From 79bd59a8e0c458a9cbb1e980ba9d88222e11ff6c Mon Sep 17 00:00:00 2001
From: Gaius
Date: Wed, 18 Sep 2024 16:04:53 +0800
Subject: [PATCH] chore: generate SLSA3 provenance for GoReleaser (#3516)

Signed-off-by: Gaius
---
 .github/workflows/docker.yml  | 3 ++-
 .github/workflows/release.yml | 27 +++++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 9162c5498..e903531bc 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -13,6 +13,7 @@ permissions:
 jobs:
   push_image_to_registry:
     name: Push Image
+    permissions: write-all
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -91,7 +92,7 @@ jobs:
             org.opencontainers.image.title="dragonfly"
             org.opencontainers.image.description=${{ github.event.repository.description }}
             org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.source="https://github.com/dragonflyoss/Dragonfly2"
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
             org.opencontainers.image.revision=${{ github.sha }}
             org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
           build-args: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 3649f86cc..f2a8cb696 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,8 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     timeout-minutes: 60
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - name: Checkout
         uses: actions/checkout@v4.1.7
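Review bot: `permissions: write-all` on the `push_image_to_registry` job hands the job's GITHUB_TOKEN write access to every scope, which overrides whatever narrower workflow-level `permissions:` block the hunk header shows sits above `jobs:` (its contents are outside the hunk). The commit message only talks about GoReleaser provenance, so it is not visible which step in this job actually needs more than the default token; the job-level block should name just those scopes, for example `permissions:` with `contents: read`, `packages: write`, and `id-token: write` if an image signing or attestation step is the consumer. A one-line comment above the block stating which step requires the extra scope would also keep the next reviewer from widening it further.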
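Review bot: The rewritten `org.opencontainers.image.source` line drops the surrounding double quotes, which matches the `description`, `url` and `revision` lines, but the `title="dragonfly"` context line two lines above still carries them; buildx appears to pass the quotes through literally into the label value, so the block is now inconsistent. If unquoted values are the intent, change that line to `org.opencontainers.image.title=dragonfly` as part of this cleanup. The `labels: |` key and the `with:` block that hold these lines start outside the hunk.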
@@ -34,9 +36,34 @@ jobs:
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@v6.0.0
+        id: run-goreleaser
         with:
           distribution: goreleaser
           version: latest
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release
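Review bot: The `Generate subject` script can emit an empty `hashes` output without failing: when both the jq pipeline and the checksum-file fallback find nothing, `cat $checksum_file` runs with no argument and reads stdin, and the provenance job then receives an empty `base64-subjects`, so the step should end with `test -n "$hashes" || { echo "no release artifacts found to attest" >&2; exit 1; }` before the `echo ... >> $GITHUB_OUTPUT` line. The expansions are also quoted inconsistently: the fallback already uses `echo "$ARTIFACTS"` while the first pipeline uses bare `echo $ARTIFACTS`, and `$checksum_file` and `$GITHUB_OUTPUT` are unquoted too, so quote all three (`"$ARTIFACTS"`, `base64 -w0 < "$checksum_file"`, `>> "$GITHUB_OUTPUT"`). Passing the artifact JSON through the `ARTIFACTS` env var rather than interpolating it into `run:` is the right shape and should stay that way. The `needs: [goreleaser]` reference presumably names the job whose `steps:` this hunk sits inside, but that job's id is outside the hunk.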