From 67b572bdca687caae0255bc5d5d761b029d0ab84 Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 9 Apr 2025 15:02:45 +0200
Subject: [PATCH 1/4] chore(ci): Generate SLSA attestation
Signed-off-by: Javier Rodriguez
---
 .github/workflows/release.yaml | 39 ++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index db78ff220..53e607926 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -44,6 +44,8 @@ jobs:
 contents: write # required for goreleaser to upload the release assets
 packages: write # to push container images
 pull-requests: write
+ id-token: write # required for SLSA provenance
+ attestations: write # required for SLSA provenance
 env:
 CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
 ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
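Review bot: `id-token: write` and `attestations: write` are job-level permissions, so every step in the release job — goreleaser, the chainloop CLI and any third-party action it uses — can request an OIDC token, not only the attest-build-provenance step; the inline comment should say so, e.g. `id-token: write # job-wide: any step can mint an OIDC token; needed by attest-build-provenance for Sigstore signing`. The matching mitigation is SHA-pinning the job's third-party actions; patch 4 of this series does that for attest-build-provenance only, and whether the job's other `uses:` entries are pinned is not visible here. The `permissions:` block these keys belong to starts outside the hunk.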
@@ -132,6 +134,43 @@ jobs:
 chainloop attestation add --name $material_name --value $entry --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}
 done
+ - name: Calculate checksum for SLSA attestation
+ run: |
+ # Create an empty checksum file
+ checksum_file="subjects-checksum.txt"
+ touch "$checksum_file"
+
+ # First the binaries
+ binaries=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Binary") | select(.name=="chainloop"| not) | "\(.path) \(.name)"')
+ echo "$binaries" | while IFS= read -r entry; do
+ # Extract the path and name from the entry
+ path=$(echo "$entry" | awk '{print $1}')
+ # Calculate the checksum of the file
+ checksum=$(sha256sum "$path" | awk '{print $1}')
+ # Get the name from the entry
+ name=$(echo "$entry" | awk '{print $2}')
+ # Add it to the checksum file
+ echo "$checksum *$name" >> $checksum_file
+ done
+
+ # Then the docker images
+ images=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Docker Manifest") | select(.name | endswith(":latest") | not) | "\(.extra.Digest | split("sha256:")[1]) \(.name)"')
+ echo "$images" | while IFS= read -r entry; do
+ # Extract the digest and name from the entry
+ name=$(echo "$entry" | awk '{print $2}')
+ digest=$(echo "$entry" | awk '{print $1}')
+ echo "$digest $name" >> $checksum_file
+ done
+
+ - uses: actions/attest-build-provenance@v2
+ id: slsa-attest
+ with:
+ subject-checksums: subjects-checksum.txt
+
+ - name: Attest SLSA attestation
+ run: |
+ chainloop attestation --name slsa-attestation add --value ${{ steps.slsa-attest.outputs.bundle-path }} --kind SLSA_PROVENANCE --attestation-id ${{ env.ATTESTATION_ID }}
+
 - name: Bump Chart and Dagger Version
 run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
 - name: Bump Project Version
From e28991876e5923b513b29f0cdea8078c6a363f6b Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 9 Apr 2025 15:04:50 +0200
Subject: [PATCH 2/4] remove extra space
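Review bot: The two loops write different record formats into `subjects-checksum.txt`: the binary loop emits `<sha256> *<name>` while the image loop emits `<digest> <name>` with a single space and no `*`; sha256sum's own format is two spaces or ` *`, and I cannot confirm from this hunk that the action's checksum parser accepts the single-space form, so use one format for both, `echo "$digest *$name" >> "$checksum_file"`. The image subject names keep their version tag (only `:latest` is filtered out), and `split("sha256:")[1]` interpolates as the string `null` for any digest that is not sha256-prefixed — both deserve a guard or at least a comment stating the assumption. The final step also places `--name` before the subcommand (`chainloop attestation --name slsa-attestation add ...`) whereas the existing call at the top of this hunk is `chainloop attestation add --name ...`; writing it the same way, `chainloop attestation add --name slsa-attestation --value ${{ steps.slsa-attest.outputs.bundle-path }} --kind SLSA_PROVENANCE --attestation-id ${{ env.ATTESTATION_ID }}`, keeps the two invocations consistent. The enclosing `steps:` list starts outside the hunk.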
Signed-off-by: Javier Rodriguez
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 53e607926..4f0e973be 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -150,7 +150,7 @@ jobs:
 # Get the name from the entry
 name=$(echo "$entry" | awk '{print $2}')
 # Add it to the checksum file
- echo "$checksum *$name" >> $checksum_file
+ echo "$checksum *$name" >> $checksum_file
 done
 # Then the docker images
From 70e18edaa7af7874dd9fea08227ca4c43e3a172e Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 9 Apr 2025 16:32:10 +0200
Subject: [PATCH 3/4] add comment
Signed-off-by: Javier Rodriguez
---
 .github/workflows/release.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 4f0e973be..739598617 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -136,6 +136,11 @@ jobs:
 - name: Calculate checksum for SLSA attestation
 run: |
+ # We're generating a checksum file for the SLSA attestation as a workaround for the current limitations of the SLSA attestation action.
+ # Until it's possible to include multiple container images and binaries in a single attestation, this approach serves as a temporary solution.
+ # An open issue suggests that if pushing the attestation to an OCI registry isn't required, using a checksum file is a valid alternative.
+ # Link: https://github.com/actions/attest-build-provenance/issues/454
+
 # Create an empty checksum file
 checksum_file="subjects-checksum.txt"
 touch "$checksum_file"
From eeae5597cb047175842cb4d39196b4aabd3b091a Mon Sep 17 00:00:00 2001
From: Javier Rodriguez
Date: Wed, 9 Apr 2025 16:39:43 +0200
Subject: [PATCH 4/4] pin action version
Signed-off-by: Javier Rodriguez
---
 .github/workflows/release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 739598617..69615426f 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -167,7 +167,7 @@ jobs:
 echo "$digest $name" >> $checksum_file
 done
- - uses: actions/attest-build-provenance@v2
+ - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
 id: slsa-attest
 with:
 subject-checksums: subjects-checksum.txt