From 3fca82acf76beb9a9ba9407efdbb312bdb795c28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADctor=20Cuadrado=20Juan?=
Date: Fri, 11 Oct 2024 14:37:57 +0200
Subject: [PATCH] ci: Generate attestations using actions/attest-build-provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: VĂ­ctor Cuadrado Juan
---
 .github/workflows/build.yml | 123 +++++++++++------------------------
 1 file changed, 36 insertions(+), 87 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index e8fa41fe0..f170ee4b9 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,9 +22,8 @@ jobs:
 artifact-hashes-aarch64: string
 artifact-hashes-x86_64: string
 permissions:
- packages: write
 id-token: write
-
+ attestations: write
 steps:
 - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
@@ -53,14 +52,17 @@ jobs:
 - name: fake build
 run: echo "foo" > kwctl-linux-${{ matrix.targetarch }}
- - name: Generate hashes of artifacts for provenance
- shell: bash
- id: hashes
- run: |
- set -euo pipefail
- # sha256sum generates sha256 hash for all artifacts.
- # base64 -w0 encodes to base64 and outputs on a single line.
- echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum kwctl-linux-${{ matrix.targetarch }} scripts/kubewarden-load-policies.sh scripts/kubewarden-save-policies.sh | base64 -w0)" >> "$GITHUB_OUTPUT"
+ - name: Generate attestations
+ uses: actions/attest-build-provenance@v1
+ id: attestations
+ with:
+ subject-path: kwctl-linux-${{ matrix.targetarch }}
+
+ - name: Upload attestations
+ uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+ with:
+ name: ${{ steps.attestations.outputs.bundle-path }}/
+ path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })
 - name: Sign kwctl
 run: |
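Review bot: `uses: actions/attest-build-provenance@v1` in the new Generate attestations step is the only action in this file referenced by a floating tag; every other step pins a full commit SHA with a version comment, so this one should be pinned the same way (`uses: actions/attest-build-provenance@<COMMIT_SHA> # v1.x`, with the placeholder replaced by the resolved SHA of the release). The Upload attestations step's `with:` inputs are not evaluated by a shell, so `path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })` is passed literally and will match no file, while `name: ${{ steps.attestations.outputs.bundle-path }}/` puts path separators into an artifact name and is the same for every matrix entry; `name: attestation-${{ matrix.targetarch }}` with `path: ${{ steps.attestations.outputs.bundle-path }}` avoids both. The removed linux hash step also covered scripts/kubewarden-load-policies.sh and scripts/kubewarden-save-policies.sh, which the new `subject-path` no longer attests; if those scripts are still shipped, list them in `subject-path` as well. The same pinning and upload-input problems repeat in the darwin and windows hunks (`@@ -153,14 +156,17 @@` and `@@ -246,14 +253,17 @@`). The enclosing job starts and ends outside this hunk.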
@@ -124,6 +126,7 @@ jobs:
 artifact-hashes-x86_64: string
 permissions:
 id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
@@ -153,14 +156,17 @@ jobs:
 - name: fake build
 run: echo "foo" > kwctl-darwin-${{ matrix.targetarch }}
- - name: Generate hashes of artifacts for provenance
- shell: bash
- id: hashes
- run: |
- set -euo pipefail
- # sha256sum generates sha256 hash for all artifacts.
- # base64 -w0 encodes to base64 and outputs on a single line.
- echo "artifact-hashes-${{ matrix.targetarch }}=$(shasum -a 256 kwctl-darwin-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
+ - name: Generate attestations
+ uses: actions/attest-build-provenance@v1
+ id: attestations
+ with:
+ subject-path: kwctl-darwin-${{ matrix.targetarch }}
+
+ - name: Upload attestations
+ uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+ with:
+ name: ${{ steps.attestations.outputs.bundle-path }}/
+ path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })
 - name: Sign kwctl
 run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
@@ -217,6 +223,7 @@ jobs:
 artifact-hashes-x86_64: string
 permissions:
 id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
@@ -246,14 +253,17 @@ jobs:
 - name: fake build
 run: echo "foo" > kwctl-windows-x86_64.exe
- - name: Generate hashes of artifacts for provenance
- shell: bash
- id: hashes
- run: |
- set -euo pipefail
- # sha256sum generates sha256 hash for all artifacts.
- # base64 -w0 encodes to base64 and outputs on a single line.
- echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum -t kwctl-windows-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
+ - name: Generate attestations
+ uses: actions/attest-build-provenance@v1
+ id: attestations
+ with:
+ subject-path: kwctl-windows-${{ matrix.targetarch }}
+
+ - name: Upload attestations
+ uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+ with:
+ name: ${{ steps.attestations.outputs.bundle-path }}/
+ path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })
 - name: Sign kwctl
 run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
@@ -300,64 +310,3 @@ jobs:
 kwctl-windows-x86_64-sbom.spdx
 kwctl-windows-x86_64-sbom.spdx.cert
 kwctl-windows-x86_64-sbom.spdx.sig
-
- combine_hashes:
- name: Generate artifact hashes
- needs: [build-linux-binaries, build-darwin-binaries, build-windows-x86_64]
- runs-on: ubuntu-latest
- permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write # To add assets to a release.
- steps:
- - name: Combine artifact hashes into single file
- shell: bash
- run: |
- # To make sure we catch all the hashes, deal with the job outputs
- # globally instead of 1 by 1, by reading all of them as a JSON:
- # echo "${{ toJSON(needs.build-linux-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
- # echo "${{ toJSON(needs.build-darwin-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
- # echo "${{ toJSON(needs.build-windows-x64_64.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
-
- # another option is to appending them 1 by 1:
- echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
- echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
- echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
- echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
- echo "${{ needs.build-windows-x86_64.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
-
- echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
-
- provenance:
- needs: [combine_hashes]
- permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write # To read hashes, push artifacts (which we don't do but the workflow as for its perms)
- # For now, one must use the tag instead of git hash for referencing this GHA.
- # See: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
- # This is one of the reasons we have the generator on its own job.
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
- with:
- provenance-name: kwctl-provenance.multiple
- base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
- upload-assets: false # don't upload to release
-
- upload_provenance:
- needs: [provenance]
- permissions:
- contents: write # To upload artifacts
- runs-on: ubuntu-latest
- steps:
- - name: ls
- shell: bash
- run: |
- ls -la
-
- - name: Upload provenance files
- uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
- with:
- name: kwctl-provenance
- path: |
- kwctl-provenance.multiple.intoto.json1
- kwctl-provenance.multiple.intoto.json1.sig