|
44 | 44 | contents: write # required for goreleaser to upload the release assets
|
45 | 45 | packages: write # to push container images
|
46 | 46 | pull-requests: write
|
| 47 | + id-token: write # required for SLSA provenance |
| 48 | + attestations: write # required for SLSA provenance |
47 | 49 | env:
|
48 | 50 | CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
|
49 | 51 | ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
|
@@ -132,6 +134,48 @@ jobs:
|
132 | 134 | chainloop attestation add --name $material_name --value $entry --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}
|
133 | 135 | done
|
134 | 136 |
|
| 137 | + - name: Calculate checksum for SLSA attestation |
| 138 | + run: | |
| 139 | + # We're generating a checksum file for the SLSA attestation as a workaround for the current limitations of the SLSA attestation action. |
| 140 | + # Until it's possible to include multiple container images and binaries in a single attestation, this approach serves as a temporary solution. |
| 141 | + # An open issue suggests that if pushing the attestation to an OCI registry isn't required, using a checksum file is a valid alternative. |
| 142 | + # Link: https://github.com/actions/attest-build-provenance/issues/454 |
| 143 | +
|
| 144 | + # Create an empty checksum file |
| 145 | + checksum_file="subjects-checksum.txt" |
| 146 | + touch "$checksum_file" |
| 147 | +
|
| 148 | + # First the binaries |
| 149 | + binaries=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Binary") | select(.name=="chainloop"| not) | "\(.path) \(.name)"') |
| 150 | + echo "$binaries" | while IFS= read -r entry; do |
| 151 | + # Extract the path and name from the entry |
| 152 | + path=$(echo "$entry" | awk '{print $1}') |
| 153 | + # Calculate the checksum of the file |
| 154 | + checksum=$(sha256sum "$path" | awk '{print $1}') |
| 155 | + # Get the name from the entry |
| 156 | + name=$(echo "$entry" | awk '{print $2}') |
| 157 | + # Add it to the checksum file |
| 158 | + echo "$checksum *$name" >> $checksum_file |
| 159 | + done |
| 160 | +
|
| 161 | + # Then the docker images |
| 162 | + images=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Docker Manifest") | select(.name | endswith(":latest") | not) | "\(.extra.Digest | split("sha256:")[1]) \(.name)"') |
| 163 | + echo "$images" | while IFS= read -r entry; do |
| 164 | + # Extract the digest and name from the entry |
| 165 | + name=$(echo "$entry" | awk '{print $2}') |
| 166 | + digest=$(echo "$entry" | awk '{print $1}') |
| 167 | + echo "$digest $name" >> $checksum_file |
| 168 | + done |
| 169 | +
|
| 170 | + - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3 |
| 171 | + id: slsa-attest |
| 172 | + with: |
| 173 | + subject-checksums: subjects-checksum.txt |
| 174 | + |
| 175 | + - name: Attest SLSA attestation |
| 176 | + run: | |
| 177 | + chainloop attestation --name slsa-attestation add --value ${{ steps.slsa-attest.outputs.bundle-path }} --kind SLSA_PROVENANCE --attestation-id ${{ env.ATTESTATION_ID }} |
| 178 | +
|
135 | 179 | - name: Bump Chart and Dagger Version
|
136 | 180 | run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
|
137 | 181 | - name: Bump Project Version
|
|