Generate GH attestations in addition to SLSA

Change-Id: Iddcd4025811f895113e0324e8c860f379ad3ad97
jul-sh · May 6, 2024 · b37fac8 · b37fac8
1 parent 3acd7b5
commit b37fac8
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 0 deletions.
diff --git a/.github/workflows/provenance.yaml b/.github/workflows/provenance.yaml
@@ -46,6 +46,7 @@ jobs:
       contents: write
       # Allow the job to add a comment to the PR.
       pull-requests: write
+      attestations: write
     uses: ./.github/workflows/reusable_provenance.yaml
     with:
       build-config-path: ${{ matrix.buildconfig }}

diff --git a/.github/workflows/reusable_full_provenance.yaml b/.github/workflows/reusable_full_provenance.yaml
@@ -15,6 +15,7 @@ on:
 jobs:
   get_inputs:
     outputs:
+      artifact-path: ${{ steps.parse-build-config.outputs.artifact-path }}
       builder-digest: ${{ steps.builder-digest.outputs.builder-digest }}
 
     runs-on: ubuntu-20.04
@@ -23,6 +24,18 @@ jobs:
       - name: Mount main branch
         uses: actions/checkout@v3
 
+      - name: Parse build config
+        id: parse-build-config
+        run: |
+          set -o errexit
+          set -o nounset
+          set -o xtrace
+          set -o pipefail
+          artifact_path="$(tail -1 ${{ inputs.build-config-path }} | grep -oP 'artifact_path = \K(.*)')"
+          package_name="$(basename ${{ inputs.build-config-path }} .toml)"
+          echo "artifact-path=${artifact_path}" >> $GITHUB_OUTPUT
+          echo "package-name=${package_name}" >> $GITHUB_OUTPUT
+
       - name: Get builder image info
         id: builder-digest
         run: |
@@ -55,3 +68,16 @@ jobs:
       config-path: ${{ inputs.build-config-path }}
       provenance-name: attestation.intoto
       compile-builder: true
+
+  gh_provenance:
+    needs: [get_inputs, generate_provenance]
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: read
+      attestations: write
+    steps:
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: ${{ inputs.artifact-path }}
+          push-to-registry: true
diff --git a/.github/workflows/reusable_provenance.yaml b/.github/workflows/reusable_provenance.yaml
@@ -76,6 +76,7 @@ jobs:
     permissions:
       actions: read
       id-token: write
+      attestations: write
       contents: write # For uploading provenances.
     # We are a pre-release of the slsa-github-generator. This is because the
     # current release does not include fix for the action deadlocking.
@@ -89,6 +90,19 @@ jobs:
       provenance-name: attestation.intoto
       compile-builder: true
 
+  gh_provenance:
+    needs: [get_inputs, generate_provenance]
+    runs-on: ubuntu-20.04
+    permissions:
+      actions: read
+      attestations: write
+    steps:
+      - name: Attest Build Provenance
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: ${{ inputs.artifact-path }}
+          push-to-registry: true
+
   # This job uploads the signed provenance from the previous step to Ent, and
   # publishes a comment for each binary on the PR.
   upload_provenance: