Add JFrog RLM evidence workflow example

Author: jmatias

.github/workflows/jfrog-rlm-evidence.yml

@@ -0,0 +1,120 @@
+name: "JFrog RLM Evidence Collection Example"
+
+on:
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  JF_URL: ${{ vars.JF_URL }}
+  JF_PROJECT: ${{ vars.JF_PROJECT }}
+  BUILD_NAME: podinfo
+  BUILD_NUMBER: ${{ github.run_number }}
+  RC_REPO: libs-rc-local
+  RELEASE_REPO: libs-release-local
+  RELEASE_BUNDLE_NAME: podinfo-rlm
+
+jobs:
+  build_and_attest:
+    name: Build + attest RC
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup JFrog CLI (OIDC)
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ env.JF_URL }}
+        with:
+          oidc-provider-name: ${{ vars.JF_OIDC_PROVIDER_NAME }}
+
+      - name: Build binary
+        run: |
+          make build
+
+      - name: Upload RC artifact to dedicated repo
+        run: |
+          jf rt upload "./dist/**" "${RC_REPO}/podinfo/${GITHUB_SHA}/" \
+            --project="${JF_PROJECT}" \
+            --build-name="${BUILD_NAME}" \
+            --build-number="${BUILD_NUMBER}"
+
+      - name: Capture build info & git metadata
+        run: |
+          jf rt build-collect-env "${BUILD_NAME}" "${BUILD_NUMBER}"
+          jf rt build-add-git "${BUILD_NAME}" "${BUILD_NUMBER}"
+
+      - name: Generate SBOM (example evidence)
+        uses: anchore/sbom-action@v0
+        with:
+          path: .
+          output-file: sbom.spdx.json
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@v3
+
+      - name: Create signed attestation (keyless via OIDC)
+        env:
+          COSIGN_EXPERIMENTAL: "1"
+        run: |
+          cosign attest \
+            --predicate sbom.spdx.json \
+            --type spdx \
+            --yes \
+            "${RC_REPO}/podinfo/${GITHUB_SHA}/"
+
+      - name: Attach signed evidence to build
+        run: |
+          # Evidence Collection: attach SBOM + provenance to the build
+          # Replace arguments with your preferred predicate/subject types.
+          jf evc add \
+            --build-name="${BUILD_NAME}" \
+            --build-number="${BUILD_NUMBER}" \
+            --predicate="sbom.spdx.json" \
+            --predicate-type="spdx"
+
+      - name: Publish build info
+        run: |
+          jf rt build-publish "${BUILD_NAME}" "${BUILD_NUMBER}" \
+            --project="${JF_PROJECT}"
+
+      - name: Create Release Bundle v2 (RC)
+        run: |
+          jf rbc create "${RELEASE_BUNDLE_NAME}" "${BUILD_NUMBER}" \
+            --builds "${BUILD_NAME}/${BUILD_NUMBER}" \
+            --project "${JF_PROJECT}"
+
+  verify_and_promote:
+    name: Verify + promote to production
+    runs-on: ubuntu-latest
+    needs: build_and_attest
+    environment: production
+    steps:
+      - name: Setup JFrog CLI (OIDC)
+        uses: jfrog/setup-jfrog-cli@v4
+        env:
+          JF_URL: ${{ env.JF_URL }}
+        with:
+          oidc-provider-name: ${{ vars.JF_OIDC_PROVIDER_NAME }}
+
+      - name: Verify release integrity
+        run: |
+          # Verify the evidence chain before promoting to production.
+          # This guards against tampering or accidental changes.
+          jf evc verify \
+            --release-bundle "${RELEASE_BUNDLE_NAME}" \
+            --version "${BUILD_NUMBER}" \
+            --project "${JF_PROJECT}"
+
+      - name: Promote Release Bundle to production repo
+        run: |
+          # Promote binaries to dedicated production repo after verification.
+          jf rbd "${RELEASE_BUNDLE_NAME}" "${BUILD_NUMBER}" \
+            --project "${JF_PROJECT}" \
+            --repo "${RELEASE_REPO}"