Commit

Add SLSA verification step to release workflow
marcransome committed Mar 24, 2024
1 parent 985a046 commit 48f7aaa
Showing 1 changed file with 19 additions and 0 deletions.
19 changes: 19 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -122,6 +122,25 @@ jobs:
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.sha256-filename-darwin-arm64 }}
- name: Install SLSA verifier
uses: slsa-framework/slsa-verifier/actions/installer@7e1e47d7d793930ab0082c15c2b971fdb53a3c95 # v2.4.1
- name: Verify SLSA provenance
env:
CHECKSUMS: ${{ needs.combine-checksums.outputs.checksums }}
PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
run: |
set -euo pipefail
checksums=$(echo "${CHECKSUMS}" | base64 -d)
while read -r line; do
filename=$(echo ${line} | cut -d ' ' -f2)
echo "Verifying ${filename}.."
slsa-verifier verify-artifact \
--provenance-path "${PROVENANCE}" \
--source-uri "github.com/${GITHUB_REPOSITORY}" \
--source-tag "${GITHUB_REF_NAME}" \
"${filename}"
echo
done <<< "${checksums}"
- name: Upload release assets
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
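Review bot: In the verify loop, `filename=$(echo ${line} | cut -d ' ' -f2)` expands `${line}` unquoted, so the field extraction relies on shell word splitting to collapse the separator between digest and filename, and any glob character in the line (for example the `*` that some checksum tools place before the filename in binary mode) is expanded against the working directory before `cut` sees it. A filename containing a space is also cut down to its first word. Let `read` do the split instead, for example `while read -r _ filename; do`, which avoids both the unquoted expansion and the extra `echo | cut` subshell. Separately, if `CHECKSUMS` decodes to an empty string the here-string still feeds one empty line, so the body runs once with an empty `filename`; an explicit check that the decoded list is non-empty before the loop would give a clearer failure than whatever `slsa-verifier` reports for an empty path.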