From 2111703a5bf72fa9316d84f7991dbffa3eeb86e8 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 7 Jun 2024 15:50:21 +0800 Subject: [PATCH 1/3] fix: attest build artefacts
---
 .github/workflows/build.yaml | 19 ++++++++++++++ .github/workflows/release.yaml | 47 +++++++++++++++++----------------- .goreleaser.yaml | 20 --------------- 3 files changed, 43 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index 1d471d8..4baf78f 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -19,6 +19,7 @@ jobs:
         go-version: stable
     - run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
     - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+      id: goreleaser
       with:
         version: latest
         args: build --clean --debug --single-target --snapshot
@@ -46,3 +47,21 @@ jobs:
         file: Dockerfile
         build-args: BINARY=lagoon-opensearch-sync
         context: dist/lagoon-opensearch-sync_linux_amd64_v1
+  check-tag:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      with:
+        fetch-depth: 0
+    - id: ccv
+      uses: smlx/ccv@c5f6769c943c082c4e8d8ccf2ec4b6f5f517e1f2 # v0.7.3
+      with:
+        write-tag: false
+    - run: |
+        echo "new-tag=$NEW_TAG"
+        echo "new-tag-version=$NEW_TAG_VERSION"
+      env:
+        NEW_TAG: ${{steps.ccv.outputs.new-tag}}
+        NEW_TAG_VERSION: ${{steps.ccv.outputs.new-tag-version}}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index a4c1878..9d6ca54 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
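Review bot: The new `check-tag` job carries no comment saying what it is for; a reader has to infer from `write-tag: false` and the echo-only last step that it previews the tag `ccv` would create rather than creating it. Suggest `# dry run of release tagging: print the tag ccv would create, without writing it` above `check-tag:` and `# presumably needed so ccv can see the full tag history — confirm` above `fetch-depth: 0`. The workflow's `on:` trigger is outside this hunk, so whether the job runs on pull requests from forks is not visible here; with `contents: read` and `write-tag: false` it holds no write capability either way, which is the right shape for a PR-time check.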
@@ -11,40 +11,24 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     outputs:
-      new-tag: ${{ steps.bump-tag.outputs.new }}
-      new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }}
+      new-tag: ${{ steps.ccv.outputs.new-tag }}
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: 0
-    - name: Configure git
-      run: |
-        git config --global user.name "$GITHUB_ACTOR"
-        git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
-    - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
-      with:
-        go-version: stable
-    - name: Install ccv
-      run: >
-        curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz
-        | sudo tar -xz -C /usr/local/bin ccv
     - name: Bump tag if necessary
-      id: bump-tag
-      run: |
-        if [ -z "$(git tag -l "$(ccv)")" ]; then
-          git tag "$(ccv)"
-          git push --tags
-          echo "new=true" >> "$GITHUB_OUTPUT"
-          echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT"
-        fi
+      id: ccv
+      uses: smlx/ccv@c5f6769c943c082c4e8d8ccf2ec4b6f5f517e1f2 # v0.7.3
   release-build:
     permissions:
       # create release
       contents: write
-      # push docker images to regsitry
+      # push docker images to registry
       packages: write
       # use OIDC token for signing
       id-token: write
+      # required by attest-build-provenance
+      attestations: write
     needs: release-tag
     if: needs.release-tag.outputs.new-tag == 'true'
     runs-on: ubuntu-latest
@@ -63,7 +47,6 @@ jobs:
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Set up environment
       run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
-    - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
     - uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
       id: sbom
       env:
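Review bot: The `release-tag` job's `new-tag-version` output is dropped although the action still exposes it (the new `check-tag` job in build.yaml reads `steps.ccv.outputs.new-tag-version`); if `release-build`, whose steps continue past this hunk, still references `needs.release-tag.outputs.new-tag-version`, that expression now expands to an empty string with no error. Suggest keeping `new-tag-version: ${{ steps.ccv.outputs.new-tag-version }}` under `outputs:` unless every consumer has been removed. The `if: needs.release-tag.outputs.new-tag == 'true'` gate also now depends on ccv emitting the literal string `true` for `new-tag`, which is not visible here; if the action reports the tag name instead, `release-build` is silently skipped on every release. The tag push itself now happens inside a third-party action running under the job's `contents: write` token; pinning it to a full commit SHA, as done here, is the right control, and the `# v0.7.3` comment should be kept in sync with the SHA so automated updaters can track it.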
@@ -73,9 +56,27 @@ jobs:
       env:
         GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
     - uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+      id: goreleaser
       with:
         version: latest
         args: release --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GITHUB_SBOM_PATH: ./sbom.spdx.json
+    # parse artifacts to the format required for image attestation
+    - run: |
+        echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
+        echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
+      id: image_metadata
+      env:
+        ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
+    # attest archives
+    - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-path: "dist/*.tar.gz"
+    # attest images
+    - uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
+      with:
+        subject-digest: ${{steps.image_metadata.outputs.digest}}
+        subject-name: ${{steps.image_metadata.outputs.name}}
+        push-to-registry: true
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
index f797cce..54192e2 100644
--- a/.goreleaser.yaml
+++ b/.goreleaser.yaml
@@ -22,18 +22,6 @@ builds:
 changelog:
   use: github-native
 
-signs:
-- cmd: cosign
-  signature: "${artifact}.sig"
-  certificate: "${artifact}.pem"
-  args:
-  - "sign-blob"
-  - "--output-signature=${signature}"
-  - "--output-certificate=${certificate}"
-  - "${artifact}"
-  - "--yes"
-  artifacts: checksum
-
 dockers:
 - ids:
   - lagoon-opensearch-sync
@@ -63,14 +51,6 @@ docker_manifests:
   - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-amd64"
   - "ghcr.io/{{ .Env.GITHUB_REPOSITORY }}:v{{ .Version }}-arm64v8"
 
-docker_signs:
-- args:
-  - "sign"
-  - "${artifact}@${digest}"
-  - "--yes"
-  artifacts: all
-  output: true
-
 release:
   extra_files:
   - glob: "{{ .Env.GITHUB_SBOM_PATH }}"
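Review bot: With the cosign `signs` (artifacts: checksum) and `docker_signs` (artifacts: all) blocks deleted from `.goreleaser.yaml` below, provenance now covers only `dist/*.tar.gz` and the single manifest whose name matches `:v`; the checksum file and the `sbom.spdx.json` that `release.extra_files` still publishes are no longer signed or attested, and any non-`.tar.gz` archive (the `archives` config is outside this hunk) would be left out without any error. Consider widening the subject list, e.g. `subject-path: "dist/*.tar.gz,dist/*_checksums.txt"` (goreleaser's default checksum file name — confirm against the `checksum` config), and attesting the SBOM separately with `actions/attest-sbom`. The `jq -r` filters in `image_metadata` emit one line per match, so if no `docker_manifests` entry carries a `:v` tag, or more than one does, the step writes an empty or multi-line `digest=` and the failure surfaces only as an opaque error later; because the `$(…)` sits inside an `echo` argument, a jq error is also invisible to the shell's `-e`. Compute the values into variables first and make jq fail on anything but exactly one match, as below; `${{steps.image_metadata.outputs.*}}` are consumed as action inputs rather than interpolated into a shell, so they are not an injection vector.
```yaml
    - run: |
        filter='[.[]|select(.type=="Docker Manifest" and (.name|test(":v")))]'
        # fail here, not in the attest step, unless goreleaser produced exactly one versioned manifest
        digest=$(echo "$ARTIFACTS" | jq -er "$filter"' | if length==1 then .[0].extra.Digest else error("expected exactly one versioned manifest, got \(length)") end')
        name=$(echo "$ARTIFACTS" | jq -er "$filter"' | .[0].name | split(":")[0]')
        echo "digest=$digest" >> "$GITHUB_OUTPUT"
        echo "name=$name" >> "$GITHUB_OUTPUT"
      id: image_metadata
      # … unchanged: env / ARTIFACTS …
```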
From 003eb02fbf9b07ff20f83395ed34dfe25e546617 Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 7 Jun 2024 16:04:06 +0800 Subject: [PATCH 2/3] chore: remove hard-coded repo name
---
 .github/workflows/coverage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/coverage.yaml b/.github/workflows/coverage.yaml
index d9d4f22..1ce55c8 100644
--- a/.github/workflows/coverage.yaml
+++ b/.github/workflows/coverage.yaml
@@ -23,7 +23,7 @@ jobs:
       uses: vladopajic/go-test-coverage@1079cd4e58dda229c04ffdb6324fc3756b8542ff # v2.10.1
       with:
         profile: cover.out
-        local-prefix: github.com/uselagoon/lagoon-opensearch-sync
+        local-prefix: github.com/${{ github.repository }}
         git-token: ${{ secrets.GITHUB_TOKEN }}
         # orphan branch for storing badges
         git-branch: badges
From c6cfbb98628580c888981c99db722646a4ac0f0b Mon Sep 17 00:00:00 2001 From: Scott Leggett Date: Fri, 7 Jun 2024 16:37:39 +0800 Subject: [PATCH 3/3] chore: bump actionlint to support attestation permission
---
 .github/workflows/lint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
index b505428..578f92f 100644
--- a/.github/workflows/lint.yaml
+++ b/.github/workflows/lint.yaml
@@ -35,6 +35,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
-    - uses: docker://rhysd/actionlint:latest@sha256:2eb91a78b5a19140be099c7b4262d298c2567f2a9f27e10ed2a4323c5bcface8
+    - uses: docker://rhysd/actionlint:1.7.0@sha256:601d6faeefa07683a4a79f756f430a1850b34d575d734b1d1324692202bf312e # v1.7.0
       with:
         args: -color