerfile | 8 ++++----
 3 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 8adfe1a..07e8069 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,8 +6,8 @@ on:
 - "v*"
 jobs:
- release:
- name: Release
+ goreleaser:
+ name: Goreleaser
 runs-on: ${{ matrix.os }}
 strategy:
 fail-fast: false
@@ -44,9 +44,37 @@ jobs:
 run: git fetch --tags --force
 - name: Run Goreleaser
+ id: run-goreleaser
 uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 COSIGN_EXPERIMENTAL: 1
 with:
 args: release --clean
+
+ - name: Generate SLSA metadata
+ id: slsa
+ env:
+ ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+ run: |
+ set -euo pipefail
+
+ checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type == "Checksum") | .path')
+ echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+ outputs:
+ hashes: ${{ steps.slsa.outputs.hashes }}
+ # tag_name: ${{ steps.tag.outputs.tag_name }}
+
+ provenance:
+ name: Provenance
+ needs:
+ - goreleaser
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ # Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ with:
+ base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+ upload-assets: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index 480ee8c..4e7abdd 100644
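Review bot: The new `outputs.hashes` is set on the goreleaser job, which the first hunk shows is a matrix job (`runs-on: ${{ matrix.os }}` under `strategy:`), and GitHub keeps only the value written by the last matrix leg to finish, so if that matrix has more than one entry the provenance job would attest only one leg's checksum file while `upload-assets: true` publishes it as if it covered the release. Either produce the release from a single non-matrix job, or have each leg upload its checksums as a workflow artifact and merge them in a dedicated step that the provenance job depends on. Separately, the `Generate SLSA metadata` script never checks that jq found a `Checksum` entry: with an empty `checksum_file`, `cat` reads stdin instead of a file, so `hashes` is most likely written empty and the failure only surfaces later in the reusable workflow; add `[ -n "$checksum_file" ] || { echo "no Checksum artifact in goreleaser output" >&2; exit 1; }` before the `echo`, and quote the path, `echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"`. The comment above `uses:` also has a typo, `refernced` → `referenced`.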
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -13,7 +13,7 @@ report_sizes: true
 builds:
 - id: gateway
- binary: caddy-gateway
+ binary: gateway
 env:
 - CGO_ENABLED=0
 goos:
diff --git a/Containerfile b/Containerfile
index 9fbf69e..bc05b5c 100644
--- a/Containerfile
+++ b/Containerfile
@@ -20,13 +20,13 @@ COPY internal/ internal/
 # was called. For example, if we call make docker-build in a local env which has the Apple Silicon M1 SO
 # the docker BUILDPLATFORM arg will be linux/arm64 when for Apple x86 it will be linux/amd64. Therefore,
 # by leaving it empty we can ensure that the container and binary shipped on it will have the same platform.
-RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -v -trimpath -a -o caddy-gateway github.com/caddyserver/gateway
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -v -trimpath -a -o gateway github.com/caddyserver/gateway
-# Use distroless as minimal base image to package the caddy-gateway binary
+# Use distroless as minimal base image to package the gateway binary
 # Refer to https://github.com/GoogleContainerTools/distroless for more details
 FROM gcr.io/distroless/static:nonroot
 WORKDIR /
-COPY --from=builder /workspace/caddy-gateway .
+COPY --from=builder /workspace/gateway .
 USER 65532:65532
-ENTRYPOINT ["/caddy-gateway"]
+ENTRYPOINT ["/gateway"]