feat: security txt and build integrity #205

Merged
merged 11 commits into from
Dec 23, 2023
ci: add release integrity workflow
silas-x committed Dec 23, 2023
commit 8cc8f7543a5f4a0c4024dff686763a0f21738c76
50 changes: 50 additions & 0 deletions .github/workflows/ci-verified-build.yml
@@ -0,0 +1,50 @@
name: Verifiable Build
on:
push:
tags:
['v*']

env:
APP_NAME: openbook-v2

jobs:
build:
name: Build Verifiable Artifact
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
with:
submodules: 'recursive'

- name: Setup Anchor
run: |
cargo install --git https://github.com/coral-xyz/anchor --rev 4e5280be46d859ba1c57fabe4c3916bec742fd69 anchor-cli --locked --force
- name: Verifiable Build
run: |
anchor build --verifiable --docker-image backpackapp/build:v0.28.0 --solana-version 1.16.14 -- --features enable-gpl
- name: Generate Checksum
run: |
echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
- name: Generate SBOM
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'cyclonedx'
output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'

- name: Create Release
id: create_release
uses: softprops/action-gh-release@v1
with:
tag_name: ${{ github.ref_name }}
name: ${{ github.ref_name }}
body: |
sha256 checksum: ${{ env.CHECKSUM }}
github commit: ${{ github.sha }}
files: |
./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}-.so
./${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
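
Review bot: the `files:` entry `./target/verifiable/${{ env.APP_NAME }}-${{ github.ref_name }}-.so` in the Create Release step names a file that no visible step creates. The Generate Checksum step hashes `./target/verifiable/${{ env.APP_NAME }}.so`, and nothing copies or renames it afterwards, so that pattern matches nothing these steps produce and the release would not carry the binary whose sha256 is printed in the body. Upload the same path that is hashed, or add a rename step before the checksum and hash the renamed file; the trailing `-` before `.so` also looks unintended. Separately, `aquasecurity/trivy-action@master` in the Generate SBOM step is a mutable ref in a workflow whose purpose is release integrity, while Anchor is pinned with `--rev`; pinning this action to a commit SHA (and likewise `actions/checkout@v3` and `softprops/action-gh-release@v1`, which are moving tags) would match that.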