From 95ed7efe0a9526c2537fb4837375f06ca6c67e0c Mon Sep 17 00:00:00 2001
From: RAprogramm
Date: Sun, 12 Oct 2025 14:44:36 +0700
Subject: [PATCH] #187 feat: add supply chain security with SBOM and Sigstore

Add enterprise-grade supply chain security features to release workflow:
- SBOM generation using cargo-cyclonedx (CycloneDX format)
- Keyless artifact signing with Sigstore/cosign
- Build provenance attestations via GitHub Actions
- Automated security artifact uploads to releases
- 90-day retention for audit trails

Security features:
- Dependency transparency via SBOM
- Tamper-proof signatures in Rekor transparency log
- No secret management required (OIDC-based signing)
- Compliance with SLSA provenance standards
---
 .github/workflows/release.yml | 93 +++++++++++++++++++++++++++++++++++
 README.md | 1 -
 2 files changed, 93 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e74335d..20189f8 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,11 @@ concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 
+permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
 jobs:
 checks:
 uses: ./.github/workflows/reusable-ci.yml
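Review bot: The workflow-level `permissions` block grants `contents: write`, `id-token: write` and `attestations: write` to every job in the file, including `checks`, which calls `reusable-ci.yml` and has no visible need to create releases or mint OIDC tokens; the `security` job added later in this same patch already declares the identical three permissions at job level, so the top-level grant only widens the token for the jobs that did not ask for it. Set the file default to read-only, `permissions:` / `  contents: read`, and put any `contents: write` the publish job needs on that job (the publish job is outside this hunk, so I cannot tell from here whether it creates the release). Note that a called reusable workflow inherits the caller's token permissions, so the broad grant as written also flows into `reusable-ci.yml` and every third-party action it runs.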
@@ -163,3 +168,91 @@ jobs:
 done
 echo "Failed to publish masterror after retries."
 exit 1
+
+ security:
+ runs-on: ubuntu-latest
+ needs: publish
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
+ steps:
+ - uses: actions/checkout@v5
+
+ - name: Install Rust (stable)
+ uses: dtolnay/rust-toolchain@v1
+ with:
+ toolchain: stable
+
+ - name: Install cargo-cyclonedx
+ uses: taiki-e/install-action@v2
+ with:
+ tool: cargo-cyclonedx
+
+ - name: Install cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Generate SBOM (CycloneDX)
+ shell: bash
+ run: |
+ set -euo pipefail
+ cargo cyclonedx --format json --all-features
+ mv masterror.cdx.json sbom.json
+ echo "SBOM generated: sbom.json"
+
+ - name: Package crates for release
+ shell: bash
+ run: |
+ set -euo pipefail
+ cargo package --locked
+ echo "Crates packaged in target/package/"
+
+ - name: Sign SBOM with Sigstore
+ shell: bash
+ run: |
+ set -euo pipefail
+ cosign sign-blob \
+ --bundle sbom.cosign.bundle \
+ --yes \
+ sbom.json
+ echo "SBOM signed with Sigstore"
+
+ - name: Sign crate artifacts
+ shell: bash
+ run: |
+ set -euo pipefail
+ for crate in target/package/*.crate; do
+ if [ -f "$crate" ]; then
+ cosign sign-blob \
+ --bundle "${crate}.cosign.bundle" \
+ --yes \
+ "$crate"
+ echo "Signed: $crate"
+ fi
+ done
+
+ - name: Generate build provenance attestations
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: |
+ sbom.json
+ target/package/*.crate
+
+ - name: Upload SBOM to release
+ uses: softprops/action-gh-release@v2
+ with:
+ files: |
+ sbom.json
+ sbom.cosign.bundle
+ target/package/*.crate
+ target/package/*.crate.cosign.bundle
+
+ - name: Upload security artifacts
+ uses: actions/upload-artifact@v4
+ with:
+ name: security-artifacts
+ path: |
+ sbom.json
+ sbom.cosign.bundle
+ target/package/*.crate.cosign.bundle
+ retention-days: 90
diff --git a/README.md b/README.md
index 46881af..a4c70ae 100644
--- a/README.md
+++ b/README.md
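Review bot: The `.crate` files that get signed and attested here come from a fresh `cargo package --locked` run inside this job, which executes after `needs: publish`, so nothing ties the cosign bundles or the provenance subjects to the archive the publish job actually uploaded to crates.io; unless the two package runs are byte-identical (the publish job is outside this hunk, so I cannot confirm that), a consumer verifying the crates.io download against `*.crate.cosign.bundle` gets a digest mismatch and the attestation covers an artifact nobody installs. Package once, publish that exact archive, and sign it, or have the publish job upload its `target/package/*.crate` as an artifact that this job downloads and signs instead of re-packaging. Separately, every `uses:` is a mutable tag (`actions/checkout@v5`, `taiki-e/install-action@v2`, `sigstore/cosign-installer@v3`, …) while this job holds `id-token: write`, so any of those actions can mint an OIDC token and produce Sigstore signatures and Rekor entries under this repository's identity; for a supply-chain-security job pin each action to a full commit SHA with the tag kept in a trailing comment. Consider also `persist-credentials: false` on the checkout step, since the `contents: write` token otherwise stays in `.git/config` for every later step.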
@@ -488,4 +488,3 @@ assert_eq!(problem.grpc.expect("grpc").name, "UNAUTHENTICATED"); MSRV: **1.90** · License: **MIT OR Apache-2.0** · No `unsafe` -