
chore(ci): Generate SLSA attestation #1955


Merged: 4 commits, Apr 10, 2025

javirln

@javirln javirln commented Apr 9, 2025

This patch generates a SLSA attestation that includes the binaries and Docker images produced by GoReleaser. The final attestation is derived from a checksum file with the following format:

984da8d576b3bd9f13bb33dedc29a11bd36752adaf7e1d1ff9d784fd2fba17c8 *chainloop-plugin-discord-webhook
9ecf812d8f462c8efc9b96b2b0dd1431d79e96dbe1b61479b909937902a0ded4 *chainloop-plugin-smtp
75cf34ce56f0299b27bf57bc1aeba78f3a1fb04c03c70365c541bd940a5fc86d *chainloop-plugin-dependency-track
83f69c22625c13b789ee47b93c648d82780b2a45e9a183cf72893f5e83d2fc7c *artifact-cas
39149252e9f42188e7e1d6808992b1b45a74ca0e3b23b7323852e0cd7822b4d5 *control-plane
49c35c45be38cd936b57990fc440f502d49be2c80048ab901eaa48f2178d237d *chainloop-linux-arm64
050fed0589a73c06fc2c868c81ead4526f1d46dd95f4833702a19d7687ceff52 *chainloop-darwin-amd64
30bbf64e7e8652ec595d79f42825ecfd67cad8a128073b0df67a432deb5372ad *chainloop-linux-amd64
3fe1217d0f3e130fed37b100d4c0e93164d661f04c97d138ed2a97e00b473db2 *chainloop-darwin-arm64
16f939e450fcf9d6662699a7be048731604e9203f86a18d3a7499288a1ff5375  ghcr.io/chainloop-dev/chainloop/control-plane:v1.0.0-rc.3
42f758c24da5c7c5fe978157cd3ff7b2ff08b4d134092522b10c43b53a00e57c  ghcr.io/chainloop-dev/chainloop/artifact-cas:v1.0.0-rc.3
a85bb4554298ef862a916466c7f9e0606722bc773fc389002241c2cc6fa40a0f  ghcr.io/chainloop-dev/chainloop/control-plane-migrations:v1.0.0-rc.3
093d3d4ef3eb1f481dc5cff81c2e040de4015174c18609346d86f62e59ad54ef  ghcr.io/chainloop-dev/chainloop/cli:v1.0.0-rc.3

Additionally, the output from the SLSA attestation is included in Chainloop's attestation.
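The checksum file above is what the SLSA attestation step consumes, so it is worth being precise about its layout: each line is a 64-hex-character SHA-256 digest, then the sha256sum separator (" *" for binary-mode entries, two spaces for text-mode entries, which is how the image lines are written), then the subject name, which is either a binary file name or a container image reference. The following parser is an added example and not code from the Chainloop repository or this workflow; the sample artifacts, the image reference and its digest are constructed for the example, and the mapping to in-toto `subject` entries (a name plus a `digest` map) is an assumption about how the attestation consumer would use the file.

```python
"""Parse a sha256sum-style checksum file into attestation subjects.

Added example; not part of the Chainloop workflow. Assumes the line layout
shown in the PR description: <64 hex digest><space><' ' or '*'><name>.
"""
import hashlib
import re
from dataclasses import dataclass

# sha256sum output: digest, one space, a mode character (' ' text, '*' binary), name.
_LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) ([ *])(.+)$")


@dataclass(frozen=True)
class Subject:
    name: str
    sha256: str
    binary_mode: bool  # True when the separator was " *" (sha256sum -b)

    @property
    def is_image(self) -> bool:
        # Heuristic: an OCI reference has a registry/repository path plus a tag
        # or digest; the plain binaries in this file contain neither '/' nor ':'.
        return "/" in self.name and (":" in self.name or "@" in self.name)


def parse_checksum_line(line: str) -> Subject:
    m = _LINE_RE.match(line.rstrip("\n"))
    if not m:
        raise ValueError(f"malformed checksum line: {line!r}")
    digest, sep, name = m.groups()
    return Subject(name=name, sha256=digest.lower(), binary_mode=(sep == "*"))


def parse_checksum_file(text: str) -> list[Subject]:
    """Parse every non-empty line; reject malformed lines and duplicate names."""
    subjects: list[Subject] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        try:
            s = parse_checksum_line(raw)
        except ValueError as e:
            raise ValueError(f"line {lineno}: {e}") from None
        if s.name in seen:
            raise ValueError(f"line {lineno}: duplicate subject name {s.name!r}")
        seen.add(s.name)
        subjects.append(s)
    return subjects


def to_intoto_subjects(subjects: list[Subject]) -> list[dict]:
    # in-toto Statement "subject" entries: a name and a digest set.
    return [{"name": s.name, "digest": {"sha256": s.sha256}} for s in subjects]


def verify_bytes(subject: Subject, data: bytes) -> bool:
    """Check a local artifact's content against its checksum entry."""
    return hashlib.sha256(data).hexdigest() == subject.sha256


# Constructed sample artifacts (placeholders, not real release binaries).
SAMPLE_BINARIES = {
    "chainloop-linux-amd64": b"placeholder-linux-amd64\n",
    "chainloop-darwin-arm64": b"placeholder-darwin-arm64\n",
}
# Constructed image reference and digest (not a real image).
SAMPLE_IMAGE_REF = "ghcr.io/example-org/example-image:v0.0.0-example"
SAMPLE_IMAGE_DIGEST = "ab" * 32


def build_sample_checksum_file() -> str:
    """Write binaries as sha256sum -b would, and images as the workflow does."""
    lines = [f"{hashlib.sha256(b).hexdigest()} *{n}" for n, b in SAMPLE_BINARIES.items()]
    lines.append(f"{SAMPLE_IMAGE_DIGEST}  {SAMPLE_IMAGE_REF}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for s in parse_checksum_file(build_sample_checksum_file()):
        kind = "image" if s.is_image else "binary"
        print(f"{kind:6} {s.sha256[:12]}... {s.name}")
```

The strict regex matters more than it looks: a line with a single space between digest and name, or a truncated digest, is silently skipped by some consumers, which would leave that artifact out of the attestation's subject list without any error.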

javirln added 2 commits April 9, 2025 15:02
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln requested review from migmartri and jiparis April 9, 2025 13:14
@javirln javirln self-assigned this Apr 9, 2025

@migmartri migmartri left a comment


Something minor, thanks @javirln!

@@ -132,6 +134,43 @@ jobs:
chainloop attestation add --name $material_name --value $entry --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}
done

- name: Calculate checksum for SLSA attestation
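Review bot: in the loop's `chainloop attestation add --name $material_name --value $entry ...` line, `$material_name` and `$entry` are expanded unquoted, so a value containing whitespace or glob characters would be word-split or expanded by the shell before the CLI sees it; quote them as `--name "$material_name" --value "$entry"`. The new step's name, `Calculate checksum for SLSA attestation`, says what it does but not why; a short comment in the workflow next to the step, pointing at the constraint that motivates the checksum-file approach, would save the next reader a trip to the PR.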

I'd add a link explaining why we need to do this, pointing to the issue that mentioned that only one container image is possible at the moment.

@migmartri: cc/ @gr0

echo "$digest $name" >> $checksum_file
done

- uses: actions/attest-build-provenance@v2
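Review bot: `actions/attest-build-provenance@v2` is a mutable tag; for a step whose whole purpose is producing provenance, pin it to a full commit SHA (keeping the version in a trailing comment) so the action code that runs cannot change underneath a tag. In the `echo "$digest $name" >> $checksum_file` line, `$checksum_file` is unquoted on the redirect and should be `>> "$checksum_file"`. Also check the separator: the PR description shows image entries with two spaces between digest and name, which is the sha256sum text-mode layout (digest, space, mode character, name), while the `echo` as shown emits a single space; consumers that parse the sha256sum format will not accept a single-space line, so the emitted separator must match what the attestation step expects.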

can you pin it?

javirln added 2 commits April 9, 2025 16:32
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln merged commit 8a12fce into chainloop-dev:main Apr 10, 2025
13 checks passed