From 61dc64e4c9e72bfcd2401113802e68b40c3d7b74 Mon Sep 17 00:00:00 2001 From: manhtukhang Date: Fri, 6 Dec 2024 19:16:12 +0700 Subject: [PATCH] chrore(ci): added artifacts attestation job to Release workflow Signed-off-by: manhtukhang --- .github/workflows/release.yaml | 52 +++++++++++++++++++++++++++++----- 1 file changed, 45 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9b44893..7afa787 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -8,11 +8,10 @@ on: permissions: contents: read - jobs: goreleaser: permissions: - contents: write # for goreleaser/goreleaser-action to create a GitHub release + contents: write # for goreleaser/goreleaser-action to create a GitHub release runs-on: ubuntu-latest outputs: hashes: ${{ steps.hash.outputs.hashes }} @@ -53,13 +52,48 @@ jobs: echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" echo "project-name=$(echo $GITHUB_REPOSITORY | cut -d'/' -f2)" >> "$GITHUB_OUTPUT" + attestation: + needs: [ goreleaser ] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + attestations: write # To upload attestations. + # contents: write # To add assets to a release. + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + with: + fetch-depth: 0 + + - name: Download artifacts + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PROJECT_NAME: ${{ needs.goreleaser.outputs.project-name }} + VERSION: ${{ github.ref_name }} + run: | + set -euo pipefail + gh release download "${VERSION}" -p "${PROJECT_NAME}_${VERSION}_*" -D ./artifacts + + - name: Generate artifacts attestation + id: gen-att + uses: actions/attest-build-provenance@619dbb2e03e0189af0c55118e7d3c5e129e99726 # v2.0.0 + with: + subject-path: "${{ github.workspace }}/artifacts/*" + # + # - name: Upload attestation + # uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + # with: + # draft: true + # tag_name: ${{ github.ref_name }} + # files: | + # ${{ steps.gen-att.outputs.bundle-path }} + provenance: - needs: [goreleaser] + needs: [ goreleaser ] permissions: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # Do not use tag with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" provenance-name: "${{ needs.goreleaser.outputs.project-name }}_${{ github.ref_name }}.intoto.jsonl" @@ -67,7 +101,7 @@ jobs: draft-release: true verification: - needs: [goreleaser, provenance] + needs: [ goreleaser, attestation, provenance ] runs-on: ubuntu-latest permissions: contents: write # To download assets from draft release. @@ -100,7 +134,11 @@ jobs: checksums="$(echo ${CHECKSUMS} | base64 -d)" while read -r line; do fn="$(echo ${line} | cut -d ' ' -f2)" - echo "Verifying ${fn}" + + echo "Verifying ${fn} with GH CLI" + gh attestation verify "${fn}" --repo "${GITHUB_REPOSITORY}" + + echo "Verifying ${fn} with slsa-verifier" slsa-verifier verify-artifact --provenance-path "${PROVENANCE}" \ --source-uri "github.com/${GITHUB_REPOSITORY}" \ --source-tag "${VERSION}" \ @@ -108,7 +146,7 @@ jobs: done <<<"$checksums" acceptance-test: - needs: [ goreleaser, provenance ] + needs: [ goreleaser, attestation, provenance ] permissions: contents: write # To download assets from draft release. strategy: