ci: add release artifact attestation

ChristianGalla · web-flow · commit 24dfe3c3ca54 · 2025-01-02T18:31:44.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,10 +2,25 @@ name: Build & Test
 
 on:
   workflow_call:
+    inputs:
+      attestation:
+        type: boolean
+        description: 'Attest artifacts'
+        required: false
+        default: false
     outputs:
       version_number:
-          description: "Build version number"
-          value: ${{ jobs.build.outputs.version_number }}
+        description: "Build version number"
+        value: ${{ jobs.build.outputs.version_number }}
+      setup_attestation_url:
+        description: "Setup attestation url"
+        value: ${{ jobs.build.outputs.setup_attestation_url }}
+      sbom_framework_dependent_attestation_url:
+        description: "SBOM framework dependent attestation url"
+        value: ${{ jobs.build.outputs.sbom_framework_dependent_attestation_url }}
+      sbom_standalone_attestation_url:
+        description: "SBOM standalone attestation url"
+        value: ${{ jobs.build.outputs.sbom_standalone_attestation_url }}
   push:
     branches: [ master ]
     paths:
@@ -23,12 +38,20 @@ on:
       - 'AutoStartConfirmTests/**'
       - '.github/workflows/**'
 
+permissions:
+  id-token: write
+  contents: read
+  attestations: write
+  
 jobs:
   build:
     runs-on: windows-latest
     
     outputs:
-      version_number: ${{ steps.get-version-number.outputs.version_number }}
+      version_number: ${{ steps.get-version-number.outputs.version_number }}      
+      setup_attestation_url: ${{ steps.setup-attestation.outputs.attestation-url }}
+      sbom_framework_dependent_attestation_url: ${{ steps.sbom-framework-dependent-attestation.outputs.attestation-url }}
+      sbom_standalone_attestation_url: ${{ steps.sbom-standalone-attestation.outputs.attestation-url }}
 
     steps:
     - uses: actions/checkout@v4
@@ -96,3 +119,40 @@ jobs:
         name: AutoStartConfirmSetup
         path: build\publish\*.msi
         if-no-files-found: error
+
+    - name: Generate framework dependent SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        artifact-name: FrameworkDependent.sbom.spdx.json
+        output-file: FrameworkDependent.sbom.spdx.json
+        file: ./Build/publish/Release_FrameworkDependent_win-x64/AutoStartConfirm.deps.json
+
+    - name: Generate standalone SBOM
+      uses: anchore/sbom-action@v0
+      with:
+        artifact-name: Standalone.sbom.spdx.json
+        output-file: Standalone.sbom.spdx.json
+        file: ./Build/publish/Release_Standalone_win-x64/AutoStartConfirm.deps.json
+        
+    - name: Generate artifact attestation
+      if: ${{ inputs.attestation }}
+      id: setup-attestation
+      uses: actions/attest-build-provenance@v2
+      with:
+        subject-path: build\publish\*.msi
+        
+    - name: Generate framework dependent SBOM attestation
+      if: ${{ inputs.attestation }}
+      id: sbom-framework-dependent-attestation
+      uses: actions/attest-sbom@v1
+      with:
+        subject-path: build\publish\AutoStartConfirmSetup_FrameworkDependent.msi
+        sbom-path: FrameworkDependent.sbom.spdx.json
+        
+    - name: Generate standalone SBOM attestation
+      if: ${{ inputs.attestation }}
+      id: sbom-standalone-attestation
+      uses: actions/attest-sbom@v1
+      with:
+        subject-path: build\publish\AutoStartConfirmSetup_Standalone.msi
+        sbom-path: Standalone.sbom.spdx.json
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
@@ -3,9 +3,16 @@ name: Create release
 on:
   workflow_dispatch:
 
+permissions:
+  attestations: write
+  contents: write
+  id-token: write
+  
 jobs:
   build:
     uses: ./.github/workflows/ci.yml
+    with:
+      attestation: true
   
   create_release:
     needs: build
@@ -17,16 +24,26 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         
-      - name: Download build artifact
+      - name: Download setup artifact
         uses: actions/download-artifact@v4.1.8
         with:
           name: AutoStartConfirmSetup
+        
+      - name: Download framework dependent SBOM artifact
+        uses: actions/download-artifact@v4.1.8
+        with:
+          name: FrameworkDependent.sbom.spdx.json
+        
+      - name: Download standalone SBOM artifact
+        uses: actions/download-artifact@v4.1.8
+        with:
+          name: Standalone.sbom.spdx.json
           
       - name: Create tag and release
         run: |
           $v = "${{needs.build.outputs.version_number}}" -split "\."
           $semver = ($v | Select-Object -SkipLast 1) -join "."
-          gh release create "v$semver" -d -p --title "$semver" --generate-notes AutoStartConfirmSetup_Standalone.msi AutoStartConfirmSetup_FrameworkDependent.msi
+          gh release create "v$semver" -d -p --title "$semver" --generate-notes AutoStartConfirmSetup_Standalone.msi AutoStartConfirmSetup_FrameworkDependent.msi Standalone.sbom.spdx.json FrameworkDependent.sbom.spdx.json
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         shell: pwsh        
