GitHub Actions: Simplify attest

tangrufus · tangrufus · commit dcd16d8ce662 · 2026-04-15T23:48:58.000+01:00
- Follow GoReleaser's [recommended attest workflow](https://goreleaser.com/customization/publish/attestations/) - Remove [depercated](https://github.com/actions/attest-sbom/blob/c604332985a26aa8cf1bdc465b92731239ec6b9e/README.md#L4-L7) `attest-sbom` action
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -30,70 +30,6 @@ jobs:
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_ACCESS_TOKEN }}
-
-      - uses: actions/attest-build-provenance@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Darwin_arm64.tar.gz.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Darwin_x86_64.tar.gz.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Linux_arm64.tar.gz.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Linux_i386.tar.gz.sbom.json
-      - uses: actions/attest-sbom@v4
+      - uses: actions/attest@v4
         with:
-          show-summary: false
           subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Linux_x86_64.tar.gz.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Windows_arm64.zip.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Windows_i386.zip.sbom.json
-      - uses: actions/attest-sbom@v4
-        with:
-          show-summary: false
-          subject-checksums: ./dist/trellis_checksums.txt
-          sbom-path: ./dist/trellis_Windows_x86_64.zip.sbom.json
-
-  verify:
-    needs: [goreleaser]
-    runs-on: ubuntu-latest
-    steps:
-      - run: gh release download --clobber --dir artifacts -p '*.tar.gz' -p '*.zip' -p '*.sbom.json' --repo $REPO $TAG
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-          TAG: ${{ github.ref_name }}
-      - run: tree artifacts
-      - run: ls | xargs -I {} gh attestation verify --repo $REPO {}
-        working-directory: artifacts
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
-      - run: ls *.sbom.json | xargs -I {} gh attestation verify --predicate-type https://spdx.dev/Document/v2.3 --repo $REPO {}
-        working-directory: artifacts
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          REPO: ${{ github.repository }}
diff --git a/README.md b/README.md
@@ -85,33 +85,27 @@ setup after downloading the Windows build:
 trellis-cli artifacts can be [cryptographically verified via GitHub CLI](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
 
 ```console
-# The archive with both predicates
 $ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz
-## ...snipped...
-✓ Verification succeeded!
-
-sha256:xxx was attested by:
-REPO                   PREDICATE_TYPE                  WORKFLOW
-roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
-roots/trellis-cli  https://spdx.dev/Document/v2.3  .github/workflows/release.yml@refs/tags/v9.8.7
 
-# The binary
-$ gh attestation verify --repo roots/trellis-cli /path/to/trellis
-## ...snipped...
-✓ Verification succeeded!
+Loaded digest sha256:xxxxxxx for file://path/to/trellis_Darwin_arm64.tar.gz
+Loaded 1 attestation from GitHub API
 
-sha256:xxx was attested by:
-REPO                   PREDICATE_TYPE                  WORKFLOW
-roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/roots
+- Source Repository URI must match:......... https://github.com/roots/trellis-cli
+- Subject Alternative Name must match regex: (?i)^https://github.com/roots/trellis-cli/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
 
-# The SBOM
-$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz.sbom.json
-## ...snipped...
 ✓ Verification succeeded!
 
-sha256:xxx was attested by:
-REPO                   PREDICATE_TYPE                  WORKFLOW
-roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
+The following 1 attestation matched the policy criteria
+
+- Attestation #1
+  - Build repo:..... roots/trellis-cli
+  - Build workflow:. .github/workflows/release.yml@refs/tags/v0.0.1
+  - Signer repo:.... roots/trellis-cli
+  - Signer workflow: .github/workflows/release.yml@refs/tags/v0.0.1
 ```
 
 ## Shell Integration
@@ -309,4 +303,3 @@ Keep track of development and community news.
 - Follow [@rootswp on Twitter](https://twitter.com/rootswp)
 - Follow the [Roots Blog](https://roots.io/blog/)
 - Subscribe to the [Roots Newsletter](https://roots.io/subscribe/)
-
