From 70900c2ed7b02b523760803e9f104110ce157fa2 Mon Sep 17 00:00:00 2001
From: Nicholas Felt
Date: Tue, 21 May 2024 08:34:38 -0700
Subject: [PATCH] Sign all published files (#221)
* ci: Add attestation to SBOM
* docs: Update the readme with instructions on verifying the signatures of the binary files
* ci: Restrict the attestations to only be created when running within the main repo
* ci: Update logic to detect forks
---
 .github/workflows/package-build.yml | 2 +-
 .github/workflows/sbom-scan.yml | 6 ++++++
 CHANGELOG.md | 2 ++
 README.md | 12 ++++++++++++
 4 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/package-build.yml b/.github/workflows/package-build.yml
index 71dbdd4c..315d752c 100644
--- a/.github/workflows/package-build.yml
+++ b/.github/workflows/package-build.yml
@@ -30,7 +30,7 @@ jobs:
 - uses: hynek/build-and-inspect-python-package@v2.5.0
 id: build-pkg
 with:
- attest-build-provenance-github: 'true'
+ attest-build-provenance-github: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
 - name: Set up Python
 uses: actions/setup-python@v5
 with:
diff --git a/.github/workflows/sbom-scan.yml b/.github/workflows/sbom-scan.yml
index d97214be..1f14734f 100644
--- a/.github/workflows/sbom-scan.yml
+++ b/.github/workflows/sbom-scan.yml
@@ -14,6 +14,8 @@ jobs:
 permissions:
 security-events: write
 contents: write
+ id-token: write
+ attestations: write
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-python@v5
@@ -28,6 +30,10 @@ jobs:
 with:
 format: spdx-json
 output-file: ${{ github.event.repository.name }}-sbom.spdx.json
+ - uses: actions/attest-build-provenance@v1
+ if: ${{ !(github.event.pull_request.head.repo.fork || github.event.workflow_call.pull_request.head.repo.fork) && github.actor != 'dependabot[bot]' }}
+ with:
+ subject-path: ${{ github.event.repository.name }}-sbom.spdx.json
 - name: Scan SBOM
 uses: anchore/scan-action@v3
 id: scan
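Review bot: The new expression on the `attest-build-provenance-github` line includes `github.event.workflow_call.pull_request.head.repo.fork`, which I cannot find in the documented event payloads; when a workflow is reached through `workflow_call`, `github.event` is the caller's own event payload, so this term likely evaluates to null and the `||` branch is dead (worth confirming with a PR opened from a fork against the calling workflow). If the aim is to cover PRs that arrive via a caller, `github.event.pull_request.head.repo.fork` already does so, and the input reduces to `attest-build-provenance-github: ${{ !github.event.pull_request.head.repo.fork && github.actor != 'dependabot[bot]' }}`. The identical expression appears in the second hunk of `.github/workflows/sbom-scan.yml`; since the two files cannot share a value directly, a `# keep in sync with sbom-scan.yml` comment here (and its mirror there) is the minimum to stop them drifting apart. Unlike the removed quoted `'true'`, the expression yields a boolean, which GitHub should stringify to `true`/`false` before the action reads the input, so the input type is unchanged in practice. The step this input belongs to is shown in full, but the enclosing job and `jobs:` block begin above the hunk.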
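Review bot: `id-token: write` and `attestations: write` are added at job level, so every step in the job — `actions/checkout@v4`, `actions/setup-python@v5`, the SBOM generation step (its `uses:` line is outside this hunk) and `anchore/scan-action@v3` — runs with the ability to request an OIDC token and publish attestations under this repository's identity, not only the attestation step that needs them. All of those are referenced by mutable tags, so a compromised or hijacked release of any one of them could produce attestations that appear to come from this workflow; the smaller blast radius is a separate job that downloads the SBOM artifact and holds only `id-token: write`, `attestations: write` and `contents: read`. If the single-job layout is kept, make the trade-off visible at the permissions block with `# id-token/attestations: needed by actions/attest-build-provenance below; note they apply to every step in this job`. The job these permissions belong to starts above the hunk.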
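Review bot: The new `actions/attest-build-provenance@v1` step is pinned by a mutable major tag, yet it is the step that receives the OIDC identity and signs the SBOM; a full commit SHA with the version in a trailing comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # v1`, is the usual control for a step in that role, and the same reasoning applies to the other tag-pinned actions in this job. `subject-path` matches the `output-file` of the generation step above, but because the attestation runs before `Scan SBOM`, the provenance is published regardless of the scan result; that is consistent with what provenance attests (origin, not content quality), and a short comment, `# Attests the SBOM's origin only; the scan below does not gate this step`, would stop a later reader from reordering the steps on the assumption that it does. The `if:` condition repeats the fork/dependabot expression used in `.github/workflows/package-build.yml`; the two need to be kept in sync, and a `# keep in sync with package-build.yml` comment on each would help. The `Scan SBOM` step's remaining inputs and the rest of the job are outside the hunk.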
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 95c8b37c..b4f89ed3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -22,6 +22,8 @@ Things to be included in the next release go here.
 - Added a new section in the documentation of each package/subpackage that shows the submodules (files) of that package/subpackage.
 - Added signed build provenance attestations to workflow artifacts for the built package.
+- Added signed build provenance attestations to the generated SBOMs.
+- Documentation was added explaining how to verify the attestations on uploaded files.
 ### Removed
diff --git a/README.md b/README.md
index cac1c632..2587922e 100644
--- a/README.md
+++ b/README.md
@@ -192,6 +192,18 @@ contributing to this project, you agree to abide by its terms.
 `tm_devices` was created by Tektronix. It is licensed under the terms of the
 [Apache License 2.0](https://tinyurl.com/tek-tm-devices/LICENSE.md).
+## Security
+
+The signatures of the files uploaded to [PyPI](https://pypi.org/project/tm-devices/) and each
+[GitHub Release](https://github.com/tektronix/tm_devices/releases) can be verified using
+the [GitHub CLI `attestation verify` command](https://cli.github.com/manual/gh_attestation_verify).
+The artifact attestations can also be directly downloaded from the
+[GitHub repo attestations page](https://github.com/tektronix/tm_devices/attestations) if desired.
+
+```shell
+gh attestation verify --owner tektronix
+```
+
 ## Credits
 `tm_devices` was created with