chore: add slsa provenance to release assets #90

Workflow file for this run

.github/workflows/release.yml at c0f6fc5

	on:
	release:
	types:
	- published
	name: Build Release
	permissions:
	contents: read
	jobs:
	release-assests:
	permissions:
	contents: write # for softprops/action-gh-release to create GitHub release
	name: release kubectl-karmada
	runs-on: ubuntu-22.04
	strategy:
	matrix:
	target:
	- karmadactl
	- kubectl-karmada
	os:
	- linux
	- darwin
	arch:
	- amd64
	- arm64
	steps:
	- uses: actions/checkout@v4
	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version-file: go.mod
	- name: Making and packaging
	env:
	GOOS: ${{ matrix.os }}
	GOARCH: ${{ matrix.arch }}
	run: make release-${{ matrix.target }}
	- name: upload cli
	uses: actions/upload-artifact@v4
	with:
	name: cli-${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
	path: _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
	- name: Uploading assets...
	if: ${{ !env.ACT }}
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	_output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz
	_output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256
	cli-provenance:
	needs: [release-assests]
	runs-on: ubuntu-22.04
	permissions:
	actions: read # for detecting the Github Actions environment
	id-token: write # Needed for provenance signing and ID
	contents: write # Needed for release uploads
	steps:
	- name: download cli
	uses: actions/download-artifact@v4
	with:
	path: _output/release
	pattern: cli-*
	merge-multiple: true
	- name: generate cli hash
	id: hash
	run: \|
	cd _output/release
	# sha256sum generates sha256 hash for cli.
	# base64 -w0 encodes to base64 and outputs on a single line.
	echo "hashes=$(sha256sum *.tgz\|base64 -w0)" >> "$GITHUB_OUTPUT"
	# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
	- uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ steps.hash.outputs.hashes }}"
	provenance-name: "karmada-cli.intoto.jsonl"
	upload-assets: true
	release-crds-assests:
	permissions:
	contents: write # for softprops/action-gh-release to create GitHub release
	name: release crds
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v4
	- name: Rename the crds directory
	run: \|
	mv ./charts/karmada/_crds ./charts/karmada/crds
	- name: Tar the crds
	uses: a7ul/[email protected]
	with:
	command: c
	cwd: ./charts/karmada/
	files: crds
	outPath: crds.tar.gz
	- name: generate crds hash
	id: hash
	run: \|
	# sha256sum generates sha256 hash for crds.
	# base64 -w0 encodes to base64 and outputs on a single line.
	echo "hashes=$(sha256sum crds.tar.gz \| base64 -w0)" >> "$GITHUB_OUTPUT"
	- name: Uploading crd assets...
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	crds.tar.gz
	crds-provenance:
	needs: [release-crds-assests]
	permissions:
	actions: read # for detecting the Github Actions environment
	id-token: write # Needed for provenance signing and ID
	contents: write # Needed for release uploads
	# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.release-crds-assests.outputs.hashes }}"
	provenance-name: "karmada-crds.intoto.jsonl"
	upload-assets: true
	release-charts:
	permissions:
	contents: write # for softprops/action-gh-release to create GitHub release
	name: Release charts
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v4
	- name: Making helm charts
	env:
	VERSION: ${{ github.ref_name }}
	run: make package-chart
	- name: Uploading assets...
	if: ${{ !env.ACT }}
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	_output/charts/karmada-chart-${{ github.ref_name }}.tgz
	_output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256
	_output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz
	_output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256
	- name: generate charts hash
	id: hash
	run: \|
	cd _output/charts
	echo "hashes=$(sha256sum *.tgz\|base64 -w0)" >> "$GITHUB_OUTPUT"
	charts-provenance:
	needs: [release-charts]
	permissions:
	actions: read # for detecting the Github Actions environment
	id-token: write # Needed for provenance signing and ID
	contents: write # Needed for release uploads
	# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.release-charts.outputs.hashes }}"
	provenance-name: "karmada-charts.intoto.jsonl"
	upload-assets: true
	sbom-assests:
	permissions:
	contents: write # for softprops/action-gh-release to create GitHub release
	name: Release sbom
	outputs:
	hashes: ${{ steps.sbom-hash.outputs.hashes}}
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v4
	- name: Generate sbom for karmada file system
	uses: aquasecurity/[email protected]
	with:
	scan-type: 'fs'
	format: 'spdx'
	output: 'sbom-karmada.spdx'
	scan-ref: "/github/workspace/"
	- name: Tar the sbom files
	run: \|
	tar -zcf sbom.tar.gz *.spdx
	- name: Generate SBOM hash
	shell: bash
	id: sbom-hash
	run: \|
	# sha256sum generates sha256 hash for sbom.
	# base64 -w0 encodes to base64 and outputs on a single line.
	echo "hashes=$(sha256sum sbom.tar.gz \| base64 -w0)" >> "$GITHUB_OUTPUT"
	- name: Uploading sbom assets...
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	sbom.tar.gz
	sbom-provenance:
	needs: [sbom-assests]
	permissions:
	actions: read # for detecting the Github Actions environment
	id-token: write # Needed for provenance signing and ID
	contents: write # Needed for release uploads
	# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.sbom-assests.outputs.hashes }}"
	provenance-name: "karmada-sbom.intoto.jsonl"
	upload-assets: true
	update-krew-index:
	needs: release-assests
	name: Update krew-index
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@v4
	- name: Update new version in krew-index
	uses: rajatjindal/[email protected]

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: add slsa provenance to release assets #90

Workflow file

chore: add slsa provenance to release assets #90

Jobs

Run details

Workflow file for this run