
ci: Generate attestations using actions/attest-build-provenance
Signed-off-by: Víctor Cuadrado Juan <vcuadradojuan@suse.de>
viccuad committed Oct 11, 2024
1 parent 8993483 commit cf970aa
Showing 1 changed file with 34 additions and 85 deletions.
119 changes: 34 additions & 85 deletions .github/workflows/build.yml
Expand Up @@ -24,6 +24,7 @@ jobs:
permissions:
packages: write
id-token: write
attestations: write

steps:
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
Expand Down Expand Up @@ -53,14 +54,17 @@ jobs:
- name: fake build
run: echo "foo" > kwctl-linux-${{ matrix.targetarch }}

- name: Generate hashes of artifacts for provenance
shell: bash
id: hashes
run: |
set -euo pipefail
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum kwctl-linux-${{ matrix.targetarch }} scripts/kubewarden-load-policies.sh scripts/kubewarden-save-policies.sh | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Generate attestations
uses: actions/attest-build-provenance@v1
id: attestations
with:
subject-path: kwctl-linux-${{ matrix.targetarch }}

- name: Upload attestations
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
with:
name: ${{ steps.attestations.outputs.bundle-path }}/
path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })

- name: Sign kwctl
run: |
Expand Down Expand Up @@ -153,14 +157,17 @@ jobs:
- name: fake build
run: echo "foo" > kwctl-darwin-${{ matrix.targetarch }}

- name: Generate hashes of artifacts for provenance
shell: bash
id: hashes
run: |
set -euo pipefail
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
echo "artifact-hashes-${{ matrix.targetarch }}=$(shasum -a 256 kwctl-darwin-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Generate attestations
uses: actions/attest-build-provenance@v1
id: attestations
with:
subject-path: kwctl-darwin-${{ matrix.targetarch }}

- name: Upload attestations
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
with:
name: ${{ steps.attestations.outputs.bundle-path }}/
path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })

- name: Sign kwctl
run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
Expand Down Expand Up @@ -246,14 +253,17 @@ jobs:
- name: fake build
run: echo "foo" > kwctl-windows-x86_64.exe

- name: Generate hashes of artifacts for provenance
shell: bash
id: hashes
run: |
set -euo pipefail
# sha256sum generates sha256 hash for all artifacts.
# base64 -w0 encodes to base64 and outputs on a single line.
echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum -t kwctl-windows-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Generate attestations
uses: actions/attest-build-provenance@v1
id: attestations
with:
subject-path: kwctl-windows-${{ matrix.targetarch }}

- name: Upload attestations
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
with:
name: ${{ steps.attestations.outputs.bundle-path }}/
path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })

- name: Sign kwctl
run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
Expand Down Expand Up @@ -300,64 +310,3 @@ jobs:
kwctl-windows-x86_64-sbom.spdx
kwctl-windows-x86_64-sbom.spdx.cert
kwctl-windows-x86_64-sbom.spdx.sig
combine_hashes:
name: Generate artifact hashes
needs: [build-linux-binaries, build-darwin-binaries, build-windows-x86_64]
runs-on: ubuntu-latest
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
steps:
- name: Combine artifact hashes into single file
shell: bash
run: |
# To make sure we catch all the hashes, deal with the job outputs
# globally instead of 1 by 1, by reading all of them as a JSON:
# echo "${{ toJSON(needs.build-linux-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
# echo "${{ toJSON(needs.build-darwin-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
# echo "${{ toJSON(needs.build-windows-x64_64.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
# another option is to appending them 1 by 1:
echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
echo "${{ needs.build-windows-x86_64.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [combine_hashes]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To read hashes, push artifacts (which we don't do but the workflow as for its perms)
# For now, one must use the tag instead of git hash for referencing this GHA.
# See: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
# This is one of the reasons we have the generator on its own job.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
provenance-name: kwctl-provenance.multiple
base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
upload-assets: false # don't upload to release

upload_provenance:
needs: [provenance]
permissions:
contents: write # To upload artifacts
runs-on: ubuntu-latest
steps:
- name: ls
shell: bash
run: |
ls -la
- name: Upload provenance files
uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
with:
name: kwctl-provenance
path: |
kwctl-provenance.multiple.intoto.json1
kwctl-provenance.multiple.intoto.json1.sig
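Review bot: The `Upload attestations` step's `with:` inputs are not shell-evaluated, so `path: $(basename ${${{ steps.attestations.outputs.bundle-path }} })` stays a literal string that matches no file, and `name: ${{ steps.attestations.outputs.bundle-path }}/` puts an absolute path with slashes into the artifact name, which upload-artifact v4's name validation rejects; the same pair is repeated in the darwin and windows hunks. Since `bundle-path` is documented by the action as the path to the generated bundle file, the plain form `name: kwctl-linux-${{ matrix.targetarch }}-attestation` and `path: ${{ steps.attestations.outputs.bundle-path }}` (adjusted per platform) is what the step needs. `uses: actions/attest-build-provenance@v1` is the only action in these hunks pinned to a mutable tag, while cosign-installer and upload-artifact are pinned to a commit SHA with a version comment; the step that produces the provenance should be pinned the same way (`actions/attest-build-provenance@<commit-sha> # v1.x`). Only the linux job's `permissions:` block is visible here; if the darwin and windows jobs' permission blocks (outside these hunks) do not also grant `attestations: write`, the new step fails in those jobs. Note also that the removed hashes step covered `scripts/kubewarden-load-policies.sh` and `scripts/kubewarden-save-policies.sh`, which the new `subject-path` no longer attests, so that narrowing should be intentional and called out in the commit message.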
