Support Github Artifact Attestations #4852
Comments
This is actually pretty simple to do yourself in case anyone else is interested:

```yaml
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
  id: goreleaser
  with:
    version: latest
    args: release --clean
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# parse artifacts to the format required for image attestation
- run: |
    echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
    echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
  id: image_metadata
  env:
    ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
# attest archives
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
  with:
    subject-path: "dist/*.tar.gz"
# attest image
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
  with:
    subject-digest: ${{steps.image_metadata.outputs.digest}}
    subject-name: ${{steps.image_metadata.outputs.name}}
    push-to-registry: true
```
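The fragile part of the snippet above is the `run` step: the two jq filters must yield exactly one digest and one image name, or the lines written to `$GITHUB_OUTPUT` are malformed and the image attestation step attests the wrong subject or fails. The following is an added example (not code from this issue or from the GoReleaser project) that performs the same selection in Python, with the checks a workflow author would want: it rejects a missing or ambiguous versioned manifest and validates the digest format before anything is handed to the attestation step. The artifact list is constructed; only the fields the jq filters read (`name`, `path`, `type`, `extra.Digest`) are taken from the snippet, and the rest of GoReleaser's real output shape is assumed.

```python
"""Select the attestation subjects from GoReleaser's artifacts output.

Added example, not code from the issue or from GoReleaser. It mirrors the jq
filters in the workflow step above and adds the input validation they lack.
The sample artifact list is constructed; the real shape of GoReleaser's
artifacts output beyond the fields used here is assumed.
"""
import json
import re
from typing import Dict, List

# A registry digest as attest-build-provenance expects it: sha256 plus 64 hex.
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for ${{ steps.goreleaser.outputs.artifacts }}.
SAMPLE_ARTIFACTS = json.dumps([
    {"name": "myapp_1.2.3_linux_amd64.tar.gz",
     "path": "dist/myapp_1.2.3_linux_amd64.tar.gz", "type": "Archive"},
    {"name": "myapp_1.2.3_darwin_arm64.tar.gz",
     "path": "dist/myapp_1.2.3_darwin_arm64.tar.gz", "type": "Archive"},
    {"name": "checksums.txt", "path": "dist/checksums.txt", "type": "Checksum"},
    {"name": "ghcr.io/example/myapp:latest", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "ab" * 32}},
    {"name": "ghcr.io/example/myapp:v1.2.3", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "ab" * 32}},
])

# Constructed failure case: two manifests match the ":v" test with different
# digests, so the jq filter would print two lines into $GITHUB_OUTPUT.
AMBIGUOUS_ARTIFACTS = json.dumps([
    {"name": "ghcr.io/example/myapp:v1.2.3", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "ab" * 32}},
    {"name": "ghcr.io/example/myapp:v1", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "cd" * 32}},
])


def image_subject(artifacts_json: str) -> Dict[str, str]:
    """Return the subject-name / subject-digest pair for the versioned image.

    Equivalent to select(.type=="Docker Manifest")|select(.name|test(":v")),
    but it refuses to proceed unless exactly one distinct subject matches.
    """
    matches = [a for a in json.loads(artifacts_json)
               if a.get("type") == "Docker Manifest" and ":v" in a.get("name", "")]
    if not matches:
        raise ValueError("no versioned Docker Manifest artifact in GoReleaser output")
    # rsplit on the last ":" strips only the tag; the snippet's split(":")[0]
    # would also truncate a registry host that carries a port.
    subjects = {(m["name"].rsplit(":", 1)[0], m["extra"]["Digest"]) for m in matches}
    if len(subjects) != 1:
        raise ValueError(f"ambiguous manifests: {sorted(m['name'] for m in matches)}")
    name, digest = subjects.pop()
    if not _DIGEST_RE.match(digest):
        raise ValueError(f"unexpected digest format: {digest!r}")
    return {"name": name, "digest": digest}


def archive_paths(artifacts_json: str) -> List[str]:
    """Paths the `subject-path: "dist/*.tar.gz"` glob covers, read from the
    artifact list instead of the filesystem so they can be checked up front."""
    return sorted(a["path"] for a in json.loads(artifacts_json)
                  if a.get("type") == "Archive" and a["path"].endswith(".tar.gz"))


def github_output_lines(artifacts_json: str) -> List[str]:
    """The key=value lines the run step appends to $GITHUB_OUTPUT."""
    subject = image_subject(artifacts_json)
    return [f"digest={subject['digest']}", f"name={subject['name']}"]


if __name__ == "__main__":
    for line in github_output_lines(SAMPLE_ARTIFACTS):
        print(line)
    print("archives:", archive_paths(SAMPLE_ARTIFACTS))
```

Run it directly to see the two output lines and the archive list; in a workflow the same checks can be done by piping the jq output through `wc -l` and failing the step when the count is not 1.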
Yeah, as far as I looked there's no GitHub API to use these attestation-related things, so I think this will be the only way. @smlx, are you interested in writing a docs page or guest blog post in our blog about your solution? Totally cool if not; thought I'd ask before trying to come up with something similar myself :)

Ah, that's a shame about the missing API! Sorry, I don't really have time in the near future to write such docs or a blog post, but please feel free to take whatever you need from my YAML snippet 👍
Played with it a bit, and it's pretty much what you did indeed. I think this issue is documentation enough of it for now; will add a blog post in the future if needed. But, basically:

tldr, besides fiddling with

I don't know if you saw this already, but there does seem to be an API for attestations: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#create-an-attestation Possibly this is new since the feature went GA: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/

I haven't! Thanks for sharing, will reopen to investigate 🙏

For anyone who wants to attest both build provenance and SBOMs, here is an example:
There is now support for this (see https://goreleaser.com/customization/attestations/). But for it to work, you must also configure this in your

```yaml
# Configure the checksums filename, to allow the attestation to pick up the correct filename
checksum:
  name_template: checksums.txt
```

Otherwise, you'd get the following error:

https://goreleaser.com/customization/attestations/ It's documented already; might need to add this extra bit about the checksum name. The default name is 'ProjectName_checksums.txt'.
Is your feature request related to a problem? Please describe.
GitHub recently added a new feature called "Artifact Attestations". From what I can tell, it isn't straightforward to integrate this feature with GoReleaser.
Describe the solution you'd like
GitHub recently introduced native integration of sigstore signatures. They're calling this "Artifact Attestations". It would be very cool if GoReleaser supported automatic artifact attestations for all release artifacts, or at least documented the recommended integration approach.
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
Describe alternatives you've considered
GoReleaser already supports signing various artifacts using sigstore's cosign. However, checking signatures is not straightforward and requires a fairly complex cosign command.
Additional context
No response