feature: enable verification for provenance (#2765)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>
2024-09-11 08:55:27 +03:00 · 2023-04-29 00:23:42 +03:00 · 2023-04-29 00:23:42 +03:00 · 195767d90b
commit 195767d90b
parent 3ccc659a22
2 changed files with 65 additions and 2 deletions
--- a/.github/workflows/goreleaser.yaml
+++ b/.github/workflows/goreleaser.yaml
@ -76,3 +76,35 @@ jobs:
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: true # upload to a new release
+
+  verification:
+    needs: [goreleaser, provenance]
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.1.0
+
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
+      - name: Verify assets
+        env:
+          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Verifying $fn"
+              slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+                                            --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                            --source-tag "$GITHUB_REF_NAME" \
+                                            "$fn"
+          done <<<"$checksums"
--- a/.github/workflows/slsa-goreleaser.yml
+++ b/.github/workflows/slsa-goreleaser.yml
@ -13,6 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    outputs:
      ldflags: ${{ steps.ldflags.outputs.value }}
+      go-binary-name: ${{ steps.build.outputs.go-binary-name }}
    steps:
      - id: checkout
        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v2.3.4
@ -21,7 +22,6 @@ jobs:
      - id: ldflags
        run: |
          echo "value=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT"
-
  # Trusted builder.
  build:
    permissions:
@ -29,7 +29,38 @@ jobs:
      contents: write
      actions: read
    needs: args
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 # v1.2.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0 #7f4fdb871876c23e455853d694197440c5a91506
    with:
      go-version: 1.19
      evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
+
+  verification:
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.1.0
+
+      - name: Download the artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
+
+      - name: Download the artifact
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}
+
+      - name: Verify assets
+        env:
+          ARTIFACT: ${{ needs.build.outputs.go-binary-name }}
+          ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
+        run: |
+          set -euo pipefail
+
+          echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
+          slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
+                                        --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                        "$ARTIFACT"