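---
# Reusable workflow: for every built binary listed in `inputs.artifacts`,
# compute its fingerprint, attest build provenance and an SBOM through the
# GitHub attestations API (Sigstore), and report artifact + SBOM to Kosli.
#
# Inputs (workflow_call):
#   artifacts  - JSON array, passed as a string, of objects carrying `path`
#                and `template_name`; fanned out one job per entry via the matrix.
#   dir        - name of the uploaded build artifact to download; also the
#                directory under the workspace it is extracted into.
#   kosli_org, flow_name, trail_name - Kosli destination for the attestations.
# Secrets:
#   kosli_api_token - token used by the `kosli` CLI in the two report steps.
name: Binary Provenance

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
on:
  workflow_call:
    inputs:
      artifacts:
        required: true
        type: string
      dir:
        required: true
        type: string
      kosli_org:
        required: true
        type: string
      flow_name:
        required: true
        type: string
      trail_name:
        required: true
        type: string
    secrets:
      kosli_api_token:
        required: true

jobs:
  binary-provenance:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # OIDC token for Sigstore keyless signing
      contents: write       # presumably for publish-sbom attaching release assets -- confirm
      pull-requests: read   # not read by any step below -- confirm it is still needed
      attestations: write   # required by actions/attest-build-provenance and actions/attest-sbom
    strategy:
      matrix:
        artifact: ${{ fromJson(inputs.artifacts) }}
    steps:
      # NOTE(review): third-party actions are pinned to major tags; pinning to a
      # full commit SHA gives a stronger supply-chain guarantee for a workflow
      # whose whole purpose is provenance.
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        with:
          name: ${{ inputs.dir }}
          path: ${{ github.workspace }}/${{ inputs.dir }}

      - name: setup-kosli-cli
        uses: kosli-dev/setup-cli-action@v2
        with:
          version: "${{ vars.KOSLI_CLI_VERSION }}"

      # `matrix.artifact.*` values originate from the caller-supplied
      # `artifacts` JSON, so they are untrusted from this workflow's point of
      # view. Every `run:` step below passes them (and step outputs) in through
      # `env:` and quotes them, instead of expanding `${{ }}` into the script
      # text, so a crafted value cannot inject shell commands.
      - name: Make the artifact fingerprint available for following steps
        env:
          ARTIFACT_PATH: ${{ matrix.artifact.path }}
        run: |
          set -euo pipefail
          ARTIFACT_SHA=$(kosli fingerprint "$ARTIFACT_PATH" --artifact-type file)
          # An empty digest would otherwise yield a "sha256:" subject and
          # attest the wrong thing; fail loudly instead.
          if [ -z "$ARTIFACT_SHA" ]; then
            echo "::error::kosli fingerprint produced an empty digest for $ARTIFACT_PATH"
            exit 1
          fi
          echo "FINGERPRINT=$ARTIFACT_SHA" >> "$GITHUB_ENV"

      - name: Attest Build Provenance
        id: artifact-gh-attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-name: ${{ matrix.artifact.template_name }}
          subject-digest: "sha256:${{ env.FINGERPRINT }}"

      # Exported for downstream consumers; no step in this workflow reads
      # ARTIFACT_TLOG_INDEX -- the artifact's Sigstore link below is keyed by
      # digest rather than by log index.
      - name: Make artifact GH sigstore attestation index available to next steps
        env:
          BUNDLE_PATH: ${{ steps.artifact-gh-attest.outputs.bundle-path }}
        run: |
          set -euo pipefail
          TRANSPARENCY_LOG_INDEX=$(jq '.verificationMaterial.tlogEntries[0].logIndex' "$BUNDLE_PATH")
          echo "ARTIFACT_TLOG_INDEX=$TRANSPARENCY_LOG_INDEX" >> "$GITHUB_ENV"

      - name: Generate SBOM for the binary
        uses: anchore/sbom-action@v0
        with:
          file: ${{ matrix.artifact.path }}
          format: 'spdx-json'
          output-file: '${{ matrix.artifact.template_name }}-sbom.spdx.json'
          upload-artifact: false
          upload-release-assets: false

      - name: Publish SBOM
        uses: anchore/sbom-action/publish-sbom@v0
        with:
          sbom-artifact-match: ".*\\.spdx.json$"

      # The SBOM attestation uses the binary's digest as its subject, so the
      # SBOM is bound to exactly the artifact fingerprinted above.
      - name: Attest SBOM to Github
        id: sbom-gh-attest
        uses: actions/attest-sbom@v1
        with:
          sbom-path: '${{ matrix.artifact.template_name }}-sbom.spdx.json'
          subject-name: ${{ matrix.artifact.template_name }}
          subject-digest: "sha256:${{ env.FINGERPRINT }}"

      - name: Make sbom GH sigstore attestation index available to next steps
        env:
          BUNDLE_PATH: ${{ steps.sbom-gh-attest.outputs.bundle-path }}
        run: |
          set -euo pipefail
          TRANSPARENCY_LOG_INDEX=$(jq '.verificationMaterial.tlogEntries[0].logIndex' "$BUNDLE_PATH")
          echo "SBOM_TLOG_INDEX=$TRANSPARENCY_LOG_INDEX" >> "$GITHUB_ENV"

      # `FINGERPRINT` and `SBOM_TLOG_INDEX` were written to GITHUB_ENV above and
      # are read here as ordinary shell variables. The folded scalar (`>-`)
      # joins the flags into a single command line.
      - name: Report artifact to Kosli
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          ARTIFACT_PATH: ${{ matrix.artifact.path }}
          ARTIFACT_NAME: ${{ matrix.artifact.template_name }}
          FLOW_NAME: ${{ inputs.flow_name }}
          TRAIL_NAME: ${{ inputs.trail_name }}
          ORG_NAME: ${{ inputs.kosli_org }}
        run: >-
          kosli attest artifact "$ARTIFACT_PATH"
          --flow "$FLOW_NAME"
          --trail "$TRAIL_NAME"
          --name "$ARTIFACT_NAME"
          --fingerprint "$FINGERPRINT"
          --external-url "sigstore=https://search.sigstore.dev/?hash=$FINGERPRINT"
          --org "$ORG_NAME"

      # The SBOM is reported against the artifact's fingerprint so it attaches
      # to the same Kosli artifact; its Sigstore link is keyed by log index.
      - name: Report SBOM to Kosli
        env:
          KOSLI_API_TOKEN: ${{ secrets.kosli_api_token }}
          ARTIFACT_NAME: ${{ matrix.artifact.template_name }}
          FLOW_NAME: ${{ inputs.flow_name }}
          TRAIL_NAME: ${{ inputs.trail_name }}
          ORG_NAME: ${{ inputs.kosli_org }}
        run: >-
          kosli attest generic
          --flow "$FLOW_NAME"
          --trail "$TRAIL_NAME"
          --name sbom
          --fingerprint "$FINGERPRINT"
          --attachments "${ARTIFACT_NAME}-sbom.spdx.json"
          --external-url "sigstore=https://search.sigstore.dev/?logIndex=$SBOM_TLOG_INDEX"
          --org "$ORG_NAME"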