From d820308980bf1eb418efc5d48058b45533e2d997 Mon Sep 17 00:00:00 2001
From: Sebastian Mendel
Date: Sun, 22 Mar 2026 23:44:18 +0100
Subject: [PATCH] fix: migrate from slsa-github-generator to org-wide reusable workflow
slsa-framework/slsa-github-generator's internal actions use tag refs which conflict with our SHA-pinning ruleset. This is a known unfixable limitation (slsa-framework/slsa-github-generator#4440).
Replace with:
- Org-wide reusable workflow at netresearch/.github (SLSA Build L3: build runs in a separate repo the caller cannot modify)
- actions/attest-build-provenance@v4.1.0 for provenance attestations (SHA-pinnable, stores in GitHub's attestation store)
- Verification via `gh attestation verify` instead of `slsa-verifier`
Remove .slsa-goreleaser/ configs (no longer needed).
Signed-off-by: Sebastian Mendel
---
 .github/workflows/release-slsa.yml | 70 ++++++++++++++++++------------
 .slsa-goreleaser/darwin-amd64.yml | 12 -----
 .slsa-goreleaser/darwin-arm64.yml | 12 -----
 .slsa-goreleaser/linux-386.yml | 12 -----
 .slsa-goreleaser/linux-amd64.yml | 12 -----
 .slsa-goreleaser/linux-arm64.yml | 12 -----
 .slsa-goreleaser/linux-armv6.yml | 13 ------
 .slsa-goreleaser/linux-armv7.yml | 13 ------
 .slsa-goreleaser/windows-amd64.yml | 12 -----
 9 files changed, 43 insertions(+), 125 deletions(-)
 delete mode 100644 .slsa-goreleaser/darwin-amd64.yml
 delete mode 100644 .slsa-goreleaser/darwin-arm64.yml
 delete mode 100644 .slsa-goreleaser/linux-386.yml
 delete mode 100644 .slsa-goreleaser/linux-amd64.yml
 delete mode 100644 .slsa-goreleaser/linux-arm64.yml
 delete mode 100644 .slsa-goreleaser/linux-armv6.yml
 delete mode 100644 .slsa-goreleaser/linux-armv7.yml
 delete mode 100644 .slsa-goreleaser/windows-amd64.yml
diff --git a/.github/workflows/release-slsa.yml b/.github/workflows/release-slsa.yml
index 50a06b3ef7..ff7657cfc8 100644
--- a/.github/workflows/release-slsa.yml
+++ b/.github/workflows/release-slsa.yml
@@ -1,4 +1,4 @@
-name: Release (SLSA Level 3)
+name: Release
 on:
 release:
@@ -23,34 +23,52 @@ jobs:
 id: tag
 run: echo "tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"
- # SLSA Level 3 builds with provenance
+ # Build binaries with provenance attestation via org-wide reusable workflow (SLSA L3)
 build:
 name: Build ${{ matrix.target }}
+ needs: [resolve-tag]
 strategy:
 fail-fast: false
 matrix:
- target:
- - linux-386
- - linux-amd64
- - linux-arm64
- - linux-armv6
- - linux-armv7
- - darwin-amd64
- - darwin-arm64
- - windows-amd64
+ include:
+ - target: linux-386
+ goos: linux
+ goarch: "386"
+ - target: linux-amd64
+ goos: linux
+ goarch: amd64
+ - target: linux-arm64
+ goos: linux
+ goarch: arm64
+ - target: linux-armv6
+ goos: linux
+ goarch: arm
+ goarm: "6"
+ - target: linux-armv7
+ goos: linux
+ goarch: arm
+ goarm: "7"
+ - target: darwin-amd64
+ goos: darwin
+ goarch: amd64
+ - target: darwin-arm64
+ goos: darwin
+ goarch: arm64
+ - target: windows-amd64
+ goos: windows
+ goarch: amd64
 permissions:
 id-token: write
 contents: write
- actions: read
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+ attestations: write
+ uses: netresearch/.github/.github/workflows/build-go-attest.yml@main
 with:
- go-version-file: go.mod
- config-file: .slsa-goreleaser/${{ matrix.target }}.yml
- evaluated-envs: "VERSION:${{ github.ref_name }}, COMMIT:${{ github.sha }}"
- upload-assets: true
- draft-release: false
- # Workaround for SLSA builder bug detecting public repos as private (see slsa-framework/slsa-github-generator#942)
- private-repository: true
+ binary-name: ofelia-${{ matrix.target }}
+ goos: ${{ matrix.goos }}
+ goarch: ${{ matrix.goarch }}
+ goarm: ${{ matrix.goarm || '' }}
+ ldflags: "-s -w -X main.version=${{ needs.resolve-tag.outputs.tag }} -X main.build=${{ github.sha }}"
+ release-tag: ${{ needs.resolve-tag.outputs.tag }}
 # Generate SBOMs for all binaries
 sbom:
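Review bot: The reusable workflow call `uses: netresearch/.github/.github/workflows/build-go-attest.yml@main` in the `build` job is pinned to a mutable branch ref, which is the class of reference the commit message says the repository's SHA-pinning ruleset exists to exclude, and it replaces a `uses:` line that was pinned to a full commit SHA with a version comment. Whoever can push to that branch of the org repo can change what every release build executes under `id-token: write`, `contents: write` and `attestations: write`, so the provenance this job produces is only as trustworthy as that branch's protection. Pin the reusable workflow to a commit SHA with a version comment, `uses: netresearch/.github/.github/workflows/build-go-attest.yml@<commit-sha>  # vX.Y.Z` (placeholders), and treat bumps of that SHA as reviewed changes; if the ruleset deliberately exempts same-org refs, a comment on this line saying so would save the next reader the same question. The `build` job ends inside the hunk, but the workflow continues in the `sbom` job outside it.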
@@ -84,7 +102,7 @@ jobs:
 run: |
 set -euo pipefail
 for binary in dist/ofelia-*; do
- if [[ ! "$binary" =~ \.intoto\.jsonl$ ]] && [[ ! "$binary" =~ \.sbom\.json$ ]]; then
+ if [[ ! "$binary" =~ \.sbom\.json$ ]]; then
 echo "Generating SBOM for $binary"
 syft "$binary" -o spdx-json="${binary}.sbom.json"
 fi
@@ -134,9 +152,8 @@ jobs:
 run: |
 set -euo pipefail
 cd dist
- # Only checksum actual binaries (exclude provenance and SBOM metadata)
+ # Only checksum actual binaries (exclude SBOM metadata)
 find . -maxdepth 1 -type f -name "ofelia-*" \
- ! -name "*.intoto.jsonl" \
 ! -name "*.sbom.json" \
 -exec sha256sum {} + > checksums.txt
 cat checksums.txt
@@ -201,13 +218,12 @@ jobs:
 echo ""
 echo "## Verification"
 echo ""
- echo "All binaries include SLSA Level 3 provenance attestations."
+ echo "All binaries include provenance attestations stored in GitHub's attestation store."
 echo ""
 echo "### Verify binary provenance"
 echo '```bash'
- echo "slsa-verifier verify-artifact ofelia-linux-amd64 \\"
- echo " --provenance-path ofelia-linux-amd64.intoto.jsonl \\"
- echo " --source-uri github.com/netresearch/ofelia"
+ echo "gh attestation verify ofelia-linux-amd64 \\"
+ echo " --repo netresearch/ofelia"
 echo '```'
 echo ""
 echo "### Verify checksums signature"
diff --git a/.slsa-goreleaser/darwin-amd64.yml b/.slsa-goreleaser/darwin-amd64.yml
deleted file mode 100644
index b1f8cca623..0000000000
--- a/.slsa-goreleaser/darwin-amd64.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: darwin
-goarch: amd64
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/darwin-arm64.yml b/.slsa-goreleaser/darwin-arm64.yml
deleted file mode 100644
index 4db60b73e8..0000000000
--- a/.slsa-goreleaser/darwin-arm64.yml
+++ /dev/null
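Review bot: The documented verification in the release-notes hunk, `gh attestation verify ofelia-linux-amd64 --repo netresearch/ofelia`, binds the attestation only to the source repository, so an attestation produced by any workflow in this repository that holds `attestations: write` would satisfy it; the `slsa-verifier` invocation it replaces carried the builder identity in the provenance it checked. Since the commit's L3 argument rests on the build running in the org-wide reusable workflow, the snippet should name that builder too: end the `--repo` line with a continuation (`echo "  --repo netresearch/ofelia \\"`) and add `echo "  --signer-workflow netresearch/.github/.github/workflows/build-go-attest.yml"` after it. It would also help readers to state which release assets carry attestations (the binaries, not the `.sbom.json` or `checksums.txt` files), now that the `.intoto.jsonl` sidecars that made this visible no longer ship. The `echo` block sits inside a `run:` script whose start and end are outside the hunk.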
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: darwin
-goarch: arm64
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/linux-386.yml b/.slsa-goreleaser/linux-386.yml
deleted file mode 100644
index af2acd3d3d..0000000000
--- a/.slsa-goreleaser/linux-386.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: linux
-goarch: 386
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/linux-amd64.yml b/.slsa-goreleaser/linux-amd64.yml
deleted file mode 100644
index 76e8b57aa1..0000000000
--- a/.slsa-goreleaser/linux-amd64.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: linux
-goarch: amd64
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/linux-arm64.yml b/.slsa-goreleaser/linux-arm64.yml
deleted file mode 100644
index 4bb747619e..0000000000
--- a/.slsa-goreleaser/linux-arm64.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: linux
-goarch: arm64
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/linux-armv6.yml b/.slsa-goreleaser/linux-armv6.yml
deleted file mode 100644
index abb8f20853..0000000000
--- a/.slsa-goreleaser/linux-armv6.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: linux
-goarch: arm
-goarm: 6
-main: .
-binary: ofelia-linux-armv6
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/linux-armv7.yml b/.slsa-goreleaser/linux-armv7.yml
deleted file mode 100644
index 311bbbbbc9..0000000000
--- a/.slsa-goreleaser/linux-armv7.yml
+++ /dev/null
@@ -1,13 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: linux
-goarch: arm
-goarm: 7
-main: .
-binary: ofelia-linux-armv7
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"
diff --git a/.slsa-goreleaser/windows-amd64.yml b/.slsa-goreleaser/windows-amd64.yml
deleted file mode 100644
index c9976c1ec2..0000000000
--- a/.slsa-goreleaser/windows-amd64.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-version: 1
-env:
- - CGO_ENABLED=0
- - GO111MODULE=on
-flags:
- - -trimpath
-goos: windows
-goarch: amd64
-main: .
-binary: ofelia-{{ .Os }}-{{ .Arch }}
-ldflags:
- - "-s -w -X main.version={{ .Env.VERSION }} -X main.build={{ .Env.COMMIT }}"