auyer
diff --git a/‎.github/workflows/publish.yaml‎
Lines changed: 51 additions & 21 deletions b/‎.github/workflows/publish.yaml‎
Lines changed: 51 additions & 21 deletions
diff --git a/‎.github/workflows/scorecard.yaml‎
Lines changed: 79 additions & 0 deletions b/‎.github/workflows/scorecard.yaml‎
Lines changed: 79 additions & 0 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 10 additions & 10 deletions b/‎Cargo.lock‎
Lines changed: 10 additions & 10 deletions
diff --git a/‎README.md‎
Lines changed: 34 additions & 8 deletions b/‎README.md‎
Lines changed: 34 additions & 8 deletions
diff --git a/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion b/‎SECURITY.md‎
Lines changed: 1 addition & 1 deletion
@@ -14,6 +14,7 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
+      attestations: write # add slsa attestations
     name: "Build and Publish Release"
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
@@ -59,32 +60,27 @@ jobs:
       - name: Run cargo build
         run: cargo build --release
 
-      # Generate the hashes for Provenance
-      - name: Generate subject
-        id: hash
-        run: |
-          set -euo pipefail
-          echo "hashes=$(sha256sum ./target/release/protonup-rs | base64 -w0)" >> "$GITHUB_OUTPUT"
-
       - name: Run cargo-deb to build a debian package
         run: cargo-deb -p protonup-rs --compress-type gzip --deb-version $CURRENT_VERSION
 
       - name: Run Alient to convert the DEB package into a RPM package
         run: |
           cd target/debian
           alien -k --to-rpm protonup-rs_${{ env.CURRENT_VERSION }}_amd64.deb
+          # move all artifacts to the release folder
+          mv *.deb *.rpm ../release/
 
-      - name: Compress binary release artefacts
+      - name: Compress binary release artifacts
         run: |
           cd ./target/release
           zip protonup-rs-linux-amd64.zip protonup-rs
           tar -czvf protonup-rs-linux-amd64.tar.gz protonup-rs
 
-      - name: Upload Ziped,Tar gzed, DEB and RPM binaries to release
+      - name: Upload Zipped,Tar gzed, DEB and RPM binaries to release
         uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd #v2.9.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
-          file: 'target/{release,debian}/protonup-rs**.{gz,zip,rpm,deb}'
+          file: 'target/release/protonup-rs**.{gz,zip,rpm,deb}'
           tag: v${{ env.CURRENT_VERSION }}
           overwrite: true
           file_glob: true
@@ -118,14 +114,48 @@ jobs:
             cargo publish -p protonup-rs
           fi
 
-provenance:
-  needs: [build]
-  permissions:
-    actions: read # To read the workflow path.
-    id-token: write # To sign the provenance.
-    contents: write # To add assets to a release.
-  uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
-  with:
-    base64-subjects: "${{ needs.build.outputs.hashes }}"
-    upload-assets: true
-    upload-tag-name: v${{ env.CURRENT_VERSION }}
+      # outputs version
+      - name: Output Tag Name
+        id: published_version
+        run: |
+          set -euo pipefail
+          echo "published_version=v$CURRENT_VERSION" >> "$GITHUB_OUTPUT"
+
+      # Generate the hashes for Provenance
+      - name: Generate hashes
+        id: hash
+        run: |
+          cd target/release/
+          sha256sum $(echo *.zip *.deb *.rpm *.gz ) | base64 -w0 > sha256sums.txt
+          echo "hashes=$(cat sha256sums.txt )" >> "$GITHUB_OUTPUT"
+
+      - name: Upload sha256sums
+        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd #v2.9.0
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          file: 'target/release/sha256sums.txt'
+          tag: v${{ env.CURRENT_VERSION }}
+          overwrite: true
+          file_glob: true
+          draft: true
+
+      - uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-path: |
+            target/release/protonup-rs*.gz
+            target/release/protonup-rs*.zip
+            target/release/protonup-rs*.deb
+            target/release/protonup-rs*.rpm
+
+  provenance:
+    needs: [release]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+      attestations: write # add slsa attestations
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ needs.release.outputs.published_version }}
@@ -0,0 +1,79 @@
+# This workflow uses actions that are not certified by GitHub. They are provided
+# by a third-party and are governed by separate terms of service, privacy
+# policy, and support documentation.
+
+name: Scorecard supply-chain security
+on:
+  # For Branch-Protection check. Only the default branch is supported. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection
+  branch_protection_rule:
+  # To guarantee Maintained check is occasionally updated. See
+  # https://github.com/ossf/scorecard/blob/main/docs/checks.md#maintained
+  schedule:
+    - cron: '27 8 * * 5'
+  push:
+    branches: [ "main" ]
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    # `publish_results: true` only works when run from the default branch. conditional can be removed if disabled.
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      # Needed to upload the results to code-scanning dashboard.
+      security-events: write
+      # Needed to publish results and get a badge (see publish_results below).
+      id-token: write
+      # Uncomment the permissions below if installing in a private repository.
+      # contents: read
+      # actions: read
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
+          # - you want to enable the Branch-Protection check on a *public* repository, or
+          # - you are installing Scorecard on a *private* repository
+          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional.
+          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
+
+          # Public repositories:
+          #   - Publish results to OpenSSF REST API for easy access by consumers
+          #   - Allows the repository to include the Scorecard badge.
+          #   - See https://github.com/ossf/scorecard-action#publishing-results.
+          # For private repositories:
+          #   - `publish_results` will always be set to `false`, regardless
+          #     of the value entered here.
+          publish_results: true
+
+          # (Optional) Uncomment file_mode if you have a .gitattributes with files marked export-ignore
+          # file_mode: git
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+
@@ -1,18 +1,33 @@
 # Protonup-rs
 
