✨ SLSA provenance/build (#1702)

* SLSA build * missing files * updates * updates * updates * indent fix * update * update * updates * updates * updates * updates
ossf · Jun 8, 2022 · 3b7c46f · 3b7c46f
1 parent 2c34a46
commit 3b7c46f
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 4 deletions.
diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
@@ -0,0 +1,35 @@
+name: SLSA releaser
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" 
+
+permissions: read-all
+
+jobs:
+  # Generate ldflags dynamically.
+  args:
+    runs-on: ubuntu-latest
+    outputs:
+      ldflags: ${{ steps.ldflags.outputs.value }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          echo "::set-output name=value::$(./scripts/version-ldflags)"
+
+  # Trusted builder.
+  build:
+    permissions:
+      id-token: write
+      contents: write
+      actions: read
+    needs: args
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
+    with:
+      go-version: 1.17
+      evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -29,7 +29,6 @@ builds:
   goos:
     - linux
   goarch:
-    - amd64
     - arm64
     - 386
     - arm

diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml
@@ -0,0 +1,15 @@
+version: 1
+env:
+  - GO111MODULE=on
+  # https://stackoverflow.com/a/62821358/19407
+  - CGO_ENABLED=0
+
+flags:
+  - -trimpath
+  - -tags=netgo
+
+goos: linux
+goarch: amd64
+binary: scorecard-{{ .Os }}-{{ .Arch }}
+ldflags:
+  - -s {{ .Env.VERSION_LDFLAGS }}
diff --git a/README.md b/README.md
@@ -148,9 +148,22 @@ To install Scorecards as a standalone:
 
 1.  Visit our latest
     [release page](https://github.com/ossf/scorecard/releases/latest) and
-    download the correct binary for your operating system
-2.  Extract the binary file
-3.  Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
+    download the correct binary for your operating system 
+1.  Extract the binary file
+1.  We are excited to be an early adopter of one of the the OSSF [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
+to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file 
+scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary):
+```
+$ ./slsa-verifier-linux-amd64 \
+    --artifact-path scorecard-linux-amd64 \
+    --provenance scorecard-linux-amd64.intoto.jsonl \
+    --source github.com/ossf/scorecard
+    --tag vX.Y.Z
+```
+When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository. 
+If you're interested in reading more about SLSA, visit the official [slsa.dev](slsa.dev).
+
+1.  Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
     identify your directory if necessary)
 
 ##### Using Homebrew