Add SLSA source provenance workflow and VSA integration

claude · claude · commit 225ca98dcee3 · 2026-05-13T17:31:57.000Z
New source-provenance.yml workflow runs on push to main, creates a deterministic git archive, and attests it with SLSA build provenance. build.yml gains four steps after existing provenance attestations: generate source archive, verify source provenance (continue-on-error), generate SLSA VSA predicate, and attest binary artifacts with it. VSA steps are skipped gracefully when source attestation is absent (e.g. race on push, non-main commits). https://claude.ai/code/session_01TGzde6LDNw9q7aK9JE5jGf
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -175,6 +175,50 @@ jobs:
               --cert-identity "https://github.com/${{ github.repository }}/.github/workflows/build.yml@${{ github.ref }}" \
               --cert-oidc-issuer https://token.actions.githubusercontent.com
           done
+      - name: Generate source archive for VSA
+        shell: bash
+        run: git archive HEAD --format=tar.gz -o source.tar.gz
+      - name: Verify source provenance
+        id: verify-source
+        continue-on-error: true
+        shell: bash
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh attestation verify source.tar.gz \
+            --repo "${{ github.repository }}" \
+            --predicate-type https://slsa.dev/provenance/v1 \
+            --cert-identity "https://github.com/${{ github.repository }}/.github/workflows/source-provenance.yml@refs/heads/main" \
+            --cert-oidc-issuer https://token.actions.githubusercontent.com
+      - name: Generate VSA predicate
+        if: steps.verify-source.outcome == 'success'
+        shell: bash
+        run: |
+          jq -n \
+            --arg verifier "https://github.com/${{ github.repository }}/.github/workflows/build.yml@${{ github.ref }}" \
+            --arg time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+            --arg resource "git+https://github.com/${{ github.repository }}@${{ github.sha }}" \
+            --arg policy "https://github.com/${{ github.repository }}/.github/workflows/source-provenance.yml@refs/heads/main" \
+            '{
+              verifier: { id: $verifier },
+              timeVerified: $time,
+              resourceUri: $resource,
+              policy: { uri: $policy },
+              inputAttestations: [],
+              verificationResult: "PASSED",
+              verifiedLevels: ["SLSA_BUILD_LEVEL_3"]
+            }' > vsa-predicate.json
+      - name: Attest build artifacts with VSA
+        if: steps.verify-source.outcome == 'success'
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-path: |
+            build/dfetch-package/*.deb
+            build/dfetch-package/*.rpm
+            build/dfetch-package/*.pkg
+            build/dfetch-package/*.msi
+          predicate-type: 'https://slsa.dev/verification_summary/v1'
+          predicate-path: vsa-predicate.json
       - name: Store the distribution packages
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
@@ -0,0 +1,53 @@
+name: Source Provenance
+
+on:
+  push:
+    branches: ["main"]
+
+permissions:
+  contents: read
+
+jobs:
+  attest-source:
+    name: Generate source provenance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
+
+    steps:
+      - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
+        uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >+
+            github.com:443
+            api.github.com:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            *.blob.core.windows.net:443
+
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Generate source archive
+        run: git archive HEAD --format=tar.gz -o source.tar.gz
+
+      - name: Attest source provenance
+        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+        with:
+          subject-path: source.tar.gz
+
+      - name: Verify source provenance
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh attestation verify source.tar.gz \
+            --repo "${{ github.repository }}" \
+            --predicate-type https://slsa.dev/provenance/v1 \
+            --cert-identity "https://github.com/${{ github.repository }}/.github/workflows/source-provenance.yml@refs/heads/main" \
+            --cert-oidc-issuer https://token.actions.githubusercontent.com
