From af8247bc3eab4700b695e96a27e0ca846753a724 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien?=
Date: Sat, 11 May 2024 18:04:45 +0200
Subject: [PATCH] Add GitHub Actions build provenance attestations
---
 .github/workflows/publish.yml | 58 ++++++++++++++++++++++++++++++++++-
 1 file changed, 57 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 965c82d..b39ac83 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -74,7 +74,7 @@ jobs:
 - name: Upload install helper artifact
 uses: actions/upload-artifact@v4
 with:
- name: install-helpers
+ name: web-ext-install-helpers
 path: ./scripts/install/dist/*
 
 release:
@@ -120,3 +120,59 @@ jobs:
 --clobber
 env:
 GH_TOKEN: ${{ github.token }}
+
+ attest:
+ name: Attest build provenance
+ runs-on: ubuntu-latest
+ needs:
+ - release
+
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Download artifacts to attest
+ uses: actions/download-artifact@v4
+ with:
+ pattern: web-ext-*
+ path: ./web-ext-artifacts
+ merge-multiple: true
+
+ - name: Generate artifact attestation
+ id: provenance
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: ./web-ext-artifacts
+
+ - name: Generate SBOM
+ uses: anchore/sbom-action@v0
+ with:
+ path: ./web-ext-artifacts
+ upload-artifact: false
+ output-file: ./sbom.spdx.json
+
+ - name: Generate SBOM attestation
+ id: sbom
+ uses: actions/attest-sbom@v1
+ with:
+ subject-path: ./web-ext-artifacts
+ sbom-path: ./sbom.spdx.json
+
+ - name: Merge attestations
+ run: |
+ cat "${{ steps.provenance.outputs.bundle-path }}" >> ./attestation.jsonl
+ cat "${{ steps.sbom.outputs.bundle-path }}" >> ./attestation.jsonl
+
+ - name: Attach attestation to release
+ run: |
+ gh release upload \
+ "${{ github.ref_name }}" \
+ ./attestation.jsonl \
+ --clobber
+ env:
+ GH_TOKEN: ${{ github.token }}
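Review bot: `subject-path: ./web-ext-artifacts` in the "Generate artifact attestation" and "Generate SBOM attestation" steps names a directory, while actions/attest-build-provenance and actions/attest-sbom document subject-path as a file path or glob; unless the action expands directories itself (not confirmed here), no subject would be hashed, so `subject-path: ./web-ext-artifacts/*` is the safer spelling in both steps. The job holds `id-token: write` and `attestations: write`, which makes the third-party `anchore/sbom-action@v0` the one step outside actions/* that decides what gets signed; pinning it to a full commit SHA (`uses: anchore/sbom-action@<commit-sha> # v0.x`) keeps a moved tag from swapping the SBOM generator under a signing job. `"${{ github.ref_name }}"` in the "Attach attestation to release" run step is substituted before the shell parses the line, so a tag name containing quotes or other shell metacharacters breaks the command; the same pattern already exists in the release job's context lines, but the new step could pass it through the environment instead, `env: REF_NAME: ${{ github.ref_name }}` and `"$REF_NAME"` in the script. The attest job is complete within the hunk.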