Add SLSA generic generator workflow #385
This workflow generates SLSA provenance files for projects, satisfying level 3 requirements.
Pull request overview
This PR adds a GitHub Actions workflow to generate SLSA (Supply-chain Levels for Software Artifacts) provenance files for the gotrue project, satisfying SLSA level 3 requirements. The workflow is triggered on releases and can be manually dispatched.
Key changes:
- Adds SLSA provenance generation workflow using the SLSA framework's generic generator
- Implements a two-job workflow: one for building artifacts and computing their hashes, another for generating and publishing provenance
- Configures proper permissions for signing provenance and uploading release assets
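The digest step the overview describes (hash the built artifacts, base64-encode the `sha256sum` output as a single line, hand it to the provenance job) as an added example; this is not the PR's workflow code. It assumes GNU coreutils (`base64 -w0`, `base64 -d`) as found on ubuntu runners, and uses a glob check instead of parsing `ls`, plus a decode-side check of the list a consumer would receive.

```shell
#!/bin/sh
# Added example, not the PR's workflow: build the base64-encoded `sha256sum`
# subject list that the SLSA generic generator's provenance job consumes,
# without parsing `ls`, plus a decode-side format check. Assumes GNU coreutils
# (`base64 -w0`, `base64 -d`), as on ubuntu runners.
set -eu

# Hash every file in DIR matching glob PATTERN and print the single-line
# base64 encoding of the `sha256sum` output. Fails if nothing matches, instead
# of silently producing a provenance with no subjects. Glob expansion keeps
# names with spaces intact, which `files=$(ls artifact*)` would split.
compute_subjects() {
  dir="$1"; pattern="$2"
  set -- "$dir"/$pattern
  if [ ! -e "$1" ]; then
    # an unmatched glob stays literal, so $1 does not exist
    echo "Error: no artifacts match $pattern in $dir" >&2
    return 1
  fi
  (cd "$dir" && set -- $pattern && sha256sum "$@" | base64 -w0)
}

# Decode a subject list and check every line is "<64 lowercase hex>  <name>".
# Prints the subject count; returns 1 if the list is empty or malformed.
check_subjects() {
  decoded=$(printf '%s' "$1" | base64 -d) || return 1
  total=$(printf '%s\n' "$decoded" | grep -c . || true)
  valid=$(printf '%s\n' "$decoded" | grep -Ec '^[0-9a-f]{64}  [^/]+$' || true)
  if [ "$total" -eq 0 ] || [ "$valid" -ne "$total" ]; then
    echo "Error: malformed subject list" >&2
    return 1
  fi
  echo "$valid"
}

# Constructed sample artifacts (stand-ins for real build output).
workdir=$(mktemp -d)
printf 'artifact1\n' > "$workdir/artifact1"
printf 'artifact2\n' > "$workdir/artifact2"
subjects=$(compute_subjects "$workdir" 'artifact*')
echo "digests=$subjects"                         # the key=value line for GITHUB_OUTPUT
echo "subjects: $(check_subjects "$subjects")"   # subjects: 2
rm -rf "$workdir"
```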
| # List the artifacts the provenance will refer to. | ||
| files=$(ls artifact*) | ||
| # Generate the subjects (base64 encoded). | ||
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" |
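Review bot: `files=$(ls artifact*)` followed by an unquoted `$files` parses `ls` output and word-splits it, so an artifact name containing whitespace would be hashed as several nonexistent paths and the step would fail under the `set -euo pipefail` in effect for this script; pass the glob straight to the hasher instead, `sha256sum artifact* | base64 -w0`, which keeps each expanded name as one argument. Also note that `base64 -w0` is GNU coreutils syntax, fine on ubuntu runners but not on macOS ones, so the runner choice should stay explicit.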
The output variable name is inconsistent. The job output is named digests (line 23) but here it's being set as hashes. This should be digests=$(sha256sum $files | base64 -w0) to match the expected output name.
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" |
| - name: Build artifacts | ||
| run: | | ||
| # These are some amazing artifacts. | ||
| echo "artifact1" > artifact1 | ||
| echo "artifact2" > artifact2 |
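Review bot: the two `echo` lines in `Build artifacts` write fixed strings rather than producing the gotrue binary, so the digests derived from `artifact*` will describe placeholder files and not any asset a consumer could download and verify; since a verifier matches a release asset to the provenance by its sha256 subject, the files produced in this step must be the exact bytes later attached to the release, and the build should run from the checked-out release ref in this same job so the hashes cover what was actually built.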
This appears to be placeholder code for building artifacts. For this Go project (gotrue), the build step should actually compile the Go binary. Consider replacing this with something like:
make build
# or
go build -ldflags "-X github.com/netlify/gotrue/cmd.Version=${{ github.sha }}" -o gotrue
Then update the hash generation step to reference the actual binary artifact(s) instead of artifact*.
| set -euo pipefail | ||
| # List the artifacts the provenance will refer to. | ||
| files=$(ls artifact*) |
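Review bot: with `set -euo pipefail` in force, `ls artifact*` aborts the step the moment the glob matches nothing, so any explicit emptiness check placed after it can only run if the `ls` failure is suppressed first; but `2>/dev/null || true` also hides permission and I/O errors from `ls`. A `for f in artifact*` loop guarded by `[ -e "$f" ]` (or `shopt -s nullglob` with a bash array) tells "no match" apart from "ls failed" without parsing `ls` at all.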
Using ls with glob patterns can fail if no files match the pattern, which would cause the workflow to fail. Consider adding error handling or using a more explicit file list. For example:
files=$(ls artifact* 2>/dev/null || true)
if [ -z "$files" ]; then
echo "Error: No artifacts found"
exit 1
fi
Or better yet, explicitly list the files to hash once the actual build artifacts are defined.
| files=$(ls artifact*) | |
| files=$(ls artifact* 2>/dev/null || true) | |
| if [ -z "$files" ]; then | |
| echo "Error: No artifacts found" | |
| exit 1 | |
| fi |