From 3c1b43ec5890462ad0a459c9b81c083f4af99c27 Mon Sep 17 00:00:00 2001
From: Lucas TESSON
Date: Tue, 23 Apr 2024 21:19:21 +0200
Subject: [PATCH] ci: update dependencies and remove SLSA provenance validation
---
 .github/workflows/goreleaser.yaml | 91 -------------------------------
 .github/workflows/release.yaml | 60 ++++++++++++++++++++
 2 files changed, 60 insertions(+), 91 deletions(-)
 delete mode 100644 .github/workflows/goreleaser.yaml
 create mode 100644 .github/workflows/release.yaml
diff --git a/.github/workflows/goreleaser.yaml b/.github/workflows/goreleaser.yaml
deleted file mode 100644
index 812755d..0000000
--- a/.github/workflows/goreleaser.yaml
+++ /dev/null
@@ -1,91 +0,0 @@ -name: Release website - -on: - push: - tags: - - "v*" - -permissions: - contents: read - -jobs: - goreleaser: - outputs: - hashes: ${{ steps.hash.outputs.hashes }} - permissions: - contents: write # for goreleaser/goreleaser-action to create a GitHub release - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - - name: Set up Go - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 - with: - go-version: "1.21" - check-latest: true - - name: Install Syft - run: | - curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - name: Run GoReleaser - id: run-goreleaser - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 - with: - version: latest - args: release --clean - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }} - - name: Generate subject - id: hash - env: - ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" - run: | - set -euo pipefail - - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" - - provenance: - needs: [goreleaser] - permissions: - actions: read # To read the workflow path. - id-token: write # To sign the provenance. - contents: write # To add assets to a release. 
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 - with: - base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" - upload-assets: true # upload to a new release - verification: - needs: [goreleaser, provenance] - runs-on: ubuntu-latest - permissions: read-all - steps: - - name: Install the verifier - uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 - - - name: Download assets - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" - run: | - set -euo pipefail - gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz" - gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom" - gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE" - - name: Verify assets - env: - CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }} - PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" - run: | - set -euo pipefail - checksums=$(echo "$CHECKSUMS" | base64 -d) - while read -r line; do - fn=$(echo $line | cut -d ' ' -f2) - echo "Verifying $fn" - slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ - --source-uri "github.com/$GITHUB_REPOSITORY" \ - --source-tag "$GITHUB_REF_NAME" \ - "$fn" - done <<<"$checksums" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..9adaf8d --- /dev/null +++ b/.github/workflows/release.yaml 
@@ -0,0 +1,60 @@
+name: Release
+
+on:
+ push:
+ tags:
+ - "v*"
+
+permissions:
+ contents: read
+
+jobs:
+ goreleaser:
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
+ permissions:
+ contents: write # for goreleaser/goreleaser-action to create a GitHub release
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
+ with:
+ # Allow goreleaser to access older tag information.
+ fetch-depth: 0
+
+ - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
+ with:
+ go-version-file: 'go.mod'
+
+ - name: Install Syft
+ uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10
+
+ - name: Run GoReleaser
+ id: run-goreleaser
+ uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
+ with:
+ args: release --clean
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }}
+
+ - name: Generate subject
+ id: hash
+ env:
+ ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+ run: |
+ set -euo pipefail
+
+ checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+ echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ needs: [goreleaser]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # not pinned to avoid breaking it, use it to target refs/tags/vX.Y.Z
+ with:
+ base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+ upload-assets: true # upload to a new release
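Review bot: `VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }}` in the Run GoReleaser step references a step id `ldflags` that no step in this workflow defines (the same dangling reference was in the deleted goreleaser.yaml), so the variable is always empty and anything the GoReleaser config injects from it will be blank; either add the step that computes it or drop the line. The Checkout step keeps actions/checkout's default credential persistence, which by default leaves the job's `contents: write` token in the checkout for every later step even though GoReleaser already receives it explicitly via `GITHUB_TOKEN`; add `persist-credentials: false` under its `with:`. In the Generate subject step, `cat $checksum_file` should be `cat "$checksum_file"` so the path is not word-split if it ever contains spaces. With the verifier job gone, nothing in this pipeline runs slsa-verifier against the published assets any more, so a short note in the release docs that consumers are expected to verify the provenance themselves would be worth adding.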