| 1 | +--- |
| 2 | +title: Use Chainloop to attest GitHub Releases |
| 3 | +--- |
| 4 | + |
| 5 | +# Chainloop reusable workflow for GitHub Releases |
| 6 | + |
| 7 | +You can use Chainloop to attest and collect pieces of evidence from your GitHub Releases. That includes |
| 8 | +all assets on the GitHub Release page, such as binaries and source code. Additionally, you can attest |
| 9 | +any other additional materials that are not part of the GitHub Release page. |
| 10 | + |
| 11 | +## Prerequisites |
| 12 | + |
| 13 | +There are some prerequisites to use this reusable workflow: |
| 14 | +- You need to have an existing familiarity with Chainloop and its attestation process. Please refer to [this guide](https://docs.chainloop.dev/getting-started/attestation-crafting) to learn more. |
| 15 | +- You need a `token` [previously generated](https://docs.chainloop.dev/reference/operator/api-tokens) by your Chainloop administrator. |
| 16 | +- You need to have a GitHub repository with a release that you want to attest. |
| 17 | +- You need to have a `cosign` key and passphrase to sign the attestation. |
| 18 | +- Permissions `contents:write` if you wish to update the release notes with the Chainloop attestation link. |
| 19 | + |
| 20 | +Optionally you need to have a workflow created in Chainloop to store the attestation, if not provided, the workflow will be created automatically. |
| 21 | + |
| 22 | + |
| 23 | +## Where to find the reusable workflow |
| 24 | +The reusable workflow can be found under a public repository in the Chainloop's labs GitHub organization. You can find the workflow [here](https://github.com/chainloop-dev/labs/blob/main/.github/workflows/chainloop_github_release.yml) |
| 25 | + |
| 26 | +## How to use the reusable workflow |
| 27 | +Create a brand-new GitHub workflow file in your repository and add the following content: |
| 28 | + |
| 29 | +```yaml |
| 30 | +name: Release |
| 31 | + |
| 32 | +on: |
| 33 | + release: |
| 34 | + types: [published] |
| 35 | + |
| 36 | +permissions: |
| 37 | + contents: write |
| 38 | + |
| 39 | +jobs: |
| 40 | + github_release: |
| 41 | + name: Attest GitHub Release |
| 42 | + uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb |
| 43 | + with: |
| 44 | + project: "acme-team-project" |
| 45 | + workflow_name: "github-release-workflow" |
| 46 | + secrets: |
| 47 | + api_token: ${{ secrets.CHAINLOOP_API_TOKEN }} |
| 48 | + cosign_key: ${{ secrets.COSIGN_KEY }} |
| 49 | + cosign_password: ${{ secrets.COSING_PASSWORD }} |
| 50 | +``` |
| 51 | +
|
| 52 | +This workflow will trigger every time a new release is published in your repository. It will collect all the assets from the release page and attest them using Chainloop. The attestation will be stored in the workflow you specify in the `workflow_name` field. |
| 53 | +There are some parameters that you need to provide: |
| 54 | +- `workflow_name`: The name of the workflow in Chainloop where the attestation will be stored. |
| 55 | +- `api_token`: The Chainloop API token to authenticate with the Chainloop API. |
| 56 | +- `cosign_key`: The path to the `cosign` key file. |
| 57 | +- `cosign_password`: The passphrase for the `cosign` key. |
| 58 | + |
| 59 | +## How to additional materials |
| 60 | +If you want to attest additional materials that are not part of the GitHub Release page, you can use the `additional_materials` input. For example: |
| 61 | + |
| 62 | +```yaml |
| 63 | +name: Release with additional materials |
| 64 | +
|
| 65 | +on: |
| 66 | + release: |
| 67 | + types: [published] |
| 68 | +
|
| 69 | +permissions: |
| 70 | + contents: write |
| 71 | +
|
| 72 | +jobs: |
| 73 | + github_release: |
| 74 | + name: Attest GitHub Release |
| 75 | + uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb |
| 76 | + with: |
| 77 | + project: "acme-team-project" |
| 78 | + workflow_name: "github-release-workflow" |
| 79 | + additional_materials: "controlplane.cyclonedx.json,ghcr.io/acme-team/acme-project:latest" |
| 80 | + secrets: |
| 81 | + api_token: ${{ secrets.CHAINLOOP_API_TOKEN }} |
| 82 | + cosign_key: ${{ secrets.COSIGN_KEY }} |
| 83 | + cosign_password: ${{ secrets.COSING_PASSWORD }} |
| 84 | +``` |
| 85 | +A new input `additional_materials` is added to the workflow. You can provide a comma-separated list of materials that you want to attest. Chainloop will collect these materials and add them to the attestation |
| 86 | +auto discovering their types and if cannot be inferred, they will be set as `ARTIFACT`. |
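Review bot: the secret name on lines 49 and 83, `secrets.COSING_PASSWORD`, looks like a typo for `COSIGN_PASSWORD`; a reference to a secret that does not exist resolves to an empty string, so anyone who copies this snippet will hand the reusable workflow an empty passphrase and signing will fail at runtime with no hint that the name was wrong. Fix both occurrences and consider listing the three secret names (`CHAINLOOP_API_TOKEN`, `COSIGN_KEY`, `COSIGN_PASSWORD`) explicitly in the prerequisites so the names are stated once. The heading on line 59, "How to additional materials", is missing its verb ("How to attest additional materials"). The parameter list on lines 53-57 omits `project`, which both examples set; either document it or drop it from the snippets. Line 56 describes `cosign_key` as "the path to the `cosign` key file", but the examples pass it from a repository secret, so say whether the input expects the key material itself or a path. Finally, line 18 says `contents: write` is only needed to update the release notes, yet both examples grant it unconditionally; state the minimum permission for the plain attest-only case so users do not grant write access to repository contents when they do not need it. Pinning the reusable workflow to a full commit SHA (lines 42 and 75) is the right call; a trailing comment with the corresponding tag or date would help readers verify which version that SHA corresponds to.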