-
Notifications
You must be signed in to change notification settings - Fork 21
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Generate SLSA Provenance on Release using SLSA Go Releaser (#98)
* chore: configure slsa-provenance generation Signed-off-by: Joyce Brum <[email protected]> * chore: add SLSA Provenance to cross build Signed-off-by: Joyce Brum <[email protected]> * fix: .goreleaser.yml to ignore linux build Signed-off-by: Joyce Brum <[email protected]> * fix: trying to configure slsa-goreleaser at least to linux Signed-off-by: Joyce Brum <[email protected]> * feat: enable run on push Signed-off-by: Joyce Brum <[email protected]> * fix: use slsa git provenance generator 1.2.1 Signed-off-by: Joyce Brum <[email protected]> * fix: generate ldflags dynamically Signed-off-by: Joyce Brum <[email protected]> * feat: create darwin and windows slsa files Signed-off-by: Joyce Brum <[email protected]> * fix: windows build name on yml file Signed-off-by: Joyce Brum <[email protected]> * fix: restore run release on tag push only Signed-off-by: Joyce Brum <[email protected]> * fix: error on push releaser yml file Signed-off-by: Joyce Brum <[email protected]> * chore: update README file to mention the Provenance Signed-off-by: Joyce Brum <[email protected]> Signed-off-by: Joyce Brum <[email protected]> Signed-off-by: Joyce Brum <[email protected]>
- Loading branch information
Showing
6 changed files
with
189 additions
and
83 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| name: SLSA go releaser | ||
| on: | ||
| push: | ||
| tags: | ||
| # available only for tags like `v1.2.3` or `v1.2.3-rc1` | ||
| - "v[0-9]+.[0-9]+.[0-9]+" | ||
| - "v[0-9]+.[0-9]+.[0-9]+-*" | ||
|
|
||
| permissions: read-all | ||
|
|
||
| jobs: | ||
| # Generate ldflags dynamically. | ||
| # Optional: only needed for ldflags. | ||
| args: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| commit-date: ${{ steps.ldflags.outputs.commit-date }} | ||
| commit: ${{ steps.ldflags.outputs.commit }} | ||
| version: ${{ steps.ldflags.outputs.version }} | ||
| tree-state: ${{ steps.ldflags.outputs.tree-state }} | ||
| steps: | ||
| - id: checkout | ||
| uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 | ||
| with: | ||
| fetch-depth: 0 | ||
| - id: ldflags | ||
| run: | | ||
| echo "::set-output name=commit-date::$(git log --date=iso8601-strict -1 --pretty=%ct)" | ||
| echo "::set-output name=commit::$GITHUB_SHA" | ||
| echo "::set-output name=version::$(git describe --tags --always --dirty | cut -c2-)" | ||
| echo "::set-output name=tree-state::$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" | ||
| # Trusted builder. | ||
| build-linux-amd64: | ||
| permissions: | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To upload assets to release. | ||
| actions: read # To read the workflow path. | ||
| needs: args | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| config-file: .slsa-goreleaser-linux-amd64.yml | ||
| go-version: 1.18 | ||
| evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}" | ||
|
|
||
| build-darwin-amd64: | ||
| permissions: | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To upload assets to release. | ||
| actions: read # To read the workflow path. | ||
| needs: args | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| config-file: .slsa-goreleaser-darwin-amd64.yml | ||
| go-version: 1.18 | ||
| evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}" | ||
|
|
||
| build-windows-amd64: | ||
| permissions: | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To upload assets to release. | ||
| actions: read # To read the workflow path. | ||
| needs: args | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| config-file: .slsa-goreleaser-windows-amd64.yml | ||
| go-version: 1.18 | ||
| evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}" | ||
|
|
