👷 Generate signed build provenance attestations
OpenWaygate committed May 24, 2024
1 parent 07dbdeb commit c6bc40f
Showing 1 changed file with 15 additions and 2 deletions.
17 changes: 15 additions & 2 deletions .github/workflows/go-ossf-slsa3-publish.yml
Expand Up @@ -39,7 +39,7 @@ jobs:
fetch-depth: 0
- id: ldflags
run: |
echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> "$GITHUB_OUTPUT"
echo "commit-date=$(date -d @$(git log --date=iso8601-strict -1 --pretty=%ct))" >> "$GITHUB_OUTPUT"
echo "commit=$GITHUB_SHA" >> "$GITHUB_OUTPUT"
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> "$GITHUB_OUTPUT"
Expand All @@ -57,11 +57,24 @@ jobs:
matrix:
os: [linux, windows, darwin]
arch: [amd64, arm64]
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.10.0
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0
with:
go-version-file: go.mod
config-file: .slsa-goreleaser/${{ matrix.os }}-${{ matrix.arch }}.yml
evaluated-envs: "MODULE_PATH:github.com/${{ github.repository }}, COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
# =======================================================================================================
# Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects
# =======================================================================================================

attestation:
needs: [build]
runs-on: ubuntu-latest
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ needs.build.outputs.go-binary-name }}
- name: Attest
uses: actions/attest-build-provenance@v1
with:
subject-path: '${{ github.workspace }}/${{ needs.build.outputs.go-binary-name }}'
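Review bot: The new `attestation` job declares no `permissions:` block, yet `actions/attest-build-provenance` needs an OIDC token and write access to the attestations API; give the job its own block with `id-token: write`, `attestations: write` and `contents: read`, so it holds exactly those scopes whatever the workflow-level default is (that default is outside this hunk). Separately, the job it depends on appears to be the matrix job over six os/arch pairs, though its name is not visible here. A matrix job exposes only one value per output, so `needs.build.outputs.go-binary-name` would name a single binary and the other five would be published without an attestation. Consider downloading every build artifact and giving `subject-path` a glob, or attesting once per target. Pinning `actions/download-artifact@v4` and `actions/attest-build-provenance@v1` to full commit SHAs would also keep a moved tag from changing the code that signs the provenance.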
