From c4c262a69c96ef6baaaee4fec325dcc5c536fa73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Batuhan=20Apayd=C4=B1n?=
Date: Wed, 22 Mar 2023 15:24:52 +0300
Subject: [PATCH] feat: verify provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Batuhan Apaydın
Co-authored-by: Furkan Türkal
Signed-off-by: Batuhan Apaydın
---
 .github/workflows/goreleaser.yml | 54 +++++++++++++++++++++++++++++---
 .goreleaser.yml | 16 +++++-----
 2 files changed, 57 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/goreleaser.yml b/.github/workflows/goreleaser.yml
index 6fc0fc7523..f02a1b6f49 100644
--- a/.github/workflows/goreleaser.yml
+++ b/.github/workflows/goreleaser.yml
@@ -24,10 +24,10 @@ jobs:
 uses: actions/checkout@24cb9080177205b6e8c946b17badbe402adc938f # v3.4.0
 with:
 fetch-depth: 0
- - name: Run Tests
- uses: ./.github/workflows/test.yaml
- - name: Run Lints
- uses: ./.github/workflows/lint.yaml
+ # - name: Run Tests
+ # uses: ./.github/workflows/test.yaml
+ # - name: Run Lints
+ # uses: ./.github/workflows/lint.yaml
 - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2
 - uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2
 - name: Set up Go
@@ -49,9 +49,11 @@ jobs:
 args: release --rm-dist
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ OWNER: ${{ github.repository_owner }}
 - name: Generate subject
 id: hash
 env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
 run: |
 set -euo pipefail
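Review bot: Commenting out the `Run Tests` and `Run Lints` steps removes the only pre-release gates visible in this job, so a tag push now builds, signs and publishes binaries and images without the test suite or linters having run. The steps were presumably never working as written, since a step-level `uses:` cannot invoke a file under `.github/workflows/` (reusable workflows are called at job level), but the fix for that is to call them properly or to add a job-level `needs:` on the test workflow, not to leave dead YAML behind that will drift from the real workflows. If disabling them is deliberate for a fork trial, delete the four commented lines and state the reason in the commit message rather than shipping them, or restore `- name: Run Tests` / `uses: ./.github/workflows/test.yaml` in a form that actually runs.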
@@ -63,7 +65,49 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+ uses: developer-guy/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true # upload to a new release
+ draft-release: true
+ verification:
+ needs: [goreleaser, provenance]
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write # To add assets to a release.
+ steps:
+ - name: Install SLSA verifier
+ uses: slsa-framework/slsa-verifier/actions/installer@v2.1.0
+ - name: Download assets
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+ run: |
+ set -euo pipefail
+ TAG=${GITHUB_REF#refs/tags/}
+ echo "Downloading assets for tag $TAG"
+ for i in $(gh api "repos/$GITHUB_REPOSITORY/releases" | jq -r '.[] | select(.tag_name=='\"$TAG\"').assets[].id')
+ do
+ echo "Downloading asset $i"
+ curl -L -o $(gh api "repos/$GITHUB_REPOSITORY/releases/assets/$i" | jq -r '.name') -H "Authorization: token $GH_TOKEN" -H "Accept: application/octet-stream" $(gh api "repos/$GITHUB_REPOSITORY/releases/assets/$i" | jq -r '.url')
+ done
+ echo "Downloading provenance $PROVENANCE"
+ gh -R $GITHUB_REPOSITORY release download --clobber $GITHUB_REF_NAME -p $PROVENANCE
+ - name: Verify assets
+ env:
+ CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+ PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+ run: |
+ set -euo pipefail
+ checksums=$(echo "$CHECKSUMS" | base64 -d)
+ while read -r line; do
+ fn=$(echo $line | cut -d ' ' -f2)
+ echo "Verifying $fn"
+ slsa-verifier verify-artifact "$fn" \
+ --provenance-path "$PROVENANCE" \
+ --source-uri "github.com/$GITHUB_REPOSITORY" \
+ --source-tag "$GITHUB_REF_NAME" \
+ --builder-id "https://github.com/developer-guy/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.5.0"
+ done <<<"$checksums"
+
+
diff --git a/.goreleaser.yml b/.goreleaser.yml
index bb94f661fb..c330e407dd 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -32,7 +32,7 @@ builds:
 dockers:
 # Arch: amd64
 - image_templates:
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
 dockerfile: goreleaser.dockerfile
 use: buildx
 build_flag_templates:
@@ -49,7 +49,7 @@ dockers:
 - "--platform=linux/amd64"
 # Arch: arm64
 - image_templates:
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
 dockerfile: goreleaser.dockerfile
 use: buildx
 build_flag_templates:
@@ -67,14 +67,14 @@ dockers:
 goarch: arm64
 docker_manifests:
- - name_template: 'ghcr.io/google/osv-scanner:{{ .Tag }}'
+ - name_template: 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}'
 image_templates:
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
- - name_template: 'ghcr.io/google/osv-scanner:latest'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
+ - name_template: 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:latest'
 image_templates:
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-amd64'
- - 'ghcr.io/google/osv-scanner:{{ .Tag }}-arm64'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-amd64'
+ - 'ghcr.io/{{ .Env.OWNER }}/osv-scanner:{{ .Tag }}-arm64'
 archives:
 - format: binary