chore: add slsa provenance back (#326)

Signed-off-by: Charles-Edouard Brétéché <[email protected]>

.github/workflows/release-goreleaser.yaml

@@ -13,6 +13,8 @@ jobs:
       packages: write
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
+      image: ${{ steps.digest.outputs.image }}
+      digest: ${{ steps.digest.outputs.digest }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
@@ -51,22 +53,11 @@ jobs:
         #   args: release --clean --timeout 90m
         #   workdir: backend
         run: |
+          set -e
           go install github.com/goreleaser/goreleaser@d0cf457136ebae8ced6b64c9be061ab302cbb1a8
-          cd backend && goreleaser release --clean --timeout 90m
+          cd backend && goreleaser release --clean --timeout 90m && echo "artifacts=$(cat dist/artifacts.json)" >> $GITHUB_OUTPUT
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      # - name: Generate subject
-      #   id: hash
-      #   env:
-      #     ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-      #   run: |
-      #     set -euo pipefail
-      #     hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
-      #     if test "$hashes" = ""; then # goreleaser < v1.13.0
-      #       checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-      #       hashes=$(cat $checksum_file | base64 -w0)
-      #     fi
-      #     echo "hashes=$hashes" >> $GITHUB_OUTPUT
       - name: Upload artifacts.json
         uses: svenstaro/upload-release-action@58d525808845e4c8ff229ea1d5d7c496504a79bc # 2.6.0
         with:
@@ -81,15 +72,50 @@ jobs:
           file: backend/dist/metadata.json
           asset_name: metadata.json
           tag: ${{ github.ref }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          hashes=$(cat $checksum_file | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+      - name: Image digest
+        id: digest
+        env:
+          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
+          image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
+          digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+          echo "image=$image" >> "$GITHUB_OUTPUT"
+          echo "digest=$digest" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs:
+      - goreleaser
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
 
-  # provenance:
-  #   needs:
-  #     - goreleaser
-  #   permissions:
-  #     actions: read
-  #     id-token: write
-  #     contents: write
-  #   uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-  #   with:
-  #     base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-  #     upload-assets: true
+  image-provenance:
+    needs:
+      - goreleaser
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.goreleaser.outputs.image }}
+      digest: ${{ needs.goreleaser.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}