From 3b7c46f779b89ceb52ffd3d99540aa8e9f826665 Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Wed, 8 Jun 2022 09:54:09 -0700
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20SLSA=20provenance/build=20(#1702)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* SLSA build
* missing files
* updates
* updates
* updates
* indent fix
* update
* update
* updates
* updates
* updates
* updates
---
 .github/workflows/slsa-goreleaser.yml | 35 +++++++++++++++++++++++++++
 .goreleaser.yml | 1 -
 .slsa-goreleaser.yml | 15 ++++++++++++
 README.md | 19 ++++++++++++---
 4 files changed, 66 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/slsa-goreleaser.yml
 create mode 100644 .slsa-goreleaser.yml
diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
new file mode 100644
index 00000000000..6a92587154c
--- /dev/null
+++ b/.github/workflows/slsa-goreleaser.yml
@@ -0,0 +1,35 @@
+name: SLSA releaser
+on:
+ workflow_dispatch:
+ push:
+ tags:
+ - "*"
+
+permissions: read-all
+
+jobs:
+ # Generate ldflags dynamically.
+ args:
+ runs-on: ubuntu-latest
+ outputs:
+ ldflags: ${{ steps.ldflags.outputs.value }}
+ steps:
+ - id: checkout
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+ with:
+ fetch-depth: 0
+ - id: ldflags
+ run: |
+ echo "::set-output name=value::$(./scripts/version-ldflags)"
+
+ # Trusted builder.
+ build:
+ permissions:
+ id-token: write
+ contents: write
+ actions: read
+ needs: args
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
+ with:
+ go-version: 1.17
+ evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
\ No newline at end of file
diff --git a/.goreleaser.yml b/.goreleaser.yml
index 8833a882ab8..4522d656e85 100644
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -29,7 +29,6 @@ builds:
 goos:
 - linux
 goarch:
- - amd64
 - arm64
 - 386
 - arm
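Review bot: `go-version: 1.17` in the `build` job is an unquoted float and only survives because 1.17 has no trailing zero; the same line with a later `1.20` would be read as `1.2` and select the wrong toolchain, so quote it as `go-version: "1.17"` and keep any future version values quoted too. The `uses:` line pins the reusable builder_go_slsa3.yml workflow by tag rather than by commit, which looks intentional for this generator since, as I understand its guidance, the provenance names the trusted builder by its tagged ref and the verifier checks that; I would not change it, but a comment such as `# pinned by tag on purpose: the SLSA verifier validates the builder's tagged ref, not a commit hash` would stop a later reviewer from "fixing" it into a SHA pin. The value of the `args` job output is interpolated into `evaluated-envs`, whose format appears to be comma-separated `NAME:VALUE` pairs, so `./scripts/version-ldflags` must never emit a comma or newline — worth a one-line comment next to the `run:` step. The new file also ends without a trailing newline.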
diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml
new file mode 100644
index 00000000000..5495e9f6c51
--- /dev/null
+++ b/.slsa-goreleaser.yml
@@ -0,0 +1,15 @@
+version: 1
+env:
+ - GO111MODULE=on
+ # https://stackoverflow.com/a/62821358/19407
+ - CGO_ENABLED=0
+
+flags:
+ - -trimpath
+ - -tags=netgo
+
+goos: linux
+goarch: amd64
+binary: scorecard-{{ .Os }}-{{ .Arch }}
+ldflags:
+ - -s {{ .Env.VERSION_LDFLAGS }}
\ No newline at end of file
diff --git a/README.md b/README.md
index ef38276950a..57568a0a02b 100644
--- a/README.md
+++ b/README.md
@@ -148,9 +148,22 @@ To install Scorecards as a standalone:
 1. Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and
- download the correct binary for your operating system
-2. Extract the binary file
-3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
+ download the correct binary for your operating system
+1. Extract the binary file
+1. We are excited to be an early adopter of one of the the OSSF [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
+to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file
+scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary):
+```
+$ ./slsa-verifier-linux-amd64 \
+ --artifact-path scorecard-linux-amd64 \
+ --provenance scorecard-linux-amd64.intoto.jsonl \
+ --source github.com/ossf/scorecard
+ --tag vX.Y.Z
+```
+When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository.
+If you're interested in reading more about SLSA, visit the official [slsa.dev](slsa.dev).
+
+1. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
 identify your directory if necessary)
 ##### Using Homebrew
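Review bot: The comment above `CGO_ENABLED=0` is only a StackOverflow link, which tells a reader nothing once the link rots; state the reason inline, e.g. `# CGO_ENABLED=0: no cgo, so the binary is statically linked and does not depend on the builder's libc (see link)`, assuming that is what the linked answer argues. Together with `-trimpath` and `-tags=netgo` this is the right shape for a build that a verifier can rebuild from source and compare against the artifact the provenance names, so a one-line header comment saying the file is consumed by the SLSA builder rather than by goreleaser would help, since the two files sit side by side. The only remaining external input is `{{ .Env.VERSION_LDFLAGS }}`, which comes from the untrusted `args` job via `evaluated-envs`; as far as I know the builder records evaluated envs in the provenance, which is what makes that acceptable — worth confirming against the generator's documentation and noting in the comment. Relatedly, the README hunk's verification example is missing the continuation backslash after `--source github.com/ossf/scorecard`, so copied as-is the `--tag vX.Y.Z` line is not part of the command and the documented check does not run as intended.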