diff --git a/.github/workflows/README.md b/.github/workflows/README.md index f3fe06a..9266749 100644 --- a/.github/workflows/README.md +++ b/.github/workflows/README.md @@ -75,7 +75,7 @@ The release workflow includes multiple jobs to create a release of the project. ### Go Release This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml). -For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)). +For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)). ### Container Release diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 37b2bfb..299f562 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -32,6 +32,7 @@ jobs: with: go-version-file: 'go.mod' check-latest: true + cache: false - name: Install Syft uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0 - name: Install Cosign 
@@ -40,7 +41,7 @@ jobs: id: goreleaser uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 with: - version: latest + version: '~> v1' args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -72,6 +73,7 @@ jobs: with: go-version-file: 'go.mod' check-latest: true + cache: false - name: Install Cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 - name: Publish podsalsa @@ -136,7 +138,7 @@ jobs: set -euo pipefail gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz" gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip" - gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom" + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom.json" gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE" # verify each artifact in checksum.txt file with the provenance - name: Verify assets diff --git a/SECURITY.md b/SECURITY.md index 8f6b3ba..dd08e9d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -40,7 +40,7 @@ cat multiple.intoto.jsonl | jq -r '.payload' | base64 -d | jq ### Verify provenance of release artifacts -To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom`). +To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom.json`). ```bash # example for the "podsalsa-darwin-amd64.tar.gz" artifact 
@@ -191,7 +191,7 @@ The Software Bill of Materials (SBOM) is generated in CycloneDX JSON format for #### Go binary archives -The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)). +The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom.json` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)). #### Container images
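Review bot: the `cache: false` line added to the Go setup step in `.github/workflows/release.yml` (hunk `@@ -32,6 +32,7 @@`, and repeated in the publish job at `@@ -72,6 +73,7 @@`) has no comment saying why caching is switched off. If the intent is to keep restored cache content out of release builds, state that next to the setting, for example `cache: false # do not restore caches in release jobs`, so a later cleanup does not re-enable it to speed up the job.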
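Review bot: `version: '~> v1'` in the goreleaser step of `.github/workflows/release.yml` (hunk `@@ -40,7 +41,7 @@`) is still a floating range. The action itself is pinned to a commit SHA with a `# v5.1.0` comment, but the GoReleaser binary it installs can change from one run to the next within v1. Since this job produces the artifacts that receive provenance, consider pinning an exact GoReleaser version and bumping it deliberately, or add a comment explaining why a range is acceptable here.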
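Review bot: the new download pattern `-p "*.sbom.json"` in `.github/workflows/release.yml` (hunk `@@ -136,7 +138,7 @@`) must match the SBOM file names the release job actually uploads, and this patch contains no change to `.goreleaser.yml`. Please say in the commit message where the new suffix comes from (the GoReleaser `version` change in this same file, or a config change that is missing from the patch), so the verification job and the three documentation references can be checked against the real asset names.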
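Review bot: the rewritten sentence in `SECURITY.md` (hunk `@@ -40,7 +40,7 @@`) carries over the typo `artifcats`. Since the line is being changed anyway, correct it to `artifacts`, and capitalise `go binaries` as `Go binaries` to match the "Go binary archives" heading used later in the same file.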
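Review bot: the sentence changed in `SECURITY.md` (hunk `@@ -191,7 +191,7 @@`) names only `*.tar.gz.sbom.json`, while the rest of the patch lists `*.zip` archives among the release artifacts. Document whether the zip archives also ship an SBOM (and under which file name), or state explicitly that only the `tar.gz` archives do, so readers know which files to pass to `slsa-verifier`.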