Commit 10dbe42

Add GH attestation on release
Signed-off-by: Viacheslav Kudinov <[email protected]>
1 parent b44485e commit 10dbe42

2 files changed, +50 -0 lines changed

.github/workflows/release.yml

Lines changed: 5 additions & 0 deletions
@@ -43,3 +43,8 @@ jobs:
4343
# GitHub sets the GITHUB_TOKEN secret automatically.
4444
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
4545
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
46+
47+
- name: Generate artifact attestations
48+
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
49+
with:
50+
subject-path: 'dist/terraform-provider-github_*.zip'
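Review bot: the new attestation step requires the job to grant `id-token: write` and `attestations: write` (alongside `contents: read`), and no `permissions:` change is visible in this hunk; if the release job does not already declare those, add a `permissions:` block, otherwise `actions/attest-build-provenance` fails when it requests the OIDC token. Pinning the action to a full commit SHA with the `# v3.0.0` comment is the right choice for a supply-chain control. Note also that `subject-path: 'dist/terraform-provider-github_*.zip'` attests only files matching that glob, so anything else produced into `dist/` ships without provenance; that is consistent with the warning added in VERIFY_ATTESTATIONS.md, but it is worth stating there explicitly which artifacts are covered.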

VERIFY_ATTESTATIONS.md

Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,45 @@
1+
## Using artifact attestations to achieve SLSA v1 Build Level 3
2+
3+
This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project.
4+
5+
### Verifying artifact attestations built with a reusable workflow
6+
7+
To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI.
8+
9+
The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it. These flags do two things.
10+
11+
> [!NOTE]
12+
> Make sure to replace vX.Y.Z with the actual release tag you want to verify.
13+
14+
> [!WARNING]
15+
> Not all artifacts may have attestations generated for them. Please check the [attestations](https://github.com/integrations/terraform-provider-github/attestations) page for this repository to see which artifacts have attestations available.
16+
17+
Download the release artifacts first:
18+
19+
```bash
20+
gh release download vX.Y.Z -R integrations/terraform-provider-github -p "*.zip"
21+
```
22+
23+
To verify the artifact attestations for this project, you can run the following command:
24+
25+
```bash
26+
gh attestation verify --repo integrations/terraform-provider-github terraform-provider-github_X.Y.Z_darwin_amd64.zip
27+
```
28+
29+
### Using optional flags
30+
31+
The `gh attestation verify` command supports additional flags for more specific verification:
32+
33+
Use the `--signer-repo` flag to specify the repository:
34+
35+
```bash
36+
gh attestation verify --owner integrations --signer-repo integrations/terraform-provider-github \
37+
terraform-provider-github_X.Y.Z_darwin_amd64.zip
38+
```
39+
40+
If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used.
41+
42+
```bash
43+
gh attestation verify --owner integrations --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yml \
44+
terraform-provider-github_X.Y.Z_darwin_amd64.zip
45+
```
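Review bot: the sentence "These flags do two things." is left hanging, with nothing following that says what the two things are; either spell them out or drop the sentence. The section heading says "built with a reusable workflow", but the release.yml change on this page attests from an ordinary job step in this repository, so the `--repo integrations/terraform-provider-github` form is the one most readers need; the `--signer-repo` and `--signer-workflow` examples are fine as optional stricter checks, but the lead-in for `--signer-repo` ("to specify the repository") should say that it constrains the repository of the signing workflow, which is what distinguishes it from `--repo`. Minor: the NOTE tells readers to replace `vX.Y.Z`, while the verify commands use `X.Y.Z` inside the filename; say that both placeholders stand for the same release version.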
