Merge pull request #840 from google/signing

jaqx0r · web-flow · commit d4761fe83a83 · 2024-04-23T12:03:31.000Z
ci: Sign release artifacts.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,12 +9,6 @@ on:
     tags:
       - v*
 
-env:
-  # Use docker.io for Docker Hub if empty
-  REGISTRY: ghcr.io
-  # github.repository as <account>/<repo>
-  IMAGE_NAME: ${{ github.repository }}
-
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
@@ -23,6 +17,8 @@ jobs:
       contents: write
     env:
       flags: ""
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     steps:
       - if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
         run: echo "flags=--snapshot" >> $GITHUB_ENV
@@ -35,16 +31,42 @@ jobs:
           go-version-file: 'go.mod'
           cache: true
       - uses: goreleaser/goreleaser-action@v5
+        id: run-goreleaser
         with:
           version: latest
-          args: release --rm-dist ${{ env.flags }}
+          args: release --clean ${{ env.flags }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true # upload to a new release
+
   docker-release:
     runs-on: ubuntu-latest
     permissions:
       # docker writes packages to container registry
       packages: write
+    env:
+      # Use docker.io for Docker Hub if empty
+      REGISTRY: ghcr.io
+      # github.repository as <account>/<repo>
+      IMAGE_NAME: ${{ github.repository }}
     steps:
       - uses: actions/checkout@v4
         with:
