Add SLSA provenance

MatthiasValvekens · Sep 7, 2023 · fb7b29c · fb7b29c
1 parent 3a73eb8
commit fb7b29c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/.github/workflows/build-pipeline.yml b/.github/workflows/build-pipeline.yml
@@ -7,6 +7,10 @@ on:
     branches: [ master ]
   workflow_call:
     secrets: {}
+    outputs:
+      hashes:
+        description: "Hashes of the artifacts that were built"
+        value: ${{ jobs.build.outputs.hashes }}
 permissions:
   actions: read
   contents: read
@@ -16,6 +20,8 @@ env:
 jobs:
   build:
     runs-on: ubuntu-22.04
+    outputs:
+      hashes: ${{ steps.artifact-hashes.outputs.hashes }}
     steps:
       - uses: actions/checkout@v3
       - name: Set up Python
@@ -26,6 +32,9 @@ jobs:
         run: pip install --upgrade build setuptools pip wheel
       - name: build
         run: python -m build
+      - name: Record release artifact hashes
+        id: artifact-hashes
+        run: cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
       - name: Upload dist artifacts
         uses: actions/upload-artifact@v3
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,6 +5,7 @@ on:
     inputs:
       environment:
         type: environment
+        description: "Environment in which to execute the release process"
   push:
     branches: [ "ci/*", "ci-*" ]
 jobs:
@@ -55,9 +56,21 @@ jobs:
         with:
           name: release-body
           path: release.md
+  provenance:
+    name: Generate SLSA provenance data
+    needs: [ci]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write  # https://github.com/slsa-framework/slsa-github-generator/issues/2044 :(
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.ci.outputs.hashes }}"
+      upload-assets: false
+      provenance-name: multiple.intoto.jsonl
   publish:
     name: Publish release artifacts
-    needs: [ci, find-env]
+    needs: [provenance, find-env]
     runs-on: ubuntu-latest
     environment: ${{ needs.find-env.outputs.publish-env }}
     permissions:
@@ -71,6 +84,11 @@ jobs:
       with:
         name: pyhanko-certvalidator-dist
         path: dist/
+    - name: Download provenance data
+      uses: actions/download-artifact@v3
+      with:
+        name: multiple.intoto.jsonl
+        path: provenance/
     - name: Download release body
       uses: actions/download-artifact@v3
       with:
@@ -97,6 +115,7 @@ jobs:
           dist/*.whl
           dist/*.tar.gz
           dist/*.sigstore
+          provenance/multiple.intoto.jsonl
         body_path: release-body/release.md
         fail_on_unmatched_files: true
         prerelease: true