From c0f6fc5b5dcda56a2d37bd25114d9b227d2506f5 Mon Sep 17 00:00:00 2001 From: zhzhuang-zju Date: Fri, 9 Aug 2024 15:10:38 +0800 Subject: [PATCH] chore: add slsa provenance to release assets Signed-off-by: zhzhuang-zju --- .github/workflows/release.yml | 96 +++++++++++++++++++++++++++++++++-- 1 file changed, 92 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e5c30b86c180..e498b80d35b9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -33,10 +33,11 @@ jobs: GOOS: ${{ matrix.os }} GOARCH: ${{ matrix.arch }} run: make release-${{ matrix.target }} - - name: Making helm charts - env: - VERSION: ${{ github.ref_name }} - run: make package-chart + - name: upload cli + uses: actions/upload-artifact@v4 + with: + name: cli-${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz + path: _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz - name: Uploading assets... if: ${{ !env.ACT }} uses: softprops/action-gh-release@v2 
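Review bot: The new `upload cli` step references `actions/upload-artifact@v4` by a mutable major tag, and the neighbouring `softprops/action-gh-release@v2` upload is pinned the same way, which undercuts a change whose whole purpose is SLSA provenance — a tag can be moved to different code and the provenance would still attest the result. Pin both to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/upload-artifact@<commit-sha> # v4.x.y`, so a Dependabot/Renovate bump is the only way the action code changes. The removed `Making helm charts` step (`make package-chart`) is not mentioned in the commit message; it is presumably redundant with the `release-charts` job, but a one-line note in the description would save the next reader from wondering whether chart packaging was dropped from the matrix by accident. Note also that the tarball hashed by the provenance job is whatever is downloaded from the run's artifact store, so the provenance attests the hash computed in this workflow rather than a hermetic build — that is the documented scope of the generic generator and is worth a comment on the step.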
@@ -44,10 +45,39 @@ jobs: files: | _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz _output/release/${{ matrix.target }}-${{ matrix.os }}-${{ matrix.arch }}.tgz.sha256 + cli-provenance: + needs: [release-assests] + runs-on: ubuntu-22.04 + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + steps: + - name: download cli + uses: actions/download-artifact@v4 + with: + path: _output/release + pattern: cli-* + merge-multiple: true + - name: generate cli hash + id: hash + run: | + cd _output/release + # sha256sum generates sha256 hash for cli. + # base64 -w0 encodes to base64 and outputs on a single line. + echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT" + # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ steps.hash.outputs.hashes }}" + provenance-name: "karmada-cli.intoto.jsonl" + upload-assets: true release-crds-assests: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: release crds + outputs: + hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 
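Review bot: `cli-provenance` invokes the reusable workflow `generator_generic_slsa3.yml` as a *step* (`steps: ... - uses: slsa-framework/...@v2.0.0` with `with:` inputs) inside a job that also has `runs-on` and `steps`; a reusable workflow can only be called at job level via `jobs.<id>.uses`, so this job will fail at workflow validation ("Can't find 'action.yml'") and no CLI provenance is ever produced — the three other provenance jobs in this same patch use the correct job-level form. Split it into a hashing job that exposes `hashes` as a job output and a provenance job that `uses:` the generator with `needs.cli-hash.outputs.hashes`, mirroring `crds-provenance`. While at it, give the hash step `shell: bash` so `pipefail` applies and a failing `sha256sum` cannot be masked by `base64 -w0` exiting 0 and writing an empty `hashes=` output.

```yaml
  cli-hash:
    needs: [release-assests]
    runs-on: ubuntu-22.04
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: download cli
        uses: actions/download-artifact@v4
        with:
          path: _output/release
          pattern: cli-*
          merge-multiple: true
      - name: generate cli hash
        id: hash
        shell: bash
        run: |
          cd _output/release
          # sha256sum generates sha256 hash for cli.
          # base64 -w0 encodes to base64 and outputs on a single line.
          echo "hashes=$(sha256sum *.tgz | base64 -w0)" >> "$GITHUB_OUTPUT"
  cli-provenance:
    needs: [cli-hash]
    permissions:
      actions: read # for detecting the Github Actions environment
      id-token: write # Needed for provenance signing and ID
      contents: write # Needed for release uploads
    # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.cli-hash.outputs.hashes }}"
      provenance-name: "karmada-cli.intoto.jsonl"
      upload-assets: true
  # … unchanged: release-crds-assests job with its new `outputs.hashes` …
```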
@@ -61,15 +91,35 @@ jobs: cwd: ./charts/karmada/ files: crds outPath: crds.tar.gz + - name: generate crds hash + id: hash + run: | + # sha256sum generates sha256 hash for crds. + # base64 -w0 encodes to base64 and outputs on a single line. + echo "hashes=$(sha256sum crds.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" - name: Uploading crd assets... uses: softprops/action-gh-release@v2 with: files: | crds.tar.gz + crds-provenance: + needs: [release-crds-assests] + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.release-crds-assests.outputs.hashes }}" + provenance-name: "karmada-crds.intoto.jsonl" + upload-assets: true release-charts: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: Release charts + outputs: + hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 
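Review bot: The `# Must be referenced by a tag.` comment above `crds-provenance`'s `uses:` links to the *container* builder README (`internal/builders/container/README.md`), but this job calls the generic generator, whose referencing rules live in `internal/builders/generic/README.md`; the same copy-pasted link appears on every provenance job in this patch, so fix it once here and in the siblings: `# Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator`. The `generate crds hash` step has no `shell:` so the default shell carries no `pipefail`; `sha256sum crds.tar.gz | base64 -w0` then reports success even when `sha256sum` fails, and the provenance job receives an empty `base64-subjects` — add `shell: bash` as the SBOM hash step in this patch already does. Consider also a one-line comment on `contents: write` stating it is granted only because `upload-assets: true` pushes the `.intoto.jsonl` to the release, so a reader does not drop `upload-assets` and leave the broad permission behind.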
@@ -86,10 +136,29 @@ jobs: _output/charts/karmada-chart-${{ github.ref_name }}.tgz.sha256 _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz _output/charts/karmada-operator-chart-${{ github.ref_name }}.tgz.sha256 + - name: generate charts hash + id: hash + run: | + cd _output/charts + echo "hashes=$(sha256sum *.tgz|base64 -w0)" >> "$GITHUB_OUTPUT" + charts-provenance: + needs: [release-charts] + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.release-charts.outputs.hashes }}" + provenance-name: "karmada-charts.intoto.jsonl" + upload-assets: true sbom-assests: permissions: contents: write # for softprops/action-gh-release to create GitHub release name: Release sbom + outputs: + hashes: ${{ steps.sbom-hash.outputs.hashes}} runs-on: ubuntu-22.04 steps: - uses: actions/checkout@v4 
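Review bot: The `generate charts hash` step is the only hash step in this patch with neither a `shell: bash` nor the explanatory comments the other three carry, and without `shell: bash` the pipeline `sha256sum *.tgz|base64 -w0` has no `pipefail`: if the glob matches nothing or `sha256sum` errors, `base64` still exits 0, the step passes, and `charts-provenance` is handed an empty subject list. Add `shell: bash` after `id: hash` and the same two comment lines used for the CLI step (`# sha256sum generates sha256 hash for charts.` / `# base64 -w0 encodes to base64 and outputs on a single line.`). It is also worth a comment that `*.tgz` is intended to pick up exactly the `karmada-chart-*` and `karmada-operator-chart-*` tarballs listed in the upload step above, so a future addition to `_output/charts` is knowingly either attested or excluded.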
@@ -103,11 +172,30 @@ jobs: - name: Tar the sbom files run: | tar -zcf sbom.tar.gz *.spdx + - name: Generate SBOM hash + shell: bash + id: sbom-hash + run: | + # sha256sum generates sha256 hash for sbom. + # base64 -w0 encodes to base64 and outputs on a single line. + echo "hashes=$(sha256sum sbom.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT" - name: Uploading sbom assets... uses: softprops/action-gh-release@v2 with: files: | sbom.tar.gz + sbom-provenance: + needs: [sbom-assests] + permissions: + actions: read # for detecting the Github Actions environment + id-token: write # Needed for provenance signing and ID + contents: write # Needed for release uploads + # Must be referenced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.sbom-assests.outputs.hashes }}" + provenance-name: "karmada-sbom.intoto.jsonl" + upload-assets: true update-krew-index: needs: release-assests name: Update krew-index
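Review bot: The provenance subject for the SBOM is only `sbom.tar.gz` (`sha256sum sbom.tar.gz` in `Generate SBOM hash`), so a consumer who pulls an individual `*.spdx` file out of the tarball cannot verify it against `karmada-sbom.intoto.jsonl` — either note this in a comment on the step (`# Only the tarball is attested; verify the archive, then extract.`) or hash `*.spdx sbom.tar.gz` together so both forms are subjects. The new `outputs:` line `hashes: ${{ steps.sbom-hash.outputs.hashes}}` is missing the space before `}}` that every sibling job uses; write `hashes: ${{ steps.sbom-hash.outputs.hashes }}` for consistency. This step is the only one in the patch that sets `shell: bash` (and thus `pipefail`); that is the right choice and the other hash steps should be brought in line with it rather than the other way round.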