diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6fdf2c4..a7a7487 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,6 +13,7 @@ jobs: permissions: contents: write # create the GitHub release id-token: write # keyless cosign signing via OIDC + attestations: write # write SLSA build provenance attestations steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7 with: @@ -41,3 +42,29 @@ jobs: args: release --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Attest build provenance + id: attest + uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2 + with: + # Attest the distributable archives and native packages GoReleaser + # produced. This records a signed, verifiable statement that these + # artifacts were built from this commit by this workflow, checkable + # with `gh attestation verify`. + subject-path: | + dist/*.tar.gz + dist/*.zip + dist/*.deb + dist/*.rpm + dist/*.apk + - name: Attach provenance to the release + # attest-build-provenance stores the attestation in GitHub's attestation + # store, which the OpenSSF Scorecard signed-releases check does not read. + # It scans release assets by name, so attach the provenance bundle as a + # *.intoto.jsonl asset for it (and any downstream verifier) to find. + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TAG: ${{ github.ref_name }} + BUNDLE: ${{ steps.attest.outputs.bundle-path }} + run: | + cp "$BUNDLE" flynn.intoto.jsonl + gh release upload "$TAG" flynn.intoto.jsonl --clobber diff --git a/go.mod b/go.mod index a052864..b45e830 100644 --- a/go.mod +++ b/go.mod @@ -42,7 +42,7 @@ require ( github.com/x448/float16 v0.8.4 // indirect golang.design/x/x11 v0.2.0 // indirect golang.org/x/exp/shiny v0.0.0-20250606033433-dcc06ee1d476 // indirect - golang.org/x/image v0.41.0 // indirect + golang.org/x/image v0.43.0 // indirect golang.org/x/mobile v0.0.0-20250606033058-a2a15c67f36f // indirect golang.org/x/sync v0.21.0 // indirect modernc.org/libc v1.73.4 // indirect diff --git a/go.sum b/go.sum index bf37b24..1fda93b 100644 --- a/go.sum +++ b/go.sum @@ -76,8 +76,8 @@ golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto= golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio= golang.org/x/exp/shiny v0.0.0-20250606033433-dcc06ee1d476 h1:Wdx0vgH5Wgsw+lF//LJKmWOJBLWX6nprsMqnf99rYDE= golang.org/x/exp/shiny v0.0.0-20250606033433-dcc06ee1d476/go.mod h1:ygj7T6vSGhhm/9yTpOQQNvuAUFziTH7RUiH74EoE2C8= -golang.org/x/image v0.41.0 h1:8wS72eGJMJaBxK6okTzd4WaXumUlTVlb753MlsSvTCo= -golang.org/x/image v0.41.0/go.mod h1:uIc348UZMSvS5Z65CVZ7iDPaNobNFEPeJ4kbqTOszmA= +golang.org/x/image v0.43.0 h1:FLxcP4ec2350nTfOC8ysKtqYSIFbk/QGjw1ZHNP4tsY= +golang.org/x/image v0.43.0/go.mod h1:rrpelvGFt+kLPAjPM4HeWPgrl0FtafueU//e5N0qk/Q= golang.org/x/mobile v0.0.0-20250606033058-a2a15c67f36f h1:/n+PL2HlfqeSiDCuhdBbRNlGS/g2fM4OHufalHaTVG8= golang.org/x/mobile v0.0.0-20250606033058-a2a15c67f36f/go.mod h1:ESkJ836Z6LpG6mTVAhA48LpfW/8fNR0ifStlH2axyfg= golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=