Add goreleaser, sboms, slsa3, sigstore and homebrew support (#1315)

* add goreleaser, sboms, slsa3, sigstore and homebrew support Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com> * fix env vars for ldflags Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com> * use commit date for ldflags Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com> * allow slsa generator to run for private repo Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com> --------- Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
mindersec · Oct 30, 2023 · 7fa1be1 · 7fa1be1
1 parent 973f103
commit 7fa1be1
Show file tree

Hide file tree

Showing 9 changed files with 236 additions and 281 deletions.
diff --git a/.github/workflows/releaser.yml b/.github/workflows/releaser.yml
@@ -0,0 +1,154 @@
+#
+# Copyright 2023 Stacklok, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# This workflow compiles your mediator server and medic using a SLSA3 compliant
+# build and then verifies the provenance of the built artifacts.
+# It releases the following architectures: amd64, arm64, and armv7 on Linux, 
+# Windows, and macOS.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: Release
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+permissions:
+  contents: write
+
+jobs:
+  ldflags_args:
+    runs-on: ubuntu-latest
+    outputs:
+      commit-date: ${{ steps.ldflags.outputs.commit-date }}
+      commit: ${{ steps.ldflags.outputs.commit }}
+      version: ${{ steps.ldflags.outputs.version }}
+      tree-state: ${{ steps.ldflags.outputs.tree-state }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          echo "::set-output name=commit-date::$(git log --date=iso8601-strict -1 --pretty=%ct)"
+          echo "::set-output name=commit::$GITHUB_SHA"
+          echo "::set-output name=version::$(git describe --tags --always --dirty | cut -c2-)"
+          echo "::set-output name=tree-state::$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)"
+  release:
+    name: Build and release
+    needs:
+      - ldflags_args
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    permissions:
+      contents: write # To add assets to a release.
+      id-token: write # To do keyless signing with cosign
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup Go
+        uses: actions/setup-go@v4
+        with:
+          go-version-file: 'go.mod'
+      - name: Install Syft
+        uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.1.1
+        with:
+          cosign-release: 'v2.1.1'
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@v5
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
+          VERSION: ${{ needs.ldflags_args.outputs.version }}
+          COMMIT: ${{ needs.ldflags_args.outputs.commit }}
+          COMMIT_DATE: ${{ needs.ldflags_args.outputs.commit-date }}
+          TREE_STATE: ${{ needs.ldflags_args.outputs.tree-state }}
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
+          if test "$hashes" = ""; then # goreleaser < v1.13.0
+            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+            hashes=$(cat $checksum_file | base64 -w0)
+          fi
+          echo "hashes=$hashes" >> $GITHUB_OUTPUT
+  provenance:
+    name: Generate provenance (SLSA3)
+    needs:
+      - release
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: true # upload to a new release
+      private-repository: true # remove this line after going public
+  verification:
+    name: Verify provenance of assets (SLSA3)
+    needs:
+      - release
+      - provenance
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      - name: Install the SLSA verifier
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
+      - name: Download assets
+        env:
+          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          CHECKSUMS: "${{ needs.release.outputs.hashes }}"
+          ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Downloading $fn"
+              gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
+          done <<<"$checksums"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+      - name: Verify assets
+        env:
+          CHECKSUMS: "${{ needs.release.outputs.hashes }}"
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+              echo "Verifying SLSA provenance for $fn"
+              slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+                                            --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                            --source-tag "$GITHUB_REF_NAME" \
+                                            "$fn"
+          done <<<"$checksums"
diff --git a/.github/workflows/slsa-go-releaser.yml b/.github/workflows/slsa-go-releaser.yml
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -0,0 +1,82 @@
+# This is an example .goreleaser.yml file with some sensible defaults.
+# Make sure to check the documentation at https://goreleaser.com
+
+# The lines bellow are called `modelines`. See `:help modeline`
+# Feel free to remove those if you don't want/need to use them.
+# yaml-language-server: $schema=https://goreleaser.com/static/schema.json
+# vim: set ts=2 sw=2 tw=0 fo=cnqoj
+project_name: medic
+before:
+  hooks:
+    - go mod tidy
+    - go generate ./...
+# This section defines the build matrix.
+builds:
+  - env:
+      - GO111MODULE=on
+      - CGO_ENABLED=0
+    flags:
+      - -trimpath
+      - -tags=netgo
+    ldflags:
+      - "-X main.Version={{ .Env.VERSION }}"
+      - "-X main.Commit={{ .Env.COMMIT }}"
+      - "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
+      - "-X main.TreeState={{ .Env.TREE_STATE }}"
+    goos:
+      - linux
+      - windows
+      - darwin
+    goarch:
+      - amd64
+      - arm64
+    main: ./cmd/cli
+# This section defines the release format.
+archives:
+  - format: tar.gz # we can use binary, but it seems there's an issue where goreleaser skips the sboms
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}" # "{{ .Binary }}-{{ .Os }}-{{ .Arch }}"
+    format_overrides:
+      - goos: windows
+        format: zip
+# This section defines how to release to homebrew.
+brews:
+  - homepage: 'https://github.com/stacklok/mediator'
+    description: 'Medic is the client CLI for interacting with Mediator by Stacklok.'
+    folder: Formula
+    commit_author:
+      name: 'Stacklok, Inc.'
+      email: contact@stacklok.com
+    repository:
+      owner: stacklok
+      name: homebrew-tap
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    test: |
+      system "#{bin}/medic --help"
+# This section defines whether we want to release the source code too.
+source:
+  enabled: true
+# This section defines how to generate the changelog
+changelog:
+  sort: asc
+  use: github
+# This section defines for which artifact types to generate SBOMs.
+sboms:
+  - artifacts: archive
+# This section defines the release policy.
+release:
+  # If set to auto, will mark the release as not ready for production
+  # in case there is an indicator for this in the tag e.g. v1.0.0-rc1
+  prerelease: auto
+  github:
+    owner: stacklok
+    name: mediator
+# This section defines how and which artifacts we want to sign for the release.
+signs:
+  - cmd: cosign
+    args:
+      - "sign-blob"
+      - "--output-signature=${signature}"
+      - "${artifact}"
+      - "--yes" # needed on cosign 2.0.0+
+    artifacts: archive
+    output: true
diff --git a/.slsa-goreleaser/darwin-amd64.yml b/.slsa-goreleaser/darwin-amd64.yml
diff --git a/.slsa-goreleaser/darwin-arm64.yml b/.slsa-goreleaser/darwin-arm64.yml