forked from ossf/scorecard
-
Notifications
You must be signed in to change notification settings - Fork 0
66 lines (59 loc) · 2.01 KB
/
slsa-goreleaser.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
name: SLSA releaser
on:
workflow_dispatch:
# push:
# tags:
# - "*"
permissions: read-all
jobs:
# Generate ldflags dynamically.
args:
runs-on: ubuntu-latest
outputs:
ldflags: ${{ steps.ldflags.outputs.value }}
go-binary-name: ${{ steps.build.outputs.go-binary-name }}
steps:
- id: checkout
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v2.3.4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "value=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT"
# Trusted builder.
build:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] #7f4fdb871876c23e455853d694197440c5a91506
with:
go-version: 1.19
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
verification:
needs:
- build
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/[email protected]
- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
- name: Download the artifact
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ needs.build.outputs.go-binary-name }}
- name: Verify assets
env:
ARTIFACT: ${{ needs.build.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
"$ARTIFACT"