Merge pull request #1229 from flavio/ci-fix-provenance-signature

flavio · web-flow · commit 2e2fd7a80c0a · 2025-10-22T12:04:46.000+02:00
ci: fix attestation generation
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -115,47 +115,45 @@ jobs:
             jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
           echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
-      - name: Sign provenance manifest
-        run: |
-          cosign sign --yes \
-          ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
-
-          cosign verify \
-            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
-            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
-            ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}}
-
       - name: Find SBOM manifest layer digest
         run: |
           set -e
           DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
             jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
           echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"
 
+      # We need to upload provenance and SBOM files, plus their signatures under the GitHub Release page.
+      # Moreover, the files have to be named in a certain way.
+      # This is required by [ossf](https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases)
       - name: Download provenance and SBOM files
         run: |
           set -e
           crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.PROVENANCE_DIGEST}} \
-            > kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json
-          sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-provenance.json \
-            >> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+            > kubewarden-controller-attestation-${{ matrix.arch }}-provenance.intoto.jsonl
 
           crane blob ghcr.io/${{github.repository_owner}}/kubewarden-controller@${{ env.SBOM_DIGEST}} \
             > kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
-          sha256sum kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json \
-            >> kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
 
-      - name: Sign checksum file
+      - name: Sign provenance and SBOM files
         run: |
+          set -e
           cosign sign-blob --yes \
-            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
-            kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-provenance.intoto.jsonl.bundle.sigstore \
+            kubewarden-controller-attestation-${{ matrix.arch }}-provenance.intoto.jsonl
+          cosign verify-blob \
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-provenance.intoto.jsonl.bundle.sigstore \
+            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+            --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
+            kubewarden-controller-attestation-${{ matrix.arch }}-provenance.intoto.jsonl
 
+          cosign sign-blob --yes \
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json.bundle.sigstore \
+            kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
           cosign verify-blob \
-            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
+            --bundle kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json.bundle.sigstore \
             --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
             --certificate-identity="https://github.com/${{github.repository_owner}}/kubewarden-controller/.github/workflows/release.yml@${{ github.ref }}" \
-            kubewarden-controller-attestation-${{ matrix.arch }}-checksum.txt
+            kubewarden-controller-attestation-${{ matrix.arch }}-sbom.json
 
       - name: Upload SBOMs as artifacts
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -252,12 +250,6 @@ jobs:
       - name: Display structure of downloaded files
         run: ls -R
 
-      - name: Create tarball for the attestation files
-        run: |
-          for arch in "amd64" "arm64"; do
-            tar -czf attestation-$arch.tar.gz $(ls kubewarden-controller-attestation-$arch-*)
-          done
-
       - name: Upload release assets
         id: upload_release_assets
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
@@ -267,8 +259,14 @@ jobs:
             let path = require('path');
 
             let files = [
-              'attestation-amd64.tar.gz',
-              'attestation-arm64.tar.gz',
+              'kubewarden-controller-attestation-amd64-provenance.intoto.jsonl',
+              'kubewarden-controller-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore',
+              'kubewarden-controller-attestation-arm64-provenance.intoto.jsonl',
+              'kubewarden-controller-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
+              'kubewarden-controller-attestation-amd64-sbom.json',
+              'kubewarden-controller-attestation-amd64-sbom.json.bundle.sigstore',
+              'kubewarden-controller-attestation-arm64-sbom.json',
+              'kubewarden-controller-attestation-arm64-sbom.json.bundle.sigstore',
               "CRDS.tar.gz"]
             const {RELEASE_ID} = process.env
 
