Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

workflows: actions/attest-build-provenance #3225

Merged
merged 6 commits into from
Dec 29, 2024
Merged

workflows: actions/attest-build-provenance #3225

merged 6 commits into from
Dec 29, 2024

Conversation

lectrical
Copy link
Contributor

Adding https://github.com/actions/attest-build-provenance to the ci builds so that the release assets and docker image for the next release tag generate signed build provenance attestations for workflow artifacts.

@lectrical
workflows: actions/attest-build-provenance
67cf80d 
Provide Github provenance for release assets cretaed during a workflow.
@lectrical
Copy link
Contributor Author

@itchyny I deleted my previous for, which automatically closed the PR, as it is having a problem I cannot account for. Even after deleting and forking the issue persists.

On lectrical/jq when pushing a new tag it will fail at the docker build push step with a 403 that makes no sense.

https://github.com/lectrical/jq/actions/runs/12521449413/job/34928540814

This error was not present at first, It started at one point, I think after me deleting the packages.

I had to make a new test account to apply the change and push a tag to show it works as expected.

https://github.com/testimus-maximus/jq/actions/runs/12521528350

This is failing on downloading artifacts for some reason but that's not related to the changes made.

These were the changes you requested and it does work.

itchyny
itchyny reviewed Dec 27, 2024
View reviewed changes
.github/workflows/ci.yml Outdated Show resolved Hide resolved
@itchyny
Copy link
Contributor

itchyny commented Dec 27, 2024

Okay, I'll test on my fork later.

@lectrical
Copy link
Contributor Author

@itchyny will do, but also, perhaps an upcoming issue.

Looking my failing test repo with debug mode https://github.com/testimus-maximus/jq/actions/runs/12521528350/job/34929105623

I came across this potential issue docker/build-push-action#1167

An issue with docker/build-push-action@v6 and the way the way actions/download-artifact@v4 is configured.

Can you confirm?

@lectrical
Copy link
Contributor Author

So i believe this commit fixes the issues.

82af8d2

with:
  pattern: jq-*

Telling the artifact downloader to be more specific and not grab things it does not care about (docker stuff) seems like a valid way to not encounter the issue? All binary artifacts are uploaded with the name prefix jq- so using pattern: jq-* works.

The permission is a curious one as guess it's a related to the default permissions of a new repo/fork as seen here

https://github.com/testimus-maximus/jq/actions/runs/12522038351/job/34929986320#step:7:51

It was caused by the Update Signatures step and solved by adding actions: write to the release job.

Here is a full release workflow successfully completed.

https://github.com/testimus-maximus/jq/actions/runs/12522119122

Docker: https://github.com/testimus-maximus/jq/attestations/4133797

Release assets: https://github.com/testimus-maximus/jq/attestations/4133808

itchyny
itchyny reviewed Dec 28, 2024
View reviewed changes
.github/workflows/ci.yml Outdated Show resolved Hide resolved
@lectrical
Copy link
Contributor Author

One last confirmation the test repo outcome is good:

curl -sLO https://github.com/testimus-maximus/jq/releases/download/jq-1.8.5/jq-linux-amd64
gh attestation verify jq-linux-amd64 -o testimus-maximus

Will give a result like this.

Loaded digest sha256:5ba0e1ce3a3c72caff4117c2b68cbac2b8062ba59938b2cc3ef7a37541fe16ce for file://jq-linux-amd64
Loaded 2 attestations from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/testimus-maximus
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/testimus-maximus/

✓ Verification succeeded!

sha256:5ba0e1ce3a3c72caff4117c2b68cbac2b8062ba59938b2cc3ef7a37541fe16ce was attested by:
REPO                 PREDICATE_TYPE                  WORKFLOW
testimus-maximus/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.8.5
testimus-maximus/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.8.5

@itchyny
Copy link
Contributor

itchyny commented Dec 29, 2024

Thank you. I confirmed the commit d2762b7 working on my fork.

 $ gh attestation verify jq-linux64 -o itchyny    
Loaded digest sha256:39eeab56bbf9021a00c46ffb815edd9a113f1c0977c27d8a4e19cb2c19147878 for file://jq-linux64
Loaded 2 attestations from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/itchyny
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/itchyny/

✓ Verification succeeded!

sha256:39eeab56bbf9021a00c46ffb815edd9a113f1c0977c27d8a4e19cb2c19147878 was attested by:
REPO        PREDICATE_TYPE                  WORKFLOW                                     
itchyny/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.7.1a4
itchyny/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.7.1a4

 $ gh attestation verify jq-1.7.1a4.zip -o itchyny     
Loaded digest sha256:e37342721748b6b73b01dbb885b08fb2b18413d12a46acccb3bfffb89c1f45fc for file://jq-1.7.1a4.zip
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/itchyny
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/itchyny/

✓ Verification succeeded!

sha256:e37342721748b6b73b01dbb885b08fb2b18413d12a46acccb3bfffb89c1f45fc was attested by:
REPO        PREDICATE_TYPE                  WORKFLOW                                     
itchyny/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.7.1a4

 $ gh attestation verify oci://ghcr.io/itchyny/jq:1.7.1a4 -R itchyny/jq 
Loaded digest sha256:b03466ed41393691c1975ba30a4f239d63283f88f9ad72d0ea81d0ea3b4b30f1 for oci://ghcr.io/itchyny/jq:1.7.1a4
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
- Source Repository Owner URI must match:... https://github.com/itchyny
- Source Repository URI must match:......... https://github.com/itchyny/jq
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Subject Alternative Name must match regex: (?i)^https://github.com/itchyny/jq/

✓ Verification succeeded!

sha256:b03466ed41393691c1975ba30a4f239d63283f88f9ad72d0ea81d0ea3b4b30f1 was attested by:
REPO        PREDICATE_TYPE                  WORKFLOW                                     
itchyny/jq  https://slsa.dev/provenance/v1  .github/workflows/ci.yml@refs/tags/jq-1.7.1a4

@itchyny itchyny merged commit bcbf2b4 into jqlang:master Dec 29, 2024
28 checks passed
@lectrical
Copy link
Contributor Author

nice and thanks for the review.

@itchyny itchyny added this to the 1.8 release milestone Dec 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@itchyny itchyny itchyny approved these changes

Assignees
No one assigned
Labels
Github Actions
Projects
None yet
Milestone
1.8 release
Development

Successfully merging this pull request may close these issues.
2 participants
@lectrical @itchyny