From cc4e1134d193b661d83ebc6d64b0e196ca0917da Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Sun, 19 Mar 2023 17:10:05 +0300
Subject: [PATCH 1/2] feature: enable verification for provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Batuhan Apaydın
---
 .github/workflows/go-ossf-slsa3-publish.yml | 36 ++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
index 8547734..bb179c2 100644
--- a/.github/workflows/go-ossf-slsa3-publish.yml
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -57,9 +57,43 @@ jobs: arch: - amd64 - arm64 - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.2 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 with: go-version: 1.17 # Optional: only needed if using ldflags. evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}" config-file: slsa/goreleaser-${{matrix.os}}-${{matrix.arch}}.yml + + verification: + needs: + - build + runs-on: ubuntu-latest + permissions: read-all + steps: + # Note: this will be replaced with the GHA in the future. + - name: Install the verifier + uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1 + + - name: Download assets + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl" + ARTIFACT: ${{ needs.build.outputs.go-binary-name }} + run: | + set -euo pipefail + + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME" + + - name: Verify assets + env: + ARTIFACT: ${{ needs.build.outputs.go-binary-name }} + ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl" + run: | + set -euo pipefail + + echo "Verifying $ARTIFACT using $ATT_FILE_NAME" + slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \ + --source-uri "github.com/$GITHUB_REPOSITORY" \ + --source-tag "$GITHUB_REF_NAME" \ + "$ARTIFACT" From c7f7a1de3873fee980e19f74547ab480d79dd764 Mon Sep 17 00:00:00 2001 From: Justin Abrahms Date: Sun, 19 Mar 2023 20:35:33 -0700 Subject: [PATCH 2/2] Update .github/workflows/go-ossf-slsa3-publish.yml --- .github/workflows/go-ossf-slsa3-publish.yml | 1 - 1 file changed, 1 deletion(-) 
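Review bot: In the Download assets step, `$ARTIFACT` is passed to `gh release download -p` unquoted while `"$ATT_FILE_NAME"` on the following line is quoted; the unquoted form is subject to word splitting and glob expansion, so change it to `-p "$ARTIFACT"`. The `ARTIFACT` and `ATT_FILE_NAME` env entries are then repeated verbatim in the Verify assets step, and a job-level `env:` under `verification:` would define them once. The step also relies on the `build` job having uploaded both the binary and the `.intoto.jsonl` attestation to the release named by `$GITHUB_REF_NAME`, which only holds on a tag-triggered run; the trigger and the builder's upload setting are outside this hunk, so a comment such as `# Requires the build job to upload release assets and a tag-triggered run (GITHUB_REF_NAME is the release tag).` would record that assumption. Finally, `slsa-framework/slsa-verifier/actions/installer` is referenced by a mutable tag; pinning it to the full commit SHA of that release (placeholder: `@<commit-sha> # v2.0.1`) is what Scorecard's pinned-dependencies check expects and fits a workflow whose purpose is supply-chain verification.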
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
index bb179c2..1ad7402 100644
--- a/.github/workflows/go-ossf-slsa3-publish.yml
+++ b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -70,7 +70,6 @@ jobs: runs-on: ubuntu-latest permissions: read-all steps: - # Note: this will be replaced with the GHA in the future. - name: Install the verifier uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1