Merge pull request #945 from viccuad/slsa-gh

Ensure SLSA Lvl 3
kubewarden · Oct 22, 2024 · 1e361f7 · 1e361f7
2 parents 77f28da + ee60444
commit 1e361f7
Show file tree

Hide file tree

Showing 3 changed files with 43 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -18,11 +18,9 @@ jobs:
         targetarch:
           - aarch64
           - x86_64
-
     permissions:
-      packages: write
       id-token: write
-
+      attestations: write
     steps:
       - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
 
@@ -42,9 +40,20 @@ jobs:
           command: build
           args: --release --target ${{matrix.targetarch}}-unknown-linux-musl
 
+      - run: mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}
+
+      - name: Smoke test build
+        if: matrix.targetarch == 'x86_64'
+        run: ./kwctl-linux-x86_64 --help
+
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        id: attestations
+        with:
+          subject-path: kwctl-linux-${{ matrix.targetarch }}
+
       - name: Sign kwctl
         run: |
-          mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }}
           cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig
 
       - run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem
@@ -102,6 +111,7 @@ jobs:
     runs-on: macos-latest
     permissions:
       id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
@@ -128,6 +138,12 @@ jobs:
         if: matrix.targetarch == 'x86_64'
         run: ./kwctl-darwin-x86_64 --help
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        id: attestations
+        with:
+          subject-path: kwctl-darwin-${{ matrix.targetarch }}
+
       - name: Sign kwctl
         run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
 
@@ -181,6 +197,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     permissions:
       id-token: write
+      attestations: write
     steps:
       - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
 
@@ -207,6 +224,12 @@ jobs:
       - name: Smoke test build
         run: .\kwctl-windows-x86_64.exe --help
 
+      - name: Generate attestations
+        uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+        id: attestations
+        with:
+          subject-path: kwctl-windows-${{ matrix.targetarch }}.exe
+
       - name: Sign kwctl
         run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
 

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,6 +21,8 @@ jobs:
     permissions:
       id-token: write
       packages: write
+      actions: read
+      contents: write
 
   release:
     name: Create release

diff --git a/README.md b/README.md
@@ -333,6 +333,20 @@ The output should be:
 Verified OK
 ```
 
+# Software bill of materials & provenance
+
+Kwctl has its software bill of materials (SBOM) published every release. They
+follow the [SPDX](https://spdx.dev/) format, you can find them together with
+the signature and certificate used to sign it in the [releases
+assets](https://github.com/kubewarden/kwctl/releases).
+
+The build [Provenance](https://slsa.dev/spec/v1.0/provenance) files are
+following the [SLSA](https://slsa.dev/provenance/v0.2#schema) provenance schema
+and are accesible at the GitHub Actions'
+[provenance](https://github.com/kubewarden/kwctl/attestations) tab. For
+information on their format and how to verify them, see the [GitHub
+documentation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline).
+
 ## Security disclosure
 
 See [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo.