forked from ossf/scorecard
-
Notifications
You must be signed in to change notification settings - Fork 0
69 lines (61 loc) · 2.05 KB
/
slsa-goreleaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
name: SLSA releaser
on:
workflow_dispatch:
# push:
# tags:
# - "*"
permissions: read-all
env:
GO_VERSION: 1.21
jobs:
# Generate ldflags dynamically.
args:
runs-on: ubuntu-latest
outputs:
ldflags: ${{ steps.ldflags.outputs.value }}
go-binary-name: ${{ steps.build.outputs.go-binary-name }}
steps:
- id: checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v2.3.4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "value=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT"
# Trusted builder.
build:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] #7f4fdb871876c23e455853d694197440c5a91506
with:
go-version: ${{ env.GO_VERSION }}
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
verification:
needs:
- build
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/[email protected]
- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}
- name: Verify assets
env:
ARTIFACT: ${{ needs.build.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
"$ARTIFACT"