Skip to content

Commit

Permalink
Merge pull request #481 from tangrufus/gh-attest
Browse files Browse the repository at this point in the history
Add GitHub attestation
  • Loading branch information
swalkinshaw authored Sep 30, 2024
2 parents 1d4457a + b9c5142 commit 5f93ee8
Show file tree
Hide file tree
Showing 4 changed files with 130 additions and 4 deletions.
1 change: 1 addition & 0 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ jobs:
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: anchore/sbom-action/download-syft@v0
- name: Install GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
Expand Down
98 changes: 94 additions & 4 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,24 +6,114 @@ on:
- '*'
workflow_dispatch:

permissions:
contents: write
permissions: {}

jobs:
goreleaser:
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
build-provenance-artifact-id: ${{ steps.upload-build-provenance.outputs.artifact-id }}
sbom-artifact-id: ${{ steps.upload-sbom.outputs.artifact-id }}
sbom-attestations: ${{ steps.upload-sbom.outputs.attestations }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: anchore/sbom-action/download-syft@v0
- name: GoReleaser release
uses: goreleaser/goreleaser-action@v6
with:
distribution: goreleaser
version: latest
version: '~> v2'
args: release
env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_ACCESS_TOKEN }}
- uses: actions/upload-artifact@v4
id: upload-build-provenance
with:
name: build-provenance
path: |
dist/trellis_*/trellis
dist/trellis_*/trellis.exe
dist/trellis_*.tar.gz
dist/trellis_*.zip
dist/**/*.sbom.json
- uses: typisttech/upload-goreleaser-sboms-action@v0
id: upload-sbom

attest-build-provenance:
needs: [goreleaser]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
steps:
- uses: actions/download-artifact@v4
with:
path: dist
name: build-provenance
- uses: actions/attest-build-provenance@v1
with:
subject-path: |
dist/trellis_*/trellis
dist/trellis_*/trellis.exe
dist/trellis_*.tar.gz
dist/trellis_*.zip
dist/**/*.sbom.json
attest-sbom:
needs: [goreleaser]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
strategy:
matrix:
attestation: ${{ fromJSON(needs.goreleaser.outputs.sbom-attestations) }}
steps:
- uses: actions/download-artifact@v4
with:
name: sboms
- uses: actions/attest-sbom@v1
with:
subject-path: ${{ matrix.attestation.subject }}
sbom-path: ${{ matrix.attestation.sbom }}

verify:
needs: [goreleaser, attest-build-provenance, attest-sbom]
runs-on: ubuntu-latest
steps:
- run: gh release download --clobber --dir artifacts -p '*.tar.gz' -p '*.zip' -p '*.sbom.json' --repo $REPO $TAG
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
TAG: ${{ github.ref_name }}
- run: tree artifacts
- run: ls | xargs -I {} gh attestation verify --repo $REPO {}
working-directory: artifacts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}

cleanup:
needs: [goreleaser, verify]
runs-on: ubuntu-latest
permissions:
actions: write
steps:
- run: >
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
ARTIFACT_ID: ${{ needs.goreleaser.outputs.build-provenance-artifact-id }}
- run: >
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
ARTIFACT_ID: ${{ needs.goreleaser.outputs.sbom-artifact-id }}
2 changes: 2 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,8 @@ archives:
format: zip
checksum:
name_template: '{{ .ProjectName }}_checksums.txt'
sboms:
- artifacts: archive
changelog:
sort: asc
filters:
Expand Down
33 changes: 33 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -76,6 +76,39 @@ setup after downloading the Windows build:
4. Edit path from system variables and add new named `%TRELLIS%`
5. Save the changes

## Verify Attestation
trellis-cli artifacts can be [cryptographically verified via GitHub CLI](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).

```console
# The archive with both predicates
$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz
## ...snipped...
✓ Verification succeeded!

sha256:xxx was attested by:
REPO PREDICATE_TYPE WORKFLOW
roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7
roots/trellis-cli https://spdx.dev/Document/v2.3 .github/workflows/release.yml@refs/tags/v9.8.7

# The binary
$ gh attestation verify --repo roots/trellis-cli /path/to/trellis
## ...snipped...
✓ Verification succeeded!

sha256:xxx was attested by:
REPO PREDICATE_TYPE WORKFLOW
roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7

# The SBOM
$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz.sbom.json
## ...snipped...
✓ Verification succeeded!

sha256:xxx was attested by:
REPO PREDICATE_TYPE WORKFLOW
roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7
```

## Shell Integration

### Autocompletes
Expand Down

0 comments on commit 5f93ee8

Please sign in to comment.