From c4c262a69c96ef6baaaee4fec325dcc5c536fa73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?= <batuhan.apaydin@trendyol.com>
Date: Wed, 22 Mar 2023 15:24:52 +0300
Subject: [PATCH] feat: verify provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
Co-authored-by: Furkan Türkal <furkan.turkal@trendyol.com>
Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
---
 .github/workflows/goreleaser.yml | 54 +++++++++++++++++++++++++++++---
 .goreleaser.yml                  | 16 +++++-----
 2 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 6fc0fc7523..f02a1b6f49 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -24,10 +24,10 @@ jobs:
         uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
         with:
           fetch-depth: 0
-      - name: Run Tests
-        uses: ./.github/workflows/test.yaml
-      - name: Run Lints
-        uses: ./.github/workflows/lint.yaml
+      # - name: Run Tests
+      #   uses: ./.github/workflows/test.yaml
+      # - name: Run Lints
+      #   uses: ./.github/workflows/lint.yaml
       - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
       - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
       - name: Set up Go
@@ -49,9 +49,11 @@ jobs:
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
       - name: Generate subject
         id: hash
         env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
         run: |
           set -euo pipefail
@@ -63,7 +65,49 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: developer-guy/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true # upload to a new release
+      draft-release: true
+  verification:
+    needs: [goreleaser, provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # To add assets to a release.
+    steps:
+      - name: Install SLSA verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.1.0
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          TAG=${GITHUB_REF#refs/tags/}
+          echo "Downloading assets for tag $TAG"
+          for i in $(gh api "repos/$GITHUB_REPOSITORY/releases" | jq -r '.[] | select(.tag_name=='\"$TAG\"').assets[].id')
+          do
+            echo "Downloading asset $i"
+            curl -L -o $(gh api "repos/$GITHUB_REPOSITORY/releases/assets/$i" | jq -r '.name') -H "Authorization: token $GH_TOKEN" -H "Accept: application/octet-stream" $(gh api "repos/$GITHUB_REPOSITORY/releases/assets/$i" | jq -r '.url')
+          done
+          echo "Downloading provenance $PROVENANCE"
+          gh -R $GITHUB_REPOSITORY release download --clobber $GITHUB_REF_NAME -p $PROVENANCE
+      - name: Verify assets
+        env:
+          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Verifying $fn"
+              slsa-verifier verify-artifact "$fn" \
+                            --provenance-path "$PROVENANCE" \
+                            --source-uri "github.com/$GITHUB_REPOSITORY" \
+                            --source-tag "$GITHUB_REF_NAME" \
+                            --builder-id "https://github.com/developer-guy/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.5.0"
+          done <<<"$checksums"
+  
+
diff --git a/.goreleaser.yml b/.goreleaser.yml
index bb94f661fb..c330e407dd 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -32,7 +32,7 @@ builds:
 dockers:
   # Arch: amd64
   - image_templates:
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
     dockerfile: goreleaser.dockerfile
     use: buildx
     build_flag_templates:
@@ -49,7 +49,7 @@ dockers:
       - "--platform=linux/amd64"
   # Arch: arm64
   - image_templates:
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
     dockerfile: goreleaser.dockerfile
     use: buildx
     build_flag_templates:
@@ -67,14 +67,14 @@ dockers:
     goarch: arm64
 
 docker_manifests:
-  - name_template: 'ghcr.io/google/osv-scanner:{{ .Tag }}'
+  - name_template: 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}'
     image_templates:
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
-  - name_template: 'ghcr.io/google/osv-scanner:latest'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
+  - name_template: 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:latest'
     image_templates:
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
-      - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
+      - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
 
 archives:
   - format: binary