Skip to content

Commit b24e973

Browse files
authored
Merge pull request #1125 from fluxcd/slsa3
Add SLSA3 generators to release workflow
2 parents bade8c9 + 91bd086 commit b24e973

File tree

2 files changed

+89
-15
lines changed

2 files changed

+89
-15
lines changed

.github/workflows/release.yml

Lines changed: 71 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -11,16 +11,22 @@ on:
1111
required: true
1212

1313
permissions:
14-
contents: write # needed to write releases
15-
id-token: write # needed for keyless signing
16-
packages: write # needed for ghcr access
14+
contents: read
1715

1816
env:
1917
CONTROLLER: ${{ github.event.repository.name }}
2018

2119
jobs:
22-
build-push:
20+
release:
21+
outputs:
22+
hashes: ${{ steps.slsa.outputs.hashes }}
23+
image_url: ${{ steps.slsa.outputs.image_url }}
24+
image_digest: ${{ steps.slsa.outputs.image_digest }}
2325
runs-on: ubuntu-latest
26+
permissions:
27+
contents: write # for creating the GitHub release.
28+
id-token: write # for creating OIDC tokens for signing.
29+
packages: write # for pushing and signing container images.
2430
steps:
2531
- name: Checkout
2632
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
@@ -61,6 +67,7 @@ jobs:
6167
tags: |
6268
type=raw,value=${{ steps.prep.outputs.VERSION }}
6369
- name: Publish images
70+
id: build-push
6471
uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
6572
with:
6673
sbom: true
@@ -72,32 +79,82 @@ jobs:
7279
platforms: linux/amd64,linux/arm/v7,linux/arm64
7380
tags: ${{ steps.meta.outputs.tags }}
7481
labels: ${{ steps.meta.outputs.labels }}
75-
- name: Check images
76-
run: |
77-
docker buildx imagetools inspect docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
78-
docker buildx imagetools inspect ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
79-
docker pull docker.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
80-
docker pull ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
8182
- uses: sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
8283
- name: Sign images
8384
env:
8485
COSIGN_EXPERIMENTAL: 1
8586
run: |
86-
cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
87-
cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.VERSION }}
87+
cosign sign --yes fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
88+
cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}@${{ steps.build-push.outputs.digest }}
8889
- name: Generate release artifacts
8990
if: startsWith(github.ref, 'refs/tags/v')
9091
run: |
9192
mkdir -p config/release
9293
kustomize build ./config/crd > ./config/release/${{ env.CONTROLLER }}.crds.yaml
9394
kustomize build ./config/manager > ./config/release/${{ env.CONTROLLER }}.deployment.yaml
94-
echo '[CHANGELOG](https://github.com/fluxcd/${{ env.CONTROLLER }}/blob/main/CHANGELOG.md)' > ./config/release/notes.md
9595
- uses: anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2
9696
- name: Create release and SBOM
97+
id: run-goreleaser
9798
if: startsWith(github.ref, 'refs/tags/v')
9899
uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
99100
with:
100101
version: latest
101-
args: release --release-notes=config/release/notes.md --rm-dist --skip-validate
102+
args: release --clean --skip-validate
102103
env:
103104
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
105+
- name: Generate SLSA metadata
106+
id: slsa
107+
env:
108+
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
109+
run: |
110+
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
111+
echo "hashes=$hashes" >> $GITHUB_OUTPUT
112+
113+
image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
114+
echo "image_url=$image_url" >> $GITHUB_OUTPUT
115+
116+
image_digest=${{ steps.build-push.outputs.digest }}
117+
echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
118+
119+
release-provenance:
120+
needs: [release]
121+
permissions:
122+
actions: read # for detecting the Github Actions environment.
123+
id-token: write # for creating OIDC tokens for signing.
124+
contents: write # for uploading attestations to GitHub releases.
125+
if: startsWith(github.ref, 'refs/tags/v')
126+
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
127+
with:
128+
provenance-name: "provenance.intoto.jsonl"
129+
base64-subjects: "${{ needs.release.outputs.hashes }}"
130+
upload-assets: true
131+
132+
dockerhub-provenance:
133+
needs: [release]
134+
permissions:
135+
actions: read # for detecting the Github Actions environment.
136+
id-token: write # for creating OIDC tokens for signing.
137+
packages: write # for uploading attestations.
138+
if: startsWith(github.ref, 'refs/tags/v')
139+
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
140+
with:
141+
image: ${{ needs.release.outputs.image_url }}
142+
digest: ${{ needs.release.outputs.image_digest }}
143+
registry-username: fluxcdbot
144+
secrets:
145+
registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
146+
147+
ghcr-provenance:
148+
needs: [release]
149+
permissions:
150+
actions: read # for detecting the Github Actions environment.
151+
id-token: write # for creating OIDC tokens for signing.
152+
packages: write # for uploading attestations.
153+
if: startsWith(github.ref, 'refs/tags/v')
154+
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
155+
with:
156+
image: ghcr.io/${{ needs.release.outputs.image_url }}
157+
digest: ${{ needs.release.outputs.image_digest }}
158+
registry-username: fluxcdbot
159+
secrets:
160+
registry-password: ${{ secrets.GHCR_TOKEN }}

.goreleaser.yaml

Lines changed: 18 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,9 +4,26 @@ builds:
44
- skip: true
55

66
release:
7-
prerelease: "true"
87
extra_files:
98
- glob: config/release/*.yaml
9+
prerelease: "auto"
10+
header: |
11+
## Changelog
12+
13+
[{{.Tag}} changelog](https://github.com/fluxcd/{{.ProjectName}}/blob/{{.Tag}}/CHANGELOG.md)
14+
footer: |
15+
## Container images
16+
17+
- `docker.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
18+
- `ghcr.io/fluxcd/{{.ProjectName}}:{{.Tag}}`
19+
20+
Supported architectures: `linux/amd64`, `linux/arm64` and `linux/arm/v7`.
21+
22+
The container images are built on GitHub hosted runners and are signed with cosign and GitHub OIDC.
23+
To verify the images and their provenance (SLSA level 3), please see the [security documentation](https://fluxcd.io/flux/security/).
24+
25+
changelog:
26+
skip: true
1027

1128
checksum:
1229
extra_files:

0 commit comments

Comments
 (0)