ci: Adding SLSA provenance for source packages

Adding generation of SLSA provenance for the .zip and .tar.xz source package releases. Signed-off-by: Tyler Erickson <tyler.erickson@seagate.com>
Seagate · Apr 29, 2024 · 7b92b00 · 7b92b00
1 parent d034408
commit 7b92b00
Showing 1 changed file with 36 additions and 0 deletions.
diff --git a/.github/workflows/source-release.yml b/.github/workflows/source-release.yml
@@ -22,6 +22,11 @@ jobs:
             os: ubuntu-latest,
             extension: ".tar.xz",
           }
+    outputs:
+      #store hashes for slsa provenance
+      hash-SourceCode_With_Submodules.zip: ${{ steps.hash.outputs.hash-SourceCode_With_Submodules.zip }}
+      hash-SourceCode_With_Submodules.tar.xz: ${{ steps.hash.outputs.hash-SourceCode_With_Submodules.tar.xz }}
+
     steps:  
     - uses: actions/checkout@v4
       with:
@@ -43,6 +48,19 @@ jobs:
         pip install git-archive-all
         git-archive-all --prefix=${{ env.ARCHIVENAME }} SourceCode_With_Submodules.${{ matrix.config.extension }}
 
+    - name: Generate Hashes
+      shell: bash
+      id: hash
+      run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact | base64 -w0
+          # NOTE: Using suggested method to generate sha across OS's from slsa documentation
+          # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-artifacts-built-across-multiple-operating-systems
+          set -euo pipefail
+          (sha256sum -t ${{ format('SourceCode_With_Submodules.{0}',  matrix.config.extension) }} || shasum -a 256 ${{ format('SourceCode_With_Submodules.{0}',  matrix.config.extension) }}) > checksum
+          echo "hash-SourceCode_With_Submodules.${{ matrix.config.extension }}=$(base64 -w0 checksum || base64 checksum)" >> "${GITHUB_OUTPUT}"
+
     - name: Upload Source Archive as Artifact
       uses: actions/upload-artifact@v4
       with:
@@ -53,3 +71,21 @@ jobs:
       uses: softprops/action-gh-release@v2
       with:
         files: SourceCode_With_Submodules.${{ matrix.config.extension }}
+
+  # Generate the slsa provenance
+  provenance:
+    needs: [archive]
+    strategy:
+      fail-fast: false #don't cancel other jobs if one is failing
+      matrix:
+        package_name: [ "SourceCode_With_Submodules.zip",
+                        "SourceCode_With_Submodules.tar.xz" ]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.build.outputs[format('hash-{0}', matrix.package_name)] }}"
+      # Upload provenance to a new release
+      upload-assets: true