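# =============================================================================
# NFTBan v1.0.0 - SLSA Level 3 Go Builder
# =============================================================================
# SPDX-License-Identifier: MPL-2.0
# Purpose: Build Go binaries with SLSA Level 3 compliance and provenance
# Triggers: After Release Packages workflow completes OR manual dispatch
#
# This workflow uses OpenSSF's SLSA Go builder instead of manual go build.
# Benefits:
# - Isolated, hermetic build environment
# - Signed provenance (.intoto.jsonl files)
# - Cryptographically verifiable artifacts
# - SLSA Level 3 compliance (high security standard)
#
# Builds:
# - nftban-core (main CLI for firewall operations)
#
# COORDINATION: This workflow runs AFTER Release Packages completes to avoid
# race conditions when uploading assets to the same GitHub release.
#
# PUBLISH GATE: in assemble-release the provenance of every binary is verified
# with slsa-verifier BEFORE anything is uploaded to the release, so a build
# whose provenance is missing or does not verify is never published.
# =============================================================================
name: SLSA Go Releaser

on:
  # Run after Release Packages workflow completes (avoids race condition)
  workflow_run:
    workflows: ["Release Packages"]
    types: [completed]
  workflow_dispatch:
    inputs:
      version:
        description: 'Version tag (e.g., v1.0.0)'
        required: true
        default: 'v1.0.0'

concurrency:
  # NOTE(review): for workflow_run events github.ref is the default branch, so
  # all release runs share one group and serialize; confirm that is intended.
  group: slsa-${{ github.ref }}
  cancel-in-progress: false

# Minimal top-level permissions (OpenSSF Scorecard compliance)
# Job-level permissions are set for each job that needs write access
permissions:
  contents: read
  actions: read

jobs:
  # ============================================================================
  # Job 0: Get release tag from triggering workflow
  # ============================================================================
  get-tag:
    name: Get Release Tag
    runs-on: ubuntu-latest
    # Only run if Release Packages succeeded (for workflow_run trigger)
    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
    outputs:
      tag: ${{ steps.get-tag.outputs.tag }}
    steps:
      - name: Get tag from event
        id: get-tag
        # Event values are handed to the script through env rather than being
        # interpolated into the script text, so a crafted branch/tag/input name
        # can never be executed as shell (script-injection hardening).
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_VERSION: ${{ github.event.inputs.version }}
          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            tag="$INPUT_VERSION"
          else
            # workflow_run: take the tag from the triggering workflow's head
            # branch (assumes Release Packages is tag-triggered, so head_branch
            # carries the tag name - confirm against that workflow)
            tag="$HEAD_BRANCH"
          fi
          # An empty tag would later target a release with an empty tag_name;
          # fail here instead of downstream.
          if [ -z "$tag" ]; then
            echo "::error::Could not resolve a release tag from the $EVENT_NAME event"
            exit 1
          fi
          echo "tag=$tag" >> "$GITHUB_OUTPUT"
          echo "Resolved tag: $tag"

  # ============================================================================
  # Job 1: Build nftban-core with SLSA provenance
  # ============================================================================
  build-nftban-core:
    name: Build nftban-core (SLSA3)
    needs: get-tag
    permissions:
      id-token: write
      contents: write
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.1.0
    with:
      go-version: "1.25"
      # Config file specifies build parameters
      config-file: .github/slsa/nftban-core.yml
      evaluated-envs: "VERSION:${{ needs.get-tag.outputs.tag }}"
      # Upload provenance directly to release (fixes workflow_run trigger skip)
      upload-tag-name: ${{ needs.get-tag.outputs.tag }}

  # ============================================================================
  # Job 2: Verify provenance, then assemble all artifacts and upload to release
  # ============================================================================
  assemble-release:
    name: Assemble Release Artifacts
    needs: [get-tag, build-nftban-core]
    runs-on: ubuntu-latest
    # Run for workflow_run (after Release Packages) but not for manual dispatch
    if: ${{ github.event_name == 'workflow_run' }}
    permissions:
      contents: write # To upload release assets
    steps:
      - name: Download nftban-core artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ needs.build-nftban-core.outputs.go-binary-name }}
          path: dist/

      - name: Download nftban-core provenance
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: ${{ needs.build-nftban-core.outputs.go-provenance-name }}
          path: dist/

      - name: List artifacts
        run: ls -la dist/

      # v1.19.0: Verify SLSA provenance after build (R26)
      - name: Install SLSA Verifier
        # TODO(review): the verifier binary is fetched over HTTPS with no
        # checksum or signature check of its own; pin the expected SHA-256 of
        # slsa-verifier-linux-amd64 v2.7.0 (from that release's SHA256SUM.md)
        # and compare before chmod, otherwise the verifier is trusted blindly.
        run: |
          curl -sSfL https://github.com/slsa-framework/slsa-verifier/releases/download/v2.7.0/slsa-verifier-linux-amd64 \
            -o /usr/local/bin/slsa-verifier
          chmod +x /usr/local/bin/slsa-verifier

      # Verification runs BEFORE the release upload so that nothing is published
      # when provenance is missing or fails to verify.
      - name: Verify SLSA Provenance
        run: |
          echo "Verifying SLSA provenance..."
          verified=0
          failed=0
          for binary in dist/nftban-*; do
            # An unmatched glob yields the literal pattern; skip it.
            [ -e "$binary" ] || continue
            case "$binary" in
              *.intoto.jsonl|*SHA256SUMS) continue ;;
            esac
            provenance="${binary}.intoto.jsonl"
            # A binary without a provenance file is a failure, not a skip:
            # otherwise it would be published unverified.
            if [ ! -f "$provenance" ]; then
              echo "::error::Missing provenance for $(basename "$binary")"
              failed=1
              continue
            fi
            echo "Verifying $(basename "$binary")..."
            # --source-uri is pinned to the canonical repository (not
            # github.repository) so provenance produced anywhere else is
            # rejected. NOTE(review): no --source-tag is passed; under a
            # workflow_run trigger the builder's provenance is expected to
            # record the default-branch ref rather than the release tag, so
            # tag binding cannot be enforced here - confirm.
            if slsa-verifier verify-artifact "$binary" \
                 --provenance-path "$provenance" \
                 --source-uri github.com/itcmsgr/nftban; then
              verified=$((verified + 1))
            else
              echo "::error::Provenance verification failed for $(basename "$binary")"
              failed=1
            fi
          done
          if [ "$failed" -ne 0 ]; then
            echo "::error::One or more SLSA provenance verifications failed"
            exit 1
          fi
          # Zero verified binaries means the artifact download produced nothing
          # usable; refuse to publish an empty or unverifiable release.
          if [ "$verified" -eq 0 ]; then
            echo "::error::No binaries were verified; refusing to publish"
            exit 1
          fi
          echo "Verified $verified binaries"

      # NOTE: SHA256SUMS not generated here - Release Packages workflow provides
      # complete checksums for all packages. SLSA provenance (.intoto.jsonl)
      # provides cryptographic verification for these binaries.
      - name: Upload to GitHub Release
        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          tag_name: ${{ needs.get-tag.outputs.tag }}
          # Use single pattern to avoid duplicates (nftban-* matches .intoto.jsonl too)
          files: dist/*
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate SLSA Summary
        run: |
          echo "## SLSA Level 3 Build Complete" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Artifacts Built" >> "$GITHUB_STEP_SUMMARY"
          echo "| Binary | Architecture | Provenance |" >> "$GITHUB_STEP_SUMMARY"
          echo "|--------|--------------|------------|" >> "$GITHUB_STEP_SUMMARY"
          for f in dist/nftban-*; do
            [ -e "$f" ] || continue
            case "$f" in
              *.intoto.jsonl|*SHA256SUMS) continue ;;
            esac
            basename=$(basename "$f")
            provenance="${basename}.intoto.jsonl"
            # The verify step already failed the job on a missing provenance,
            # so the "Missing" row is only reachable if that step is skipped.
            if [ -f "dist/$provenance" ]; then
              echo "| $basename | linux | ✅ Signed |" >> "$GITHUB_STEP_SUMMARY"
            else
              echo "| $basename | linux | ❌ Missing |" >> "$GITHUB_STEP_SUMMARY"
            fi
          done
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### Verification" >> "$GITHUB_STEP_SUMMARY"
          echo "Users can verify provenance using:" >> "$GITHUB_STEP_SUMMARY"
          echo '```bash' >> "$GITHUB_STEP_SUMMARY"
          echo 'slsa-verifier verify-artifact nftban-core-linux-amd64 \' >> "$GITHUB_STEP_SUMMARY"
          echo ' --provenance-path nftban-core-linux-amd64.intoto.jsonl \' >> "$GITHUB_STEP_SUMMARY"
          echo ' --source-uri github.com/itcmsgr/nftban' >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"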