ko-build · imjasonh · Aug 16, 2022 · Jun 14, 2022 · Jun 14, 2022 · Jun 14, 2022
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,9 @@ on:
 
 jobs:
   goreleaser:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
@@ -16,8 +19,29 @@ jobs:
           go-version: 1.18
           check-latest: true
       - uses: goreleaser/goreleaser-action@v3.0.0
+        id: run-goreleaser
         with:
           version: latest
           args: release --rm-dist
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
+
+  provenance:
+    needs: [goreleaser]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
diff --git a/README.md b/README.md
@@ -26,11 +26,24 @@ tool for Kubernetes applications ([See below](#Kubernetes-Integration)).
 ### Install from [Releases](https://github.com/google/ko/releases)
 
 ```
-VERSION=TODO # choose the latest version
-OS=Linux     # or Darwin
-ARCH=x86_64  # or arm64, i386, s390x
-curl -L https://github.com/google/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz | tar xzf - ko
-chmod +x ./ko
+$ VERSION=TODO # choose the latest version
+$ OS=Linux     # or Darwin
+$ ARCH=x86_64  # or arm64, i386, s390x
+```
+
+We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify our release, install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) and verify as follows:
+
+
+```shell
+$ curl -sL "https://github.com/google/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz" > ko.tar.gz
+$ curl -sL https://github.com/google/ko/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
+$ slsa-verifier -artifact-path ko.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/ko -tag "v${VERSION}"
+  PASSED: Verified SLSA provenance
+```
+
+```shell
+$ tar xzf ko.tar.gz ko
+$ chmod +x ./ko
 ```
 
 ### Install using [Homebrew](https://brew.sh)