Add SLSA build provenance attestations to release workflows (#7097)

This commit is contained in:
tlongwell-block
2026-02-12 14:54:23 -05:00
committed by GitHub
parent d90fde19bd
commit 60e782c424
3 changed files with 45 additions and 0 deletions
+20
View File
@@ -15,6 +15,13 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
# Permissions for SLSA attestation, AWS OIDC codesigning, and release creation
permissions:
id-token: write # Required for Sigstore OIDC signing and AWS OIDC codesigning
contents: write # Required for creating releases and by actions/checkout
actions: read # Required by bundle-desktop-windows.yml reusable workflow
attestations: write # Required for SLSA build provenance attestations
jobs:
# ------------------------------------
# 1) Prepare Version
@@ -100,6 +107,8 @@ jobs:
needs: [build-cli, install-script, bundle-desktop, bundle-desktop-linux, bundle-desktop-windows]
permissions:
contents: write
id-token: write # Required for Sigstore OIDC signing
attestations: write # Required for SLSA build provenance attestations
steps:
- name: Download all artifacts
@@ -107,6 +116,17 @@ jobs:
with:
merge-multiple: true
- name: Attest build provenance
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
with:
subject-path: |
goose-*.tar.bz2
Goose*.zip
*.deb
*.rpm
*.flatpak
download_cli.sh
# Create/update the canary release
- name: Release canary
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+10
View File
@@ -15,6 +15,8 @@ on:
permissions:
contents: read
packages: write
id-token: write # Required for Sigstore OIDC signing
attestations: write # Required for SLSA build provenance attestations
jobs:
docker:
@@ -51,6 +53,7 @@ jobs:
type=raw,value={{tag}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
- name: Build and push Docker image
id: docker-push
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # pin@v6.18.0
with:
context: .
@@ -60,3 +63,10 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64
- name: Attest Docker image
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
with:
subject-name: ghcr.io/${{ github.repository_owner }}/goose
subject-digest: ${{ steps.docker-push.outputs.digest }}
push-to-registry: true
+15
View File
@@ -13,6 +13,7 @@ permissions:
id-token: write # Required for AWS OIDC authentication in called workflow
contents: write # Required for creating releases and by actions/checkout
actions: read # May be needed for some workflows
attestations: write # Required for SLSA build provenance attestations
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
@@ -92,12 +93,26 @@ jobs:
needs: [build-cli, install-script, bundle-desktop, bundle-desktop-intel, bundle-desktop-linux, bundle-desktop-windows]
permissions:
contents: write
id-token: write # Required for Sigstore OIDC signing
attestations: write # Required for SLSA build provenance attestations
steps:
- name: Download all artifacts
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
with:
merge-multiple: true
- name: Attest build provenance
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
with:
subject-path: |
goose-*.tar.bz2
goose-*.zip
Goose*.zip
*.deb
*.rpm
*.flatpak
download_cli.sh
# Create/update the versioned release
- name: Release versioned
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0