Merge pull request #688 from suzuki-shunsuke/ci/slsa-provenance

chore: create SLSA Provenance
suzuki-shunsuke · Jan 4, 2023 · 59bbaa5 · 59bbaa5
2 parents 5452fbf + 75f25f5
commit 59bbaa5
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 59 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,66 @@
+---
+name: Release
+on:
+  push:
+    tags: [v*]
+permissions:
+  contents: write # required to create a release
+  id-token: write # required for cosign
+env:
+  AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: '1.19.4'
+          cache: true
+
+      - name: Generate token
+        id: generate_token
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # tag=v1.7.0
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: remove changes
+        # Sometimes it is failed to release by goreleaser due to changes of go.sum
+        run: git checkout -- .
+      - name: fetch tags to release
+        run: git fetch --tags -f
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Generate hashes
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact1 artifact2 ... | base64 -w0
+          echo "hashes=$(find dist -name "*.tar.gz" -print0 | xargs -0 sha256sum | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read # Needed for detection of GitHub Actions environment.
+      id-token: write # Needed for provenance signing and ID
+      contents: write # Needed for release uploads
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      # Upload provenance to a new release
+      upload-assets: true
diff --git a/.github/workflows/renovate-config-validator.yaml b/.github/workflows/renovate-config-validator.yaml
@@ -1,5 +1,8 @@
 name: renovate-config-validator
 
+permissions:
+  contents: read # For checkout
+
 on:
   pull_request:
     branches:

diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -3,9 +3,12 @@ name: CI
 on:
   push:
     branches: [main]
-    tags: [v*]
   pull_request:
     branches: [main]
+permissions:
+  contents: read # For checkout
+env:
+  AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -22,26 +25,3 @@ jobs:
       - uses: suzuki-shunsuke/github-action-golangci-lint@4b6bb7682772359cf0e7959932803ca2ff998895 # v0.1.4
       - name: dry run
         run: bash scripts/test-dry-run.sh
-
-      - name: remove changes
-        # Sometimes it is failed to release by goreleaser due to changes of go.sum
-        run: git checkout -- .
-        if: startsWith(github.ref, 'refs/tags/')
-
-      - name: Generate token
-        id: generate_token
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # tag=v1.7.0
-        with:
-          app_id: ${{ secrets.APP_ID }}
-          private_key: ${{ secrets.APP_PRIVATE_KEY }}
-
-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
-        if: startsWith(github.ref, 'refs/tags/')
-        with:
-          version: latest
-          args: release --rm-dist
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
diff --git a/aqua-policy.yaml b/aqua-policy.yaml
@@ -0,0 +1,8 @@
+---
+# aqua Policy
+# https://aquaproj.github.io/docs/tutorial-extras/policy-as-code
+registries:
+- type: standard
+  ref: semver(">= 3.0.0")
+packages:
+- registry: standard