diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 74fb0b02..22e5c7be 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -18,11 +18,9 @@ jobs: targetarch: - aarch64 - x86_64 - permissions: - packages: write id-token: write - + attestations: write steps: - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 @@ -42,9 +40,20 @@ jobs: command: build args: --release --target ${{matrix.targetarch}}-unknown-linux-musl + - run: mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }} + + - name: Smoke test build + if: matrix.targetarch == 'x86_64' + run: ./kwctl-linux-x86_64 --help + + - name: Generate attestations + uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 + id: attestations + with: + subject-path: kwctl-linux-${{ matrix.targetarch }} + - name: Sign kwctl run: | - mv target/${{ matrix.targetarch }}-unknown-linux-musl/release/kwctl kwctl-linux-${{ matrix.targetarch }} cosign sign-blob --yes kwctl-linux-${{ matrix.targetarch }} --output-certificate kwctl-linux-${{ matrix.targetarch}}.pem --output-signature kwctl-linux-${{ matrix.targetarch }}.sig - run: zip -j9 kwctl-linux-${{ matrix.targetarch }}.zip kwctl-linux-${{ matrix.targetarch }} kwctl-linux-${{ matrix.targetarch }}.sig kwctl-linux-${{ matrix.targetarch }}.pem @@ -102,6 +111,7 @@ jobs: runs-on: macos-latest permissions: id-token: write + attestations: write steps: - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 
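Review bot: The new `Generate attestations` step is given `id: attestations`, but nothing in the hunk reads its output, and the `zip -j9` line that closes the hunk still packages only the binary, `.sig` and `.pem`, so the provenance bundle is not shipped next to the artifact even though the README change in this same commit points users at offline verification, which needs that bundle. Unless a step outside this hunk uploads it, consider copying the bundle next to the binary before zipping, e.g. `cp "${{ steps.attestations.outputs.bundle-path }}" kwctl-linux-${{ matrix.targetarch }}.intoto.jsonl` (output name per the action's documentation; confirm against the pinned v1.4.3), and adding that file to the zip. A short comment above the attest step would also help the next maintainer: `# provenance subject is the raw binary, not the zip; verify against the extracted file`. The job's remaining steps continue outside the hunk.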
@@ -128,6 +138,12 @@ jobs:
if: matrix.targetarch == 'x86_64'
run: ./kwctl-darwin-x86_64 --help
+ - name: Generate attestations
+ uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+ id: attestations
+ with:
+ subject-path: kwctl-darwin-${{ matrix.targetarch }}
+
- name: Sign kwctl
run: cosign sign-blob --yes kwctl-darwin-${{ matrix.targetarch }} --output-certificate kwctl-darwin-${{ matrix.targetarch }}.pem --output-signature kwctl-darwin-${{ matrix.targetarch }}.sig
@@ -181,6 +197,7 @@ jobs:
runs-on: ${{ matrix.os }}
permissions:
id-token: write
+ attestations: write
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
@@ -207,6 +224,12 @@ jobs:
- name: Smoke test build
run: .\kwctl-windows-x86_64.exe --help
+ - name: Generate attestations
+ uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
+ id: attestations
+ with:
+ subject-path: kwctl-windows-${{ matrix.targetarch }}.exe
+
- name: Sign kwctl
run: cosign sign-blob --yes kwctl-windows-x86_64.exe --output-certificate kwctl-windows-x86_64.pem --output-signature kwctl-windows-x86_64.sig
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index d7744fee..248144de 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,6 +21,8 @@ jobs:
permissions:
id-token: write
packages: write
+ actions: read
+ contents: write
release:
name: Create release
diff --git a/README.md b/README.md
index f5f143e9..8626747d 100644
--- a/README.md
+++ b/README.md
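Review bot: In the Windows hunk, `subject-path: kwctl-windows-${{ matrix.targetarch }}.exe` is the only step of that job deriving the filename from `matrix.targetarch`; the smoke test and `cosign sign-blob` lines around it hard-code `kwctl-windows-x86_64.exe`. If the Windows matrix (declared outside this hunk, which only shows `runs-on: ${{ matrix.os }}`) does not define `targetarch`, the expression expands to an empty string and the attest step fails looking for `kwctl-windows-.exe`; if it does define it, the attested file and the cosign-signed file silently diverge as soon as a second architecture is added. Use one form for all three steps — either `subject-path: kwctl-windows-x86_64.exe` to match its neighbours, or move the smoke-test and sign lines onto the matrix variable as the Linux and macOS jobs already do.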
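Review bot: The release.yml hunk widens a job that already holds `id-token: write` and `packages: write` with `contents: write` and `actions: read`, with nothing saying which step needs them; the job's header and steps lie outside the hunk, so a reader cannot tell, and the separate `release` job visible right below is the one named "Create release". If only that `release` job creates the GitHub release and uploads assets, `contents: write` belongs there rather than on this job, keeping the build token unable to modify repository contents. Whichever job keeps them, annotate each new line with its consumer, e.g. `actions: read # required to download artifacts / attestations from this workflow run` and `contents: write # create the release and upload assets`, so the next least-privilege review has something to check against.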
@@ -333,6 +333,20 @@ The output should be:
Verified OK
```
+# Software bill of materials & provenance
+
+Kwctl has its software bill of materials (SBOM) published every release. They
+follow the [SPDX](https://spdx.dev/) format, you can find them together with
+the signature and certificate used to sign it in the [releases
+assets](https://github.com/kubewarden/kwctl/releases).
+
+The build [Provenance](https://slsa.dev/spec/v1.0/provenance) files are
+following the [SLSA](https://slsa.dev/provenance/v0.2#schema) provenance schema
+and are accesible at the GitHub Actions'
+[provenance](https://github.com/kubewarden/kwctl/attestations) tab. For
+information on their format and how to verify them, see the [GitHub
+documentation](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/verifying-attestations-offline).
+
## Security disclosure
See [SECURITY.md](https://github.com/kubewarden/community/blob/main/SECURITY.md) on the kubewarden/community repo.