-
Notifications
You must be signed in to change notification settings - Fork 2
112 lines (105 loc) · 3.66 KB
/
Copy pathrelease-slsa.yml
File metadata and controls
112 lines (105 loc) · 3.66 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
# SPDX-FileCopyrightText: 2025 itiquette/git-provider-sync
#
# SPDX-License-Identifier: CC0-1.0
---
name: SLSA
on:
workflow_call:
inputs:
hashes:
required: true
type: string
image:
required: false
type: string
digest:
required: false
type: string
ref_name:
required: true
type: string
permissions:
contents: read
jobs:
binary-provenance:
permissions:
actions: read # To read the workflow path.
contents: write # To add assets to a release.
id-token: write # To sign the provenance.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
private-repository: true
base64-subjects: "${{ inputs.hashes }}"
upload-assets: true # upload to a new release
image-provenance:
if: ${{ inputs.image != '' && inputs.digest != '' }}
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
with:
image: ${{ inputs.image }}
digest: ${{ inputs.digest }}
private-repository: true
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
verification-with-slsa-verifier:
needs: [binary-provenance]
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@6657aada084353c65e5dde35394b1a010289fab0 # v2.7.0
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "${{ inputs.ref_name }}" -p '*.*'
- name: Verify assets
env:
CHECKSUMS: ${{ inputs.hashes }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
# shellcheck disable=SC2153
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo "$line" | cut -d ' ' -f3)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "${{ inputs.ref_name }}" \
"$fn"
done <<<"$checksums"
verification-with-cosign:
if: ${{ inputs.image != '' && inputs.digest != '' }}
needs: [image-provenance]
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
steps:
- name: Login
uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@3454372f43399081ed03b604cb2d021dabca52bb # v3.8.2
- name: Verify image
env:
IMAGE: ${{ inputs.image }}
DIGEST: ${{ inputs.digest }}
run: |
cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
"$IMAGE@$DIGEST"