image provenance #7

Workflow file for this run

.github/workflows/goreleaser.yml at f15c870

	name: goreleaser

	on:
	push:
	tags:
	- "v*" # triggers only if push new tag version, like `0.8.4` or else

	permissions:
	contents: read

	jobs:
	goreleaser:
	outputs:
	hashes: ${{ steps.binary.outputs.hashes }}
	image: ${{ steps.image.outputs.name }}
	digest: ${{ steps.image.outputs.digest }}
	permissions:
	contents: write # for goreleaser/goreleaser-action to create a GitHub release
	runs-on: ubuntu-latest
	steps:
	- name: Checkout
	uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v2.3.4
	with:
	fetch-depth: 0
	- name: Set up Go
	uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
	with:
	go-version: "1.20"
	check-latest: true
	- name: Run GoReleaser
	id: goreleaser
	uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v2.5.0
	with:
	version: latest
	args: release --rm-dist
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Generate binary hashes
	id: binary
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	checksum_file=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Checksum") \| .path')
	echo "hashes=$(cat $checksum_file \| base64 -w0)" >> "$GITHUB_OUTPUT"
	- name: Image digest
	id: image
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail
	image_and_digest=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Docker Manifest") \| .path')
	image=$(echo "${image_and_digest}" \| cut -d'@' -f1 \| cut -d':' -f1)
	digest=$(echo "${image_and_digest}" \| cut -d'@' -f2)
	echo "name=$image" >> "$GITHUB_OUTPUT"
	echo "digest=$digest" >> "$GITHUB_OUTPUT"

	binary-provenance:
	needs: [goreleaser]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
	upload-assets: true # upload to a new release

	image-provenance:
	needs: [goreleaser]
	permissions:
	actions: read
	id-token: write
	packages: write
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ${{ needs.goreleaser.outputs.image }}
	digest: ${{ needs.goreleaser.outputs.digest }}
	registry-username: ${{ github.actor }}
	secrets:
	registry-password: ${{ secrets.GITHUB_TOKEN }}

	verification-with-slsa-verifier:
	needs: [goreleaser, binary-provenance]
	runs-on: ubuntu-latest
	permissions: read-all
	steps:
	- name: Install the verifier
	uses: slsa-framework/slsa-verifier/actions/[email protected]

	- name: Download assets
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
	- name: Verify assets
	env:
	CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
	PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	checksums=$(echo "$CHECKSUMS" \| base64 -d)
	while read -r line; do
	fn=$(echo $line \| cut -d ' ' -f2)
	echo "Verifying $fn"
	slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
	--source-uri "github.com/$GITHUB_REPOSITORY" \
	--source-tag "$GITHUB_REF_NAME" \
	"$fn"
	done <<<"$checksums"

	verification-with-cosign:
	needs: [goreleaser, image-provenance]
	runs-on: ubuntu-latest
	permissions: read-all
	steps:
	- name: Login
	uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Install Cosign
	uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2

	- name: Verify image
	env:
	IMAGE: ${{ needs.goreleaser.outputs.image }}
	DIGEST: ${{ needs.goreleaser.outputs.digest }}
	run: \|
	cosign verify-attestation \
	--type slsaprovenance \
	--certificate-oidc-issuer https://token.actions.githubusercontent.com \
	--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
	$IMAGE@$DIGEST

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

image provenance #7

Workflow file

image provenance #7

Jobs

Run details

Workflow file for this run