chore: generate SLSA3 provenance for GoReleaser (#3516)

Signed-off-by: Gaius <gaius.qi@gmail.com>
2024-09-18 16:04:53 +08:00 · 2024-09-18 16:04:53 +08:00 · 79bd59a8e0
parent 608b6a200b
commit 79bd59a8e0
2 changed files with 29 additions and 1 deletions
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -13,6 +13,7 @@ permissions:
 jobs:
  push_image_to_registry:
    name: Push Image
+    permissions: write-all
    runs-on: ubuntu-latest
    strategy:
      matrix:
@ -91,7 +92,7 @@ jobs:
            org.opencontainers.image.title="dragonfly"
            org.opencontainers.image.description=${{ github.event.repository.description }}
            org.opencontainers.image.url=${{ github.event.repository.html_url }}
-            org.opencontainers.image.source="https://github.com/dragonflyoss/Dragonfly2"
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.version=${{ steps.get_version.outputs.VERSION }}
          build-args: |
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -14,6 +14,8 @@ jobs:
      contents: write
    runs-on: ubuntu-latest
    timeout-minutes: 60
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4.1.7
@ -34,9 +36,34 @@ jobs:

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6.0.0
+        id: run-goreleaser
        with:
          distribution: goreleaser
          version: latest
          args: release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release