✨ Add support for uploading assets

.github/workflows/slsa3_builder.yml

@@ -36,6 +36,11 @@ on:
         description: "The go version to use"
         required: true
         type: string
+      upload-assets:
+        description: "Whether to upload assets to a GitHub release or not"
+        required: false
+        type: boolean
+        default: true
       env:
         description: "Env variables to pass to the builder"
         required: false
@@ -360,6 +365,9 @@ jobs:
     permissions:
       id-token: write # Needed for keyless.
       contents: read
+    outputs:
+      go-provenance-name: ${{ steps.sign-prov.outputs.signed-provenance-name }}
+      go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
     steps:
       - name: Download builder
         uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
@@ -410,3 +418,60 @@ jobs:
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           if-no-files-found: error
           retention-days: 5
+
+###################################################################
+#                                                                 #
+#           Upload binaries and provenances as assets             #
+#                                                                 #
+###################################################################
+  upload-assets:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    needs: [build,build-dry,provenance]
+    if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
+    steps:
+      # Verify binary hash.
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build-dry.outputs.go-binary-name }}
+      - name: Verify binary hash
+        env:
+          UNTRUSTED_BINARY_HASH: "${{ needs.build.outputs.go-binary-sha256 }}"
+          UNTRUSTED_BINARY_NAME: "${{ needs.build-dry.outputs.go-binary-name }}"
+        run: |
+          set -euo pipefail
+
+          echo "hash of binary $UNTRUSTED_BINARY_NAME should be $UNTRUSTED_BINARY_HASH"
+
+          COMPUTED_HASH=$(sha256sum "$UNTRUSTED_BINARY_NAME" | awk '{print $1}')
+          echo "binary hash computed is $COMPUTED_HASH"
+
+          # Compare hashes. Explicit exit to be safe.
+          echo "$UNTRUSTED_BINARY_HASH $UNTRUSTED_BINARY_NAME" | sha256sum --strict --check --status || exit -2
+
+      # Verify provenance hash.
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.provenance.outputs.go-provenance-name }}
+      - name: Verify provenance hash
+        env:
+          UNTRUSTED_PROVENANCE_HASH: "${{ needs.provenance.outputs.go-provenance-sha256 }}"
+          UNTRUSTED_PROVENANCE_NAME: "${{ needs.provenance.outputs.go-provenance-name }}"
+        run: |
+          set -euo pipefail
+
+          echo "hash of provenance $UNTRUSTED_PROVENANCE_NAME should be $UNTRUSTED_PROVENANCE_HASH"
+
+          COMPUTED_HASH=$(sha256sum "$UNTRUSTED_PROVENANCE_NAME" | awk '{print $1}')
+          echo "provenance hash computed is $COMPUTED_HASH"
+
+          # Compare hashes. Explicit exit to be safe.
+          echo "$UNTRUSTED_PROVENANCE_HASH $UNTRUSTED_PROVENANCE_NAME" | sha256sum --strict --check --status || exit -2
+
+      - name: Release
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        with:
+          files: |
+            ${{ needs.build-dry.outputs.go-binary-name }}
+            ${{ needs.provenance.outputs.go-provenance-name }}

main.go

@@ -15,8 +15,11 @@
 package main
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"flag"
 	"fmt"
+	"io"
 	"io/ioutil"
 	"os"
 	"os/exec"
@@ -95,8 +98,27 @@ func main() {
 		check(err)
 
 		fmt.Printf("::set-output name=signed-provenance-name::%s\n", filename)
+
+		h, err := computeSHA256(filename)
+		check(err)
+		fmt.Printf("::set-output name=signed-provenance-sha256::%s\n", h)
+
 	default:
 		fmt.Println("expected 'build' or 'provenance' subcommands")
 		os.Exit(1)
 	}
 }
+
+func computeSHA256(filePath string) (string, error) {
+	file, err := os.Open(filePath)
+	if err != nil {
+		return "", err
+	}
+	defer file.Close()
+
+	hash := sha256.New()
+	if _, err := io.Copy(hash, file); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(hash.Sum(nil)), nil
+}