diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 888ce827..08bcf1a2 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -70,6 +70,10 @@ jobs: container_repos: ${{ steps.container_info.outputs.container_repos }} runs-on: ubuntu-20.04 + permissions: + packages: write + id-token: write + contents: write steps: - name: Set up Go @@ -124,6 +128,7 @@ jobs: LDFLAGS: ${{ steps.release-vars.outputs.LDFLAGS }} GIT_HASH: ${{ steps.release-vars.outputs.GIT_HASH }} COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_EXPERIMENTAL: 1 - name: Get container info id: container_info @@ -149,6 +154,10 @@ jobs: needs: [release] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-20.04 + permissions: + packages: write + id-token: write + contents: write env: TAGS: "${{ needs.release.outputs.container_tags }}" @@ -172,16 +181,14 @@ jobs: - name: Attach SBOM env: - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_EXPERIMENTAL: 1 run: | - echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub - echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key IFS=, for t in ${TAGS}; do - cosign verify --key cosign.pub ${{ matrix.repo }}:${t} + cosign verify ${{ matrix.repo }}:${t} syft ${{ matrix.repo }}:${t} -o spdx-json > sbom-spdx.json - cosign attest --predicate sbom-spdx.json --type spdx --key cosign.key ${{ matrix.repo }}:${t} - cosign verify-attestation -o verified-sbom-spdx.json --key cosign.pub ${{ matrix.repo }}:${t} + cosign attest --predicate sbom-spdx.json --type spdx ${{ matrix.repo }}:${t} + cosign verify-attestation -o verified-sbom-spdx.json ${{ matrix.repo }}:${t} done - name: Clean up & Logout from Container registries 
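Review bot: The `permissions:` block added to the sbom job (the `@@ -149` hunk) grants `contents: write`, but none of that job's visible steps touch the GitHub release or repository — they only verify, syft, and attest against the container registry — so `packages: write` plus `id-token: write` appears to be all it needs. The same over-grant is repeated verbatim on the provenance and container-provenance jobs; only the job that uploads release assets via the API (provenance, visible in the next hunk) actually needs `contents: write`. Trim each job to `permissions: { packages: write, id-token: write }` unless a step outside this hunk writes to the repo; a write-capable `GITHUB_TOKEN` in a job that runs third-party tooling (syft) is an unnecessary blast radius. The job bodies start and end outside the hunk, so confirm against the full job definitions.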
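Review bot: The keyless `cosign verify ${{ matrix.repo }}:${t}` in the Attach SBOM step (and the `cosign verify-attestation` after it) no longer constrains who signed: with `COSIGN_EXPERIMENTAL=1` and no identity or issuer flags, any Fulcio-issued certificate logged in Rekor satisfies it, whereas the old `--key cosign.pub` bound verification to one signer. Pin the expected signer with the identity/issuer constraints your cosign version supports (in current releases `--certificate-oidc-issuer https://token.actions.githubusercontent.com` together with `--certificate-identity-regexp` matching this repository's workflow; 1.x spells these differently), on both the verify and the verify-attestation call. Separately, the loop verifies and attests by mutable tag `:${t}` while the container-provenance hunk in this same diff already works on `@${{ needs.release.outputs.container_digest }}`; use the digest here too so the image that passed verification is the one that gets the SBOM attached and the one syft scanned.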
@@ -189,13 +196,16 @@ jobs: run: | docker logout docker logout ghcr.io - rm -f cosign.key provenance: name: provenance needs: [release] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-20.04 + permissions: + packages: write + id-token: write + contents: write steps: - name: Generate provenance for Release @@ -214,8 +224,7 @@ jobs: - name: Sign provenance run: | - echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key - cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att + cosign sign-blob --output-signature "${SIGNATURE}" provenance.att cat "${SIGNATURE}" curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") @@ -229,7 +238,7 @@ jobs: "https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" - COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} + COSIGN_EXPERIMENTAL: 1 SIGNATURE: provenance.att.sig container-provenance: @@ -237,6 +246,10 @@ jobs: needs: [release] if: startsWith(github.ref, 'refs/tags/') runs-on: ubuntu-20.04 + permissions: + packages: write + id-token: write + contents: write strategy: matrix: 
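Review bot: The keyless `cosign sign-blob --output-signature "${SIGNATURE}" provenance.att` in the Sign provenance step keeps only the signature, but in keyless mode the signing certificate is short-lived and not otherwise published, so a consumer of the release asset has a `.sig` and nothing to verify it against except a Rekor search; the goreleaser `signs` entries in this same diff keep `--output-certificate=${certificate}` for exactly this reason. Add `--output-certificate "${CERTIFICATE}"` (e.g. `CERTIFICATE: provenance.att.pem` next to `SIGNATURE` in the step `env:`) and upload the certificate as a second release asset alongside the signature so `cosign verify-blob --certificate ... --signature ...` works offline-ish. The upload loop and the rest of the step run past the end of this hunk, so the second upload call is not visible here.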
@@ -269,19 +282,16 @@ jobs: - name: Attach provenance to image run: | - echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key - cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} + cosign attest --predicate provenance-predicate.att --type slsaprovenance ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} env: COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} - name: Verify attestation run: | - echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub - cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} + cosign verify-attestation ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} - name: Logout from Container registries if: ${{ always() }} run: | docker logout docker logout ghcr.io - rm -f cosign.key diff --git a/.goreleaser.draft.yml b/.goreleaser.draft.yml index 5b6d4a53..ebcb3efe 100644 --- a/.goreleaser.draft.yml +++ b/.goreleaser.draft.yml @@ -6,6 +6,7 @@ before: env: - CGO_ENABLED=0 + - COSIGN_EXPERIMENTAL=1 builds: - id: binary @@ -82,8 +83,6 @@ signs: artifacts: checksum args: - sign-blob - - --key - - cosign.key - '--output-certificate=${certificate}' - '--output-signature=${signature}' - '${artifact}' @@ -94,8 +93,6 @@ signs: artifacts: binary args: - sign-blob - - --key - - cosign.key - '--output-certificate=${certificate}' - '--output-signature=${signature}' - '${artifact}' @@ -106,8 +103,6 @@ signs: artifacts: archive args: - sign-blob - - --key - - cosign.key - '--output-certificate=${certificate}' - '--output-signature=${signature}' - '${artifact}' @@ -118,8 +113,6 @@ signs: artifacts: sbom args: - sign-blob - - --key - - cosign.key - '--output-certificate=${certificate}' - '--output-signature=${signature}' - '${artifact}' @@ -130,8 +123,6 @@ docker_signs: output: true args: - 'sign' - - --key - - cosign.key - '${artifact}' snapshot: 
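Review bot: The container-provenance "Attach provenance to image" step still sets `COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}` even though the `--key cosign.key` it unlocked is removed in this hunk, and the release job's step env in the `@@ -124` hunk keeps the same secret next to the new `COSIGN_EXPERIMENTAL: 1`. Drop the now-dead `env:` block here and the `COSIGN_PASSWORD` line there, then delete the `COSIGN_PASSWORD`, `COSIGN_PRIVATE_KEY` and `COSIGN_PUBLIC_KEY` repository secrets once nothing references them — a secret that is still injected into step environments is still exposed to every tool those steps run for no benefit. The `cosign verify-attestation` in the following Verify attestation step has the same unconstrained-identity issue as the sbom job's verify calls and should carry the same issuer/identity flags.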
@@ -150,7 +141,5 @@ changelog: release: draft: true prerelease: auto - extra_files: - - glob: "./cosign.pub" footer: | **Full Changelog**: https://github.com/philips-labs/slsa-provenance-action/compare/{{ .PreviousTag }}...{{ .Tag }} diff --git a/.goreleaser.yml b/.goreleaser.yml index 69795cbe..0a968bbb 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -130,8 +130,6 @@ docker_signs: output: true args: - 'sign' - - --key - - cosign.key - '${artifact}' snapshot:
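Review bot: The `.goreleaser.yml` `docker_signs` hunk drops `--key cosign.key` but, unlike `.goreleaser.draft.yml` in this same diff, does not add `COSIGN_EXPERIMENTAL=1` to the file's `env:`; keyless `cosign sign` therefore works only because the CI release job happens to export `COSIGN_EXPERIMENTAL: 1` at step level, and a local `goreleaser release` or a reordered step would either fail or fall back to prompting for a key. Add `- COSIGN_EXPERIMENTAL=1` to the top-level `env:` list of `.goreleaser.yml` for parity with the draft config, assuming it has the same `env:` section (that part of the file is outside the hunk). Note also that keyless signing publishes the signing identity and image reference to the public Rekor log; that is fine for this public repository but is worth a one-line comment above `docker_signs:` so nobody copies the config into a private project unaware of it.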