From ebf69a5a8340f2609b1373e0035d6ae0678c0ac6 Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Tue, 9 Apr 2024 21:44:08 +0200
Subject: [PATCH] ci(release): fix SLSA provenance
---
 .github/workflows/release.yaml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 76e8792..9215f24 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,12 +20,15 @@ jobs:
 uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
 with:
 fetch-depth: 0
+ - name: Set up Go
 uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
 with:
 go-version-file: 'go.mod'
+ - name: Install Syft
 uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10
+ - name: Run GoReleaser
 id: run-goreleaser
 uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
@@ -36,12 +39,13 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }}
- slsa:
+ provenance:
 needs: [goreleaser]
 permissions:
- id-token: write # To sign.
- contents: write # To upload release assets.
- actions: read # To read workflow path.
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 # not pinned to avoid breaking it, use it to target refs/tags/vX.Y.Z
 with:
- go-version-file: 'go.mod'
+ base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+ upload-assets: true # upload to a new release
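Review bot: `base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"` in the second hunk depends on the `goreleaser` job exposing an `outputs.hashes` value, and neither hunk shows that output being declared nor a step that derives it from the GoReleaser `artifacts` output (the job header sits above the first hunk and the lines between the two hunks are not shown); if it is missing, the expression expands to an empty string and the generator is handed no subjects to attest, so please confirm the job declares `outputs: hashes: ${{ steps.<step-id>.outputs.hashes }}` fed by a step that base64-encodes the checksums file. The `uses:` line replaces the SHA pin with a tag; as far as I recall, slsa-github-generator documents that its reusable workflows must be referenced by tag because the generator verifies its own ref, so the inline comment should name that constraint rather than "to avoid breaking it", e.g. `# referenced by tag rather than SHA: the SLSA generator verifies its own ref and requires a tag`, so a later pin-everything pass does not revert it. The comment on `upload-assets: true` says "upload to a new release", but since GoReleaser has presumably already created the release for this tag, the provenance is attached to that existing release; `# attach the provenance to this tag's release` would describe it more accurately.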