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| # Version for this file. | ||
| version: 1 | ||
|
|
||
| # (Optional) List of env variables used during compilation. | ||
| env: | ||
| - GO111MODULE=on | ||
| - CGO_ENABLED=0 | ||
|
|
||
| # (Optional) Flags for the compiler. | ||
| flags: | ||
| - -trimpath | ||
| - -tags=netgo | ||
|
|
||
| # The OS to compile for. `GOOS` env variable will be set to this value. | ||
| goos: darwin | ||
|
|
||
| # The architecture to compile for. `GOARCH` env variable will be set to this value. | ||
| goarch: amd64 | ||
|
|
||
| # (Optional) Entrypoint to compile. | ||
| main: ./cmd/kubectl-sigstore | ||
|
|
||
| # (Optional) Working directory. (default: root of the project) | ||
| # dir: ./relative/path/to/dir | ||
|
|
||
| # Binary output name. | ||
| # {{ .Os }} will be replaced by goos field in the config file. | ||
| # {{ .Arch }} will be replaced by goarch field in the config file. | ||
| binary: kubectl-sigstore-darwin-amd64 | ||
|
|
||
| # (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow. | ||
| ldflags: | ||
| - "-X main.Version={{ .Env.VERSION }}" | ||
| - "-X main.Commit={{ .Env.COMMIT }}" | ||
| - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" | ||
| - "-X main.TreeState={{ .Env.TREE_STATE }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| # Version for this file. | ||
| version: 1 | ||
|
|
||
| # (Optional) List of env variables used during compilation. | ||
| env: | ||
| - GO111MODULE=on | ||
| - CGO_ENABLED=0 | ||
|
|
||
| # (Optional) Flags for the compiler. | ||
| flags: | ||
| - -trimpath | ||
| - -tags=netgo | ||
|
|
||
| # The OS to compile for. `GOOS` env variable will be set to this value. | ||
| goos: linux | ||
|
|
||
| # The architecture to compile for. `GOARCH` env variable will be set to this value. | ||
| goarch: amd64 | ||
|
|
||
| # (Optional) Entrypoint to compile. | ||
| main: ./cmd/kubectl-sigstore | ||
|
|
||
| # (Optional) Working directory. (default: root of the project) | ||
| # dir: ./relative/path/to/dir | ||
|
|
||
| # Binary output name. | ||
| # {{ .Os }} will be replaced by goos field in the config file. | ||
| # {{ .Arch }} will be replaced by goarch field in the config file. | ||
| binary: kubectl-sigstore-linux-{{ .Arch }} | ||
|
|
||
| # (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow. | ||
| ldflags: | ||
| - "-X main.Version={{ .Env.VERSION }}" | ||
| - "-X main.Commit={{ .Env.COMMIT }}" | ||
| - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" | ||
| - "-X main.TreeState={{ .Env.TREE_STATE }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| # Version for this file. | ||
| version: 1 | ||
|
|
||
| # (Optional) List of env variables used during compilation. | ||
| env: | ||
| - GO111MODULE=on | ||
| - CGO_ENABLED=0 | ||
|
|
||
| # (Optional) Flags for the compiler. | ||
| flags: | ||
| - -trimpath | ||
| - -tags=netgo | ||
|
|
||
| # The OS to compile for. `GOOS` env variable will be set to this value. | ||
| goos: windows | ||
|
|
||
| # The architecture to compile for. `GOARCH` env variable will be set to this value. | ||
| goarch: amd64 | ||
|
|
||
| # (Optional) Entrypoint to compile. | ||
| main: ./cmd/kubectl-sigstore | ||
|
|
||
| # (Optional) Working directory. (default: root of the project) | ||
| # dir: ./relative/path/to/dir | ||
|
|
||
| # Binary output name. | ||
| # {{ .Os }} will be replaced by goos field in the config file. | ||
| # {{ .Arch }} will be replaced by goarch field in the config file. | ||
| binary: kubectl-sigstore-windows-amd64 | ||
|
|
||
| # (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow. | ||
| ldflags: | ||
| - -buildmode=exe | ||
| - "-X main.Version={{ .Env.VERSION }}" | ||
| - "-X main.Commit={{ .Env.COMMIT }}" | ||
| - "-X main.CommitDate={{ .Env.COMMIT_DATE }}" | ||
| - "-X main.TreeState={{ .Env.TREE_STATE }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters