From 9ad46e4979df60743e5297270b26dba1e979f67f Mon Sep 17 00:00:00 2001
From: Joyce
Date: Mon, 14 Nov 2022 21:25:03 -0300
Subject: [PATCH] Generate SLSA Provenance on Release using SLSA Go Releaser (#98)
* chore: configure slsa-provenance generation
Signed-off-by: Joyce Brum
* chore: add SLSA Provenance to cross build
Signed-off-by: Joyce Brum
* fix: .goreleaser.yml to ignore linux build
Signed-off-by: Joyce Brum
* fix: trying to configure slsa-goreleaser at least to linux
Signed-off-by: Joyce Brum
* feat: enable run on push
Signed-off-by: Joyce Brum
* fix: use slsa git provenance generator 1.2.1
Signed-off-by: Joyce Brum
* fix: generate ldflags dynamically
Signed-off-by: Joyce Brum
* feat: create darwin and windows slsa files
Signed-off-by: Joyce Brum
* fix: windows build name on yml file
Signed-off-by: Joyce Brum
* fix: restore run release on tag push only
Signed-off-by: Joyce Brum
* fix: error on push releaser yml file
Signed-off-by: Joyce Brum
* chore: update README file to mention the Provenance
Signed-off-by: Joyce Brum
Signed-off-by: Joyce Brum
Signed-off-by: Joyce Brum
---
 .github/workflows/slsa-goreleaser.yml | 69 ++++++++++++++++++++++
 .goreleaser.yml | 83 --------------------------
 .slsa-goreleaser-darwin-amd64.yml | 36 ++++++++++++
 .slsa-goreleaser-linux-amd64.yml | 36 ++++++++++++
 .slsa-goreleaser-windows-amd64.yml | 37 ++++++++++++
 README.md | 11 ++++
 6 files changed, 189 insertions(+), 83 deletions(-)
 create mode 100644 .github/workflows/slsa-goreleaser.yml
 delete mode 100644 .goreleaser.yml
 create mode 100644 .slsa-goreleaser-darwin-amd64.yml
 create mode 100644 .slsa-goreleaser-linux-amd64.yml
 create mode 100644 .slsa-goreleaser-windows-amd64.yml
diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
new file mode 100644
index 0000000..65efeaa
--- /dev/null
+++ b/.github/workflows/slsa-goreleaser.yml
@@ -0,0 +1,69 @@
+name: SLSA go releaser
+on:
+ push:
+ tags:
+ # available only for tags like `v1.2.3` or `v1.2.3-rc1`
+ - "v[0-9]+.[0-9]+.[0-9]+"
+ - "v[0-9]+.[0-9]+.[0-9]+-*"
+
+permissions: read-all
+
+jobs:
+ # Generate ldflags dynamically.
+ # Optional: only needed for ldflags.
+ args:
+ runs-on: ubuntu-latest
+ outputs:
+ commit-date: ${{ steps.ldflags.outputs.commit-date }}
+ commit: ${{ steps.ldflags.outputs.commit }}
+ version: ${{ steps.ldflags.outputs.version }}
+ tree-state: ${{ steps.ldflags.outputs.tree-state }}
+ steps:
+ - id: checkout
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4
+ with:
+ fetch-depth: 0
+ - id: ldflags
+ run: |
+ echo "::set-output name=commit-date::$(git log --date=iso8601-strict -1 --pretty=%ct)"
+ echo "::set-output name=commit::$GITHUB_SHA"
+ echo "::set-output name=version::$(git describe --tags --always --dirty | cut -c2-)"
+ echo "::set-output name=tree-state::$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)"
+
+ # Trusted builder.
+ build-linux-amd64:
+ permissions:
+ id-token: write # To sign the provenance.
+ contents: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ needs: args
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+ with:
+ config-file: .slsa-goreleaser-linux-amd64.yml
+ go-version: 1.18
+ evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
+
+ build-darwin-amd64:
+ permissions:
+ id-token: write # To sign the provenance.
+ contents: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ needs: args
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+ with:
+ config-file: .slsa-goreleaser-darwin-amd64.yml
+ go-version: 1.18
+ evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
+
+ build-windows-amd64:
+ permissions:
+ id-token: write # To sign the provenance.
+ contents: write # To upload assets to release.
+ actions: read # To read the workflow path.
+ needs: args
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+ with:
+ config-file: .slsa-goreleaser-windows-amd64.yml
+ go-version: 1.18
+ evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
+
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
deleted file mode 100644
index c3807a6..0000000
--- a/.goreleaser.yml
+++ /dev/null
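Review bot: The `ldflags` step of the `args` job publishes its four outputs with `::set-output`, which GitHub deprecated in October 2022 in favour of appending `name=value` lines to the file named by `$GITHUB_OUTPUT`; runners warn on the old command and it is scheduled to stop working, at which point every build job would receive empty `COMMIT_DATE`/`COMMIT`/`VERSION`/`TREE_STATE` values and the provenance would still be signed over binaries with blank version metadata. The step should be rewritten as below, with the job `outputs:` mapping left as it is. In the same file, `go-version: 1.18` in all three build jobs is a bare YAML float; it happens to round-trip for this value, but a later `1.20` would silently become `1.2`, so quote it as `go-version: "1.18"`.
```yaml
      # … unchanged: checkout step …
      - id: ldflags
        run: |
          echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
          echo "commit=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
          echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
          echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> "$GITHUB_OUTPUT"
  # … unchanged: build-linux-amd64, build-darwin-amd64, build-windows-amd64 jobs …
```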
@@ -1,83 +0,0 @@ -project_name: k8s-manifest-sigstore - -env: - - GO111MODULE=on - - CGO_ENABLED=0 - -# Prevents parallel builds from stepping on eachothers toes downloading modules -before: - hooks: - - go mod tidy - -builds: -- id: linux - binary: kubectl-sigstore-linux-{{ .Arch }} - no_unique_dist_dir: true - main: ./cmd/kubectl-sigstore - goos: - - linux - goarch: - - amd64 - ldflags: - - "{{ .Env.LDFLAGS }}" - -- id: darwin-amd64 - binary: kubectl-sigstore-darwin-amd64 - no_unique_dist_dir: true - main: ./cmd/kubectl-sigstore - goos: - - darwin - goarch: - - amd64 - ldflags: - - "{{ .Env.LDFLAGS }}" - -- id: darwin-arm64 - binary: kubectl-sigstore-darwin-arm64 - no_unique_dist_dir: true - main: ./cmd/kubectl-sigstore - goos: - - darwin - goarch: - - arm64 - ldflags: - - "{{.Env.LDFLAGS}}" - -- id: windows-amd64 - binary: kubectl-sigstore-windows-amd64 - no_unique_dist_dir: true - main: ./cmd/kubectl-sigstore - goos: - - windows - goarch: - - amd64 - ldflags: - - -buildmode=exe - - "{{ .Env.LDFLAGS }}" - -archives: -- format: binary - name_template: "{{ .Binary }}" - allow_different_binary_count: true - -checksum: - name_template: "{{ .ProjectName }}_checksums.txt" - -snapshot: - name_template: SNAPSHOT-{{.ShortCommit}} - -release: - # auto means that it sets prerelease by checking tag - # e.g) v0.1.0-rc1 --> prerelease, v0.1.0 --> normal - prerelease: auto - draft: true # If true, create a release draft - - # `github` defines a repo in which the release (or draft) will be created. - # Default is extracted from the origin remote URL or empty if its private hosted. - # github: - # owner: sigstore - # name: k8s-manifest-sigstore - - footer: | - ### Thanks for all contributors! - diff --git a/.slsa-goreleaser-darwin-amd64.yml b/.slsa-goreleaser-darwin-amd64.yml new file mode 100644 index 0000000..9eebeb9 --- /dev/null +++ b/.slsa-goreleaser-darwin-amd64.yml 
@@ -0,0 +1,36 @@
+# Version for this file.
+version: 1
+
+# (Optional) List of env variables used during compilation.
+env:
+ - GO111MODULE=on
+ - CGO_ENABLED=0
+
+# (Optional) Flags for the compiler.
+flags:
+ - -trimpath
+ - -tags=netgo
+
+# The OS to compile for. `GOOS` env variable will be set to this value.
+goos: darwin
+
+# The architecture to compile for. `GOARCH` env variable will be set to this value.
+goarch: amd64
+
+# (Optional) Entrypoint to compile.
+main: ./cmd/kubectl-sigstore
+
+# (Optional) Working directory. (default: root of the project)
+# dir: ./relative/path/to/dir
+
+# Binary output name.
+# {{ .Os }} will be replaced by goos field in the config file.
+# {{ .Arch }} will be replaced by goarch field in the config file.
+binary: kubectl-sigstore-darwin-amd64
+
+# (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow.
+ldflags:
+ - "-X main.Version={{ .Env.VERSION }}"
+ - "-X main.Commit={{ .Env.COMMIT }}"
+ - "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
+ - "-X main.TreeState={{ .Env.TREE_STATE }}"
\ No newline at end of file
diff --git a/.slsa-goreleaser-linux-amd64.yml b/.slsa-goreleaser-linux-amd64.yml
new file mode 100644
index 0000000..3a8051c
--- /dev/null
+++ b/.slsa-goreleaser-linux-amd64.yml
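Review bot: The `-X main.Version=…`, `main.Commit`, `main.CommitDate` and `main.TreeState` entries under `ldflags` only take effect if `./cmd/kubectl-sigstore` declares package-level string variables with exactly those names; the Go linker silently ignores `-X` for a symbol that does not exist, so a name mismatch would produce release binaries with empty version metadata while the build, the release upload and the provenance signing all succeed. The deleted `.goreleaser.yml` took its linker flags from an externally computed `LDFLAGS` value, so the correct variable names cannot be confirmed from this diff; please check them against the main package (or wherever `LDFLAGS` used to be assembled) and, if the variables live in another package, use its full import path as the `-X` target. The same `ldflags` block is repeated in `.slsa-goreleaser-linux-amd64.yml` and `.slsa-goreleaser-windows-amd64.yml`, so any correction applies to all three files.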
@@ -0,0 +1,36 @@
+# Version for this file.
+version: 1
+
+# (Optional) List of env variables used during compilation.
+env:
+ - GO111MODULE=on
+ - CGO_ENABLED=0
+
+# (Optional) Flags for the compiler.
+flags:
+ - -trimpath
+ - -tags=netgo
+
+# The OS to compile for. `GOOS` env variable will be set to this value.
+goos: linux
+
+# The architecture to compile for. `GOARCH` env variable will be set to this value.
+goarch: amd64
+
+# (Optional) Entrypoint to compile.
+main: ./cmd/kubectl-sigstore
+
+# (Optional) Working directory. (default: root of the project)
+# dir: ./relative/path/to/dir
+
+# Binary output name.
+# {{ .Os }} will be replaced by goos field in the config file.
+# {{ .Arch }} will be replaced by goarch field in the config file.
+binary: kubectl-sigstore-linux-{{ .Arch }}
+
+# (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow.
+ldflags:
+ - "-X main.Version={{ .Env.VERSION }}"
+ - "-X main.Commit={{ .Env.COMMIT }}"
+ - "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
+ - "-X main.TreeState={{ .Env.TREE_STATE }}"
\ No newline at end of file
diff --git a/.slsa-goreleaser-windows-amd64.yml b/.slsa-goreleaser-windows-amd64.yml
new file mode 100644
index 0000000..dbca8ea
--- /dev/null
+++ b/.slsa-goreleaser-windows-amd64.yml
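Review bot: `binary: kubectl-sigstore-linux-{{ .Arch }}` is the only one of the three new config files that uses the `{{ .Arch }}` template; the darwin and windows files spell the architecture out literally. Since this file already hard-codes `goarch: amd64`, the template adds nothing and makes the three files harder to diff against each other; `binary: kubectl-sigstore-linux-amd64` yields the same output name (the deleted `.goreleaser.yml` used the same `{{ .Arch }}` form for linux, so the published filename is unchanged either way). If templating is preferred, apply it uniformly as `kubectl-sigstore-{{ .Os }}-{{ .Arch }}` in all three files, which the comment above `binary:` documents as supported.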
@@ -0,0 +1,37 @@
+# Version for this file.
+version: 1
+
+# (Optional) List of env variables used during compilation.
+env:
+ - GO111MODULE=on
+ - CGO_ENABLED=0
+
+# (Optional) Flags for the compiler.
+flags:
+ - -trimpath
+ - -tags=netgo
+
+# The OS to compile for. `GOOS` env variable will be set to this value.
+goos: windows
+
+# The architecture to compile for. `GOARCH` env variable will be set to this value.
+goarch: amd64
+
+# (Optional) Entrypoint to compile.
+main: ./cmd/kubectl-sigstore
+
+# (Optional) Working directory. (default: root of the project)
+# dir: ./relative/path/to/dir
+
+# Binary output name.
+# {{ .Os }} will be replaced by goos field in the config file.
+# {{ .Arch }} will be replaced by goarch field in the config file.
+binary: kubectl-sigstore-windows-amd64
+
+# (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow.
+ldflags:
+ - -buildmode=exe
+ - "-X main.Version={{ .Env.VERSION }}"
+ - "-X main.Commit={{ .Env.COMMIT }}"
+ - "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
+ - "-X main.TreeState={{ .Env.TREE_STATE }}"
\ No newline at end of file
diff --git a/README.md b/README.md
index 193a5db..8fa6c77 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,10 @@ # k8s-manifest-sigstore +=============== + +[![SLSA](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/) + + kubectl plugin for signing Kubernetes manifest YAML files with sigstore > :warning: Still under developement, not ready for production use yet!
@@ -130,6 +135,12 @@ Flags: -o, --output string output format string, either "json" or "yaml" (if empty, a result is shown as a table) ``` +### SLSA Provenance +This project generates a SLSA provenance on its release! This enables you to verify the integrity +of the downloaded artifacts and ensure that the binary's code really comes from this source code. + +To do so, please follow the instructions [here](https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance). + ## Security Should you discover any security issues, please refer to sigstore'ss [security