-Lib, CLI and GUI(wip) program to automate the installation and update of Proton-GE
+Lib, CLI and GUI(wip) program to automate the installation and update of Linux Gaming Compatibility tools, like ProtonGE, Luxtorpeda, Boxtron and others.
 
 [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/10372/badge)](https://www.bestpractices.dev/projects/10372)
 
-> **NOTE**: This has no relations with the original ProtonUp project, and I am glad it was created.
-> ~~This is not nearly as feature complete as the original Protonup~~.
+> **NOTE**: This has no relations with the original ProtonUp project, and I thankful for the original author.
 >
 > I've create it because the original project had a few issues with its Python dependencies (that most likely got fixed already).
 > I wanted to to re-create it in rust, in a way it could be used as a lib and a CLI.
-> ~~If this repo gets to a stable and feature rich state, I will publish it to Cargo and other repositories.~~ I guess it got there! Thanks!
 
 [![asciicast](https://asciinema.org/a/QZ97c4yRwQ6YczTliB1ziZy5Z.svg)](https://asciinema.org/a/QZ97c4yRwQ6YczTliB1ziZy5Z)
 
+## Currently supported tools
+
+These are the tools that are currently supported by this project.
+
+| Project Name      | GitHub Repository |
+|-------------------|-------------------|
+| GEProton          | [GloriousEggroll/proton-ge-custom](https://github.com/GloriousEggroll/proton-ge-custom) |
+| WineGE            | [GloriousEggroll/wine-ge-custom](https://github.com/GloriousEggroll/wine-ge-custom) |
+| Luxtorpeda        | [luxtorpeda-dev/luxtorpeda](https://github.com/luxtorpeda-dev/luxtorpeda) |
+| Boxtron           | [dreamer/boxtron](https://github.com/dreamer/boxtron) |
+| VKD3D-Proton      | [HansKristian-Work/vkd3d-proton](https://github.com/HansKristian-Work/vkd3d-proton) |
+| Lutris-VKD3D      | [lutris/vkd3d](https://github.com/lutris/vkd3d) |
+| DXVK              | [doitsujin/dxvk](https://github.com/doitsujin/dxvk) |
+| Kron4ek Wine      | [kron4ek/Wine-Builds](https://github.com/kron4ek/Wine-Builds) |
+
+Adding new tools should be a simple process, check the docs section below!
+
 ## Usage
 
 The default way is to simply invoke the cli, and navigate the text interface.
@@ -88,18 +103,29 @@ cargo build -p protonup-rs --release
 mv ./target/release/protonup-rs "your path"
 ```
 
-## GUI
+## Docs
 
-Not ready for usage.
+Code docs available in the [docs/docs.md](./docs/docs.md) file, and default generated docs in [docs.rs/libprotonup](https://docs.rs/libprotonup/latest/libprotonup/).
 
-The GUI is in its [early stages](https://github.com/auyer/Protonup-rs/tree/feature/gui). My current plan is to develop it in the iced framework, but GUI development is not my forte.
+### Roadmap
+
+1. GUI:
+  Not ready for usage. I made a few experiments with different libs, and decided to use the iced/cosmic framework.
+  I left the [base structure](https://github.com/auyer/Protonup-rs/tree/feature/gui), and hope to get to it someday or to receive contributions.
 
 ## Feedbacks & Contributing
 
 This project accepts contributions and feedbacks from anyone.
-For feedbacks, please use GitHub Issues or Discussions. Please be polite!
+For feedbacks, please use GitHub Issues or Discussions. Please be polite ([code-of-conduct](https://www.rust-lang.org/policies/code-of-conduct)).
 
 For contributions, there aren't many rules.
 Just try to justify your changes, and try to make the pull request easy to review.
 Is is very recommended to add tests, specially for complex code.
 Thanks!
+
+### Roles and Maintainers
+
+This project is maintained only by the creator [@auyer](https://rcpassos.me)
+
+Maintaining this project does not take a lot of effort.
+The project is open to having other contributors, specially if implementing a GUI.
@@ -8,7 +8,7 @@ Due to its low risk nature, there are very few attack vectors that could take pl
 
 | Version | Supported          |
 | ------- | ------------------ |
-| 0.8.x   | :white_check_mark: |
+| 0.9.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability