Skip to content

fix: migrate from slsa-github-generator to actions/attest-build-provenance #542

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
CybotTM merged 1 commit into from
Mar 23, 2026
Merged

fix: migrate from slsa-github-generator to actions/attest-build-provenance #542

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
70 changes: 43 additions & 27 deletions .github/workflows/release-slsa.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Release (SLSA Level 3)
name: Release

on:
release:
Expand All @@ -23,34 +23,52 @@
id: tag
run: echo "tag=${{ github.event.release.tag_name }}" >> "$GITHUB_OUTPUT"

# SLSA Level 3 builds with provenance
# Build binaries with provenance attestation via org-wide reusable workflow (SLSA L3)
build:
name: Build ${{ matrix.target }}
needs: [resolve-tag]
strategy:
fail-fast: false
matrix:
target:
- linux-386
- linux-amd64
- linux-arm64
- linux-armv6
- linux-armv7
- darwin-amd64
- darwin-arm64
- windows-amd64
include:
- target: linux-386
goos: linux
goarch: "386"
- target: linux-amd64
goos: linux
goarch: amd64
- target: linux-arm64
goos: linux
goarch: arm64
- target: linux-armv6
goos: linux
goarch: arm
goarm: "6"
- target: linux-armv7
goos: linux
goarch: arm
goarm: "7"
- target: darwin-amd64
goos: darwin
goarch: amd64
- target: darwin-arm64
goos: darwin
goarch: arm64
- target: windows-amd64
goos: windows
goarch: amd64
permissions:
id-token: write
contents: write
actions: read
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
attestations: write
uses: netresearch/.github/.github/workflows/build-go-attest.yml@main
with:
go-version-file: go.mod
config-file: .slsa-goreleaser/${{ matrix.target }}.yml
evaluated-envs: "VERSION:${{ github.ref_name }}, COMMIT:${{ github.sha }}"
upload-assets: true
draft-release: false
# Workaround for SLSA builder bug detecting public repos as private (see slsa-framework/slsa-github-generator#942)
private-repository: true
binary-name: ofelia-${{ matrix.target }}
goos: ${{ matrix.goos }}
goarch: ${{ matrix.goarch }}
goarm: ${{ matrix.goarm || '' }}
ldflags: "-s -w -X main.version=${{ needs.resolve-tag.outputs.tag }} -X main.build=${{ github.sha }}"
release-tag: ${{ needs.resolve-tag.outputs.tag }}

# Generate SBOMs for all binaries
sbom:
Expand Down Expand Up @@ -84,7 +102,7 @@
run: |
set -euo pipefail
for binary in dist/ofelia-*; do
if [[ ! "$binary" =~ \.intoto\.jsonl$ ]] && [[ ! "$binary" =~ \.sbom\.json$ ]]; then
if [[ ! "$binary" =~ \.sbom\.json$ ]]; then
echo "Generating SBOM for $binary"
syft "$binary" -o spdx-json="${binary}.sbom.json"
fi
Expand Down Expand Up @@ -134,9 +152,8 @@
run: |
set -euo pipefail
cd dist
# Only checksum actual binaries (exclude provenance and SBOM metadata)
# Only checksum actual binaries (exclude SBOM metadata)
find . -maxdepth 1 -type f -name "ofelia-*" \
! -name "*.intoto.jsonl" \
! -name "*.sbom.json" \
-exec sha256sum {} + > checksums.txt
cat checksums.txt
Expand Down Expand Up @@ -201,13 +218,12 @@
echo ""
echo "## Verification"
echo ""
echo "All binaries include SLSA Level 3 provenance attestations."
echo "All binaries include provenance attestations stored in GitHub's attestation store."
echo ""
echo "### Verify binary provenance"
echo '```bash'
echo "slsa-verifier verify-artifact ofelia-linux-amd64 \\"
echo " --provenance-path ofelia-linux-amd64.intoto.jsonl \\"
echo " --source-uri github.com/netresearch/ofelia"
echo "gh attestation verify ofelia-linux-amd64 \\"
echo " --repo netresearch/ofelia"
echo '```'
echo ""
echo "### Verify checksums signature"
Expand Down Expand Up @@ -451,7 +467,7 @@
- name: Update release notes with issues link
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |

Check failure on line 470 in .github/workflows/release-slsa.yml

View workflow job for this annotation

GitHub Actions / actionlint 

[actionlint] reported by reviewdog 🐶
shellcheck reported issue in this script: SC2129:style:15:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]

Raw Output:
e:.github/workflows/release-slsa.yml:470:9: shellcheck reported issue in this script: SC2129:style:15:1: Consider using { cmd1; cmd2; } >> file instead of individual redirects [shellcheck]
set -euo pipefail

# Get existing release notes
Expand Down
12 changes: 0 additions & 12 deletions .slsa-goreleaser/darwin-amd64.yml
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions .slsa-goreleaser/darwin-arm64.yml
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions .slsa-goreleaser/linux-386.yml
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions .slsa-goreleaser/linux-amd64.yml
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions .slsa-goreleaser/linux-arm64.yml
View file
Open in desktop

This file was deleted.

13 changes: 0 additions & 13 deletions .slsa-goreleaser/linux-armv6.yml
View file
Open in desktop

This file was deleted.

13 changes: 0 additions & 13 deletions .slsa-goreleaser/linux-armv7.yml
View file
Open in desktop

This file was deleted.

12 changes: 0 additions & 12 deletions .slsa-goreleaser/windows-amd64.yml
View file
Open in desktop

This file was deleted.

Loading