From 3f78673780fdbdafe6dda71cdc4ed12c5a4e5ee8 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Mon, 23 Sep 2024 21:44:21 +0900
Subject: [PATCH 1/3] feat(suzuki-shunsuke/mkghtag): verify GitHub Artifact Attestations
---
 pkgs/suzuki-shunsuke/mkghtag/registry.yaml | 29 ++++++++++++++++++++++
 registry.yaml | 29 ++++++++++++++++++++++
 2 files changed, 58 insertions(+)
diff --git a/pkgs/suzuki-shunsuke/mkghtag/registry.yaml b/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
index 556d8fb9df3..fdbae600c01 100644
--- a/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
+++ b/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
@@ -15,6 +15,8 @@ packages:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
+ github_artifact_attestations:
+ signer-workflow: terraform-linters/tflint/.github/workflows/release.yml
 cosign:
 opts:
 - --certificate-identity-regexp
@@ -30,6 +32,29 @@ packages:
 format: zip
 slsa_provenance:
 enabled: false
+ - version_constraint: semver("<= 0.1.4")
+ asset: mkghtag_{{.OS}}_{{.Arch}}.{{.Format}}
+ format: tar.gz
+ overrides:
+ - goos: windows
+ format: zip
+ slsa_provenance:
+ type: github_release
+ asset: multiple.intoto.jsonl
+ checksum:
+ type: github_release
+ asset: mkghtag_{{trimV .Version}}_checksums.txt
+ algorithm: sha256
+ cosign:
+ opts:
+ - --certificate-identity-regexp
+ - "https://github\\.com/suzuki-shunsuke/go-release-workflow/\\.github/workflows/release\\.yaml@.*"
+ - --certificate-oidc-issuer
+ - "https://token.actions.githubusercontent.com"
+ - --signature
+ - https://github.com/suzuki-shunsuke/mkghtag/releases/download/{{.Version}}/mkghtag_{{trimV .Version}}_checksums.txt.sig
+ - --certificate
+ - https://github.com/suzuki-shunsuke/mkghtag/releases/download/{{.Version}}/mkghtag_{{trimV .Version}}_checksums.txt.pem
 - version_constraint: "true"
 asset: mkghtag_{{.OS}}_{{.Arch}}.{{.Format}}
 format: tar.gz
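Review bot: The `--certificate-identity-regexp` value added in the new `semver("<= 0.1.4")` override has no `^` anchor and ends in `@.*`, so it constrains the signer less tightly than it reads. If cosign applies the pattern as an unanchored search (worth confirming), a certificate identity that merely contains this URL would match; anchoring it as `"^https://github\\.com/suzuki-shunsuke/go-release-workflow/\\.github/workflows/release\\.yaml@.*"` removes that doubt without changing which releases verify. The same line is added in the mirrored root `registry.yaml` hunk at `@@ -43461,6 +43463,29 @@`. The override added here is complete inside the hunk; the `version_constraint: "true"` entry that follows it continues outside.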
@@ -39,10 +64,14 @@ packages:
 slsa_provenance:
 type: github_release
 asset: multiple.intoto.jsonl
+ github_artifact_attestations:
+ signer-workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
 checksum:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
+ github_artifact_attestations:
+ signer-workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
 cosign:
 opts:
 - --certificate-identity-regexp
diff --git a/registry.yaml b/registry.yaml
index 7dc85c387e0..523f92709fa 100644
--- a/registry.yaml
+++ b/registry.yaml
@@ -43446,6 +43446,8 @@ packages:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
+ github_artifact_attestations:
+ signer-workflow: terraform-linters/tflint/.github/workflows/release.yml
 cosign:
 opts:
 - --certificate-identity-regexp
@@ -43461,6 +43463,29 @@ packages:
 format: zip
 slsa_provenance:
 enabled: false
+ - version_constraint: semver("<= 0.1.4")
+ asset: mkghtag_{{.OS}}_{{.Arch}}.{{.Format}}
+ format: tar.gz
+ overrides:
+ - goos: windows
+ format: zip
+ slsa_provenance:
+ type: github_release
+ asset: multiple.intoto.jsonl
+ checksum:
+ type: github_release
+ asset: mkghtag_{{trimV .Version}}_checksums.txt
+ algorithm: sha256
+ cosign:
+ opts:
+ - --certificate-identity-regexp
+ - "https://github\\.com/suzuki-shunsuke/go-release-workflow/\\.github/workflows/release\\.yaml@.*"
+ - --certificate-oidc-issuer
+ - "https://token.actions.githubusercontent.com"
+ - --signature
+ - https://github.com/suzuki-shunsuke/mkghtag/releases/download/{{.Version}}/mkghtag_{{trimV .Version}}_checksums.txt.sig
+ - --certificate
+ - https://github.com/suzuki-shunsuke/mkghtag/releases/download/{{.Version}}/mkghtag_{{trimV .Version}}_checksums.txt.pem
 - version_constraint: "true"
 asset: mkghtag_{{.OS}}_{{.Arch}}.{{.Format}}
 format: tar.gz
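Review bot: `signer-workflow` is the only hyphenated key in this file's hunks, where every other key (`version_constraint`, `slsa_provenance`, `github_artifact_attestations`) is snake_case; confirm that the registry schema accepts this spelling. If the loader ignores unknown keys, both blocks added in `@@ -39,10 +64,14 @@` would verify the attestation without constraining the signing workflow, so anything able to attest in the repository would pass. A negative check, installing with a deliberately wrong workflow path and expecting failure, would settle it. The value also carries no ref, so any revision of `release.yaml` in `suzuki-shunsuke/go-release-workflow` is accepted, presumably by design. The same additions are mirrored in the root `registry.yaml` hunk at `@@ -43470,10 +43495,14 @@`, and the enclosing override starts before this hunk.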
@@ -43470,10 +43495,14 @@ packages:
 slsa_provenance:
 type: github_release
 asset: multiple.intoto.jsonl
+ github_artifact_attestations:
+ signer-workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
 checksum:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
+ github_artifact_attestations:
+ signer-workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
 cosign:
 opts:
 - --certificate-identity-regexp
From 336a3f3e2283fa712afa0b49c40e95c928e34697 Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Mon, 23 Sep 2024 21:46:30 +0900
Subject: [PATCH 2/3] test(suzuki-shunsuke/mkghtag): add testdata
---
 pkgs/suzuki-shunsuke/mkghtag/pkg.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/pkgs/suzuki-shunsuke/mkghtag/pkg.yaml b/pkgs/suzuki-shunsuke/mkghtag/pkg.yaml
index 66c8fd41143..a877e5fb0da 100644
--- a/pkgs/suzuki-shunsuke/mkghtag/pkg.yaml
+++ b/pkgs/suzuki-shunsuke/mkghtag/pkg.yaml
@@ -1,4 +1,6 @@
 packages:
- - name: suzuki-shunsuke/mkghtag@v0.1.4
+ - name: suzuki-shunsuke/mkghtag@v0.1.5-3
+ - name: suzuki-shunsuke/mkghtag
+ version: v0.1.4
 - name: suzuki-shunsuke/mkghtag
 version: v0.1.0
From f9cce37273a70e2f5664fb4c3708169ffe7e320c Mon Sep 17 00:00:00 2001
From: Shunsuke Suzuki
Date: Mon, 23 Sep 2024 21:51:29 +0900
Subject: [PATCH 3/3] fix(suzuki-shunsuke/mkghtag): remove the invalid setting
---
 pkgs/suzuki-shunsuke/mkghtag/registry.yaml | 2 --
 registry.yaml | 2 --
 2 files changed, 4 deletions(-)
diff --git a/pkgs/suzuki-shunsuke/mkghtag/registry.yaml b/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
index fdbae600c01..cb469c6cc96 100644
--- a/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
+++ b/pkgs/suzuki-shunsuke/mkghtag/registry.yaml
@@ -15,8 +15,6 @@ packages:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
- github_artifact_attestations:
- signer-workflow: terraform-linters/tflint/.github/workflows/release.yml
 cosign:
 opts:
 - --certificate-identity-regexp
diff --git a/registry.yaml b/registry.yaml
index 523f92709fa..d91c4a3ae75 100644
--- a/registry.yaml
+++ b/registry.yaml
@@ -43446,8 +43446,6 @@ packages:
 type: github_release
 asset: mkghtag_{{trimV .Version}}_checksums.txt
 algorithm: sha256
- github_artifact_attestations:
- signer-workflow: terraform-linters/tflint/.github/workflows/release.yml
 cosign:
 opts:
 - --certificate-identity-regexp