✨ SLSA provenance/build (#1702)
* SLSA build * missing files * updates * updates * updates * indent fix * update * update * updates * updates * updates * updates
This commit is contained in:
parent
2c34a46503
commit
3b7c46f779
35
.github/workflows/slsa-goreleaser.yml
vendored
Normal file
35
.github/workflows/slsa-goreleaser.yml
vendored
Normal file
@ -0,0 +1,35 @@
|
||||
name: SLSA releaser
|
||||
on:
|
||||
workflow_dispatch:
|
||||
push:
|
||||
tags:
|
||||
- "*"
|
||||
|
||||
permissions: read-all
|
||||
|
||||
jobs:
|
||||
# Generate ldflags dynamically.
|
||||
args:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
ldflags: ${{ steps.ldflags.outputs.value }}
|
||||
steps:
|
||||
- id: checkout
|
||||
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
|
||||
with:
|
||||
fetch-depth: 0
|
||||
- id: ldflags
|
||||
run: |
|
||||
echo "::set-output name=value::$(./scripts/version-ldflags)"
|
||||
|
||||
# Trusted builder.
|
||||
build:
|
||||
permissions:
|
||||
id-token: write
|
||||
contents: write
|
||||
actions: read
|
||||
needs: args
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
|
||||
with:
|
||||
go-version: 1.17
|
||||
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
|
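Review bot: `go-version: 1.17` in the build job's `with:` block is a plain scalar that YAML reads as a float; it happens to survive as 1.17, but a later bump to 1.20 would silently arrive as 1.2, so quote it: `go-version: "1.17"`. The checkout pin in the args job carries the comment `# v2.3.4`, yet SHA ec3a7ce113134d7a93b817d10a8272cb61118579 looks like the v2.4.0 release rather than v2.3.4 — worth confirming, since reviewers and pin-update tooling rely on that comment matching the hash. The top-level `permissions: read-all` also applies to the args job, which only checks out the tree and runs ./scripts/version-ldflags; a top-level `permissions:` block granting only `contents: read` would be the narrower default, with the build job keeping its explicit id-token/contents/actions grants. The `on:` key is a YAML 1.1 boolean for generic parsers, so a yamllint `truthy` exception is needed if the repo lints workflows.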
@ -29,7 +29,6 @@ builds:
|
||||
goos:
|
||||
- linux
|
||||
goarch:
|
||||
- amd64
|
||||
- arm64
|
||||
- 386
|
||||
- arm
|
||||
|
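--- /dev/null
+++ b/.slsa-goreleaser.yml
@@ -0,0 +1,15 @@
+version: 1
+env:
+- GO111MODULE=on
+# https://stackoverflow.com/a/62821358/19407
+- CGO_ENABLED=0
+
+flags:
+- -trimpath
+- -tags=netgo
+
+goos: linux
+goarch: amd64
+binary: scorecard-{{ .Os }}-{{ .Arch }}
+ldflags:
+- -s {{ .Env.VERSION_LDFLAGS }}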
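Review bot: The new .slsa-goreleaser.yml has no comment saying who consumes it or where `VERSION_LDFLAGS` comes from, so a reader cannot tell that `{{ .Env.VERSION_LDFLAGS }}` is only populated through the workflow's `evaluated-envs` input. A header comment such as `# Build config for the slsa-framework/slsa-github-generator Go builder; VERSION_LDFLAGS is injected by .github/workflows/slsa-goreleaser.yml via evaluated-envs.` would cover that. The bare StackOverflow link above `CGO_ENABLED=0` should say what it justifies, e.g. `# CGO_ENABLED=0: build without cgo so the binary does not depend on the host libc (see https://stackoverflow.com/a/62821358/19407)`. Because the config fixes `goos: linux` / `goarch: amd64`, only that one artifact receives provenance, which matches the README text in this commit but is worth stating in the file itself.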
19
README.md
19
README.md
@ -148,9 +148,22 @@ To install Scorecards as a standalone:
|
||||
|
||||
1. Visit our latest
|
||||
[release page](https://github.com/ossf/scorecard/releases/latest) and
|
||||
download the correct binary for your operating system
|
||||
2. Extract the binary file
|
||||
3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
|
||||
download the correct binary for your operating system
|
||||
1. Extract the binary file
|
||||
1. We are excited to be an early adopter of one of the the OSSF [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
|
||||
to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file
|
||||
scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary):
|
||||
```
|
||||
$ ./slsa-verifier-linux-amd64 \
|
||||
--artifact-path scorecard-linux-amd64 \
|
||||
--provenance scorecard-linux-amd64.intoto.jsonl \
|
||||
--source github.com/ossf/scorecard
|
||||
--tag vX.Y.Z
|
||||
```
|
||||
When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository.
|
||||
If you're interested in reading more about SLSA, visit the official [slsa.dev](slsa.dev).
|
||||
|
||||
1. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
|
||||
identify your directory if necessary)
|
||||
|
||||
##### Using Homebrew
|
||||
|