.github/workflows/release.yml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78

name: goreleaser

on:
  push:
    tags: ['*']

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v3
      - name: Unshallow
        run: git fetch --prune --unshallow
      - uses: actions/setup-go@v3
        with:
          go-version: 1.18
          check-latest: true
      - uses: goreleaser/goreleaser-action@v4.2.0
        id: run-goreleaser
        with:
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate subject
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"

  provenance:
    needs: [goreleaser]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: true # upload to a new release

  verification:
    needs: [goreleaser, provenance]
    runs-on: ubuntu-latest
    permissions: read-all
    steps:
      # Note: this will be replaced with the GHA in the future.
      # See https://github.com/slsa-framework/slsa-verifier/issues/95
      - name: Install SLSA verifier
        uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1
      - name: Download assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "multiple.intoto.jsonl"
      - name: Verify assets
        env:
          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
          PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
        run: |
          set -euo pipefail
          checksums=$(echo "$CHECKSUMS" | base64 -d)
          while read -r line; do
              fn=$(echo $line | cut -d ' ' -f2)
              echo "Verifying $fn"
              ./slsa-verifier-linux-amd64 -artifact-path "$fn" \
                                      -provenance "$PROVENANCE" \
                                      -source "github.com/$GITHUB_REPOSITORY" \
                                      -tag "$GITHUB_REF_NAME"
          done <<<"$checksums"