ci: Generate attestations using actions/attest-build-provenance

Signed-off-by: Víctor Cuadrado Juan <[email protected]>
viccuad · Oct 11, 2024 · 8a4fc19 · 8a4fc19
1 parent 8993483
commit 8a4fc19
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 87 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,9 +22,8 @@ jobs:
       artifact-hashes-aarch64: string
       artifact-hashes-x86_64: string
     permissions:
-      packages: write
       id-token: write
-
+      attestations: write
     steps:
       - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
@@ -53,14 +52,17 @@ jobs:
       - name: fake build
         run: echo "foo" > kwctl-linux-${{ matrix.targetarch }}
 
-      - name: Generate hashes of artifacts for provenance
-        shell: bash
-        id: hashes
-        run: |
-          set -euo pipefail
-          # sha256sum generates sha256 hash for all artifacts.
-          # base64 -w0 encodes to base64 and outputs on a single line.
-          echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum kwctl-linux-${{ matrix.targetarch }} scripts/kubewarden-load-policies.sh scripts/kubewarden-save-policies.sh | base64 -w0)" >> "$GITHUB_OUTPUT"
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v1
+        id: attestations
+        with:
+          subject-path: kwctl-linux-${{ matrix.targetarch }}
+
+      - name: Upload attestations
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        with:
+          path: ${{ steps.attestations.outputs.bundle-path }}
+          name: kwctl-linux-${{ matrix.targetarch }}.attestation.sigstore.json
 
       - name: Sign kwctl
         run: |
@@ -124,6 +126,7 @@ jobs:
       artifact-hashes-x86_64: string
     permissions:
       id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
@@ -153,14 +156,17 @@ jobs:
       - name: fake build
         run: echo "foo" > kwctl-darwin-${{ matrix.targetarch }}
 
-      - name: Generate hashes of artifacts for provenance
-        shell: bash
-        id: hashes
-        run: |
-          set -euo pipefail
-          # sha256sum generates sha256 hash for all artifacts.
-          # base64 -w0 encodes to base64 and outputs on a single line.
-          echo "artifact-hashes-${{ matrix.targetarch }}=$(shasum -a 256 kwctl-darwin-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v1
+        id: attestations
+        with:
+          subject-path: kwctl-darwin-${{ matrix.targetarch }}
+
+      - name: Upload attestations
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        with:
+          path: ${{ steps.attestations.outputs.bundle-path }}
+          name: kwctl-darwin-${{ matrix.targetarch }}.attestation.sigstore.json
 
       - name: Sign kwctl
         run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
@@ -217,6 +223,7 @@ jobs:
       artifact-hashes-x86_64: string
     permissions:
       id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.0
 
@@ -246,14 +253,17 @@ jobs:
       - name: fake build
         run: echo "foo" > kwctl-windows-x86_64.exe
 
-      - name: Generate hashes of artifacts for provenance
-        shell: bash
-        id: hashes
-        run: |
-          set -euo pipefail
-          # sha256sum generates sha256 hash for all artifacts.
-          # base64 -w0 encodes to base64 and outputs on a single line.
-          echo "artifact-hashes-${{ matrix.targetarch }}=$(sha256sum -t kwctl-windows-${{ matrix.targetarch }} | base64 -w0)" >> "$GITHUB_OUTPUT"
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@v1
+        id: attestations
+        with:
+          subject-path: kwctl-windows-${{ matrix.targetarch }}.exe
+
+      - name: Upload attestations
+        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        with:
+          path: ${{ steps.attestations.outputs.bundle-path }}
+          name: kwctl-windows-${{ matrix.targetarch }}.exe.attestation.sigstore.json
 
       - name: Sign kwctl
         run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
@@ -300,64 +310,3 @@ jobs:
             kwctl-windows-x86_64-sbom.spdx
             kwctl-windows-x86_64-sbom.spdx.cert
             kwctl-windows-x86_64-sbom.spdx.sig
-
-  combine_hashes:
-    name: Generate artifact hashes
-    needs: [build-linux-binaries, build-darwin-binaries, build-windows-x86_64]
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    steps:
-      - name: Combine artifact hashes into single file
-        shell: bash
-        run: |
-          # To make sure we catch all the hashes, deal with the job outputs
-          # globally instead of 1 by 1, by reading all of them as a JSON:
-          # echo "${{ toJSON(needs.build-linux-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
-          # echo "${{ toJSON(needs.build-darwin-binaries.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
-          # echo "${{ toJSON(needs.build-windows-x64_64.outputs) }}" | jq -r '.[] | @base64d' | sed "/^$/d" >> hashes.txt
-
-          # another option is to appending them 1 by 1:
-          echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
-          echo "${{ needs.build-linux-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
-          echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
-          echo "${{ needs.build-darwin-binaries.outputs.artifact-hashes-aarch64 }}" >> hashes.txt
-          echo "${{ needs.build-windows-x86_64.outputs.artifact-hashes-x86_64 }}" >> hashes.txt
-
-          echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-  provenance:
-    needs: [combine_hashes]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To read hashes, push artifacts (which we don't do but the workflow as for its perms)
-    # For now, one must use the tag instead of git hash for referencing this GHA.
-    # See: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
-    # This is one of the reasons we have the generator on its own job.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      provenance-name: kwctl-provenance.multiple
-      base64-subjects: "${{ needs.combine_hashes.outputs.hashes }}"
-      upload-assets: false # don't upload to release
-
-  upload_provenance:
-    needs: [provenance]
-    permissions:
-      contents: write # To upload artifacts
-    runs-on: ubuntu-latest
-    steps:
-      - name: ls
-        shell: bash
-        run: |
-          ls -la
-
-      - name: Upload provenance files
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
-        with:
-          name: kwctl-provenance
-          path: |
-            kwctl-provenance.multiple.intoto.json1
-            kwctl-provenance.multiple.intoto.json1.sig
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -23,6 +23,7 @@ jobs:
       packages: write
       actions: read
       contents: write
+      attestations: write
 
   release:
     name: Create release