From 21b1bd3eaa36aceb81636e76b767e9e4592447a1 Mon Sep 17 00:00:00 2001
From: Jamie Wilkinson
Date: Tue, 23 Apr 2024 21:16:17 +1000
Subject: [PATCH] ci: Add SLSA3 provenance support. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser and https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
---
 .github/workflows/release.yml | 34 ++++++++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 27fcf185c..25ea60b0c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -9,12 +9,6 @@ on: tags: - v* -env: # Use docker.io for Docker Hub if empty REGISTRY: ghcr.io # github.repository as / IMAGE_NAME: ${{ github.repository }} - jobs: goreleaser: runs-on: ubuntu-latest
@@ -23,6 +17,8 @@ jobs:
 contents: write
 env:
 flags: ""
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
 steps:
 - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
 run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -35,16 +31,42 @@ jobs:
 go-version-file: 'go.mod'
 cache: true
 - uses: goreleaser/goreleaser-action@v5
+ id: run-goreleaser
 with:
 version: latest
 args: release --rm-dist ${{ env.flags }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ - name: Generate subject
+ id: hash
+ env:
+ ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+ run: |
+ set -euo pipefail
+ hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
+ echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+ provenance:
+ needs: [goreleaser]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+ with:
+ base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+ upload-assets: true # upload to a new release
+
 docker-release:
 runs-on: ubuntu-latest
 permissions:
 # docker writes packages to container registry
 packages: write
+ env:
+ # Use docker.io for Docker Hub if empty
+ REGISTRY: ghcr.io
+ # github.repository as /
+ IMAGE_NAME: ${{ github.repository }}
 steps:
 - uses: actions/checkout@v4
 with:
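Review bot: `echo $ARTIFACTS | jq ...` in the Generate subject step expands the goreleaser artifact JSON unquoted, so the shell applies word splitting and glob expansion to it before jq ever parses it; use `printf '%s' "$ARTIFACTS" | jq ...` (or at least `echo "$ARTIFACTS"`). The step also writes whatever jq emits straight to `$GITHUB_OUTPUT`, so a run in which no artifact carries an `extra.Digest` or `extra.Checksum` hands the provenance job an empty `base64-subjects` and the failure surfaces there rather than at its source; add `[ -n "$hashes" ] || { echo "no artifact digests to attest" >&2; exit 1; }` before the `echo "hashes=..."` line. If this workflow also runs for non-tag refs, as the goreleaser job's snapshot path suggests, the new `provenance` job presumably needs a matching `if: startsWith(github.ref, 'refs/tags/v')` so a snapshot run does not try to upload assets to a release goreleaser never created — worth confirming against the generator's documented behaviour. Leave `generator_generic_slsa3.yml@v2.0.0` as a full `vX.Y.Z` tag rather than SHA-pinning it like an ordinary action: the generator's README states its reusable workflows must be referenced by such a tag and the build fails otherwise. The `goreleaser` job begins before this hunk and the `docker-release` job continues past its end.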