Skip to content

fix(ci): add SLSA provenance to release artifacts#243

Merged
rhuanbarreto merged 1 commit into
mainfrom
fix/slsa-provenance
Apr 27, 2026
Merged

fix(ci): add SLSA provenance to release artifacts#243
rhuanbarreto merged 1 commit into
mainfrom
fix/slsa-provenance

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • Adds SLSA v1.0 provenance generation via slsa-framework/slsa-github-generator generic workflow to release-binaries.yml
  • Each platform build uploads its SHA256 digest as a GitHub Actions artifact; a combine-hashes job merges them; the provenance job calls the SLSA reusable workflow which generates .intoto.jsonl and uploads it to the GitHub Release
  • Existing actions/attest-build-provenance steps are kept — they feed GitHub's Artifact Attestations API (gh attestation verify), while the new .intoto.jsonl files satisfy the OpenSSF Scorecard's Signed-Releases provenance tier (10/10 vs current 8/10)

Context

OpenSSF Scorecard currently gives 8/10 on Signed-Releases: all 5 latest releases have .sigstore.json signatures, but none have .intoto.jsonl SLSA provenance files. The Scorecard awards 10/10 only when .intoto.jsonl is present. Since the Scorecard checks the last 5 releases, the score will ramp up gradually with each new release.

Test plan

  • Merge and wait for next release — verify release-binaries workflow completes all 3 build jobs + combine-hashes + provenance
  • Check the new release assets include a multiple.intoto.jsonl file alongside the existing .sigstore.json bundles
  • Verify provenance with slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl --source-uri github.com/archgate/cli <artifact>
  • After 1+ releases, re-check OpenSSF Scorecard Signed-Releases score (should increase above 8)

The OpenSSF Scorecard Signed-Releases check awards 8/10 for sigstore
signatures (.sigstore.json) but requires .intoto.jsonl provenance files
for 10/10. Add the slsa-framework/slsa-github-generator generic workflow
to generate SLSA v1.0 provenance and upload it to each GitHub Release.

The existing actions/attest-build-provenance steps are kept for GitHub
Artifact Attestations (gh attestation verify). The new SLSA generator
adds .intoto.jsonl files that the Scorecard recognizes as provenance.

Signed-off-by: Rhuan Barreto <rhuan.barreto@gmail.com>
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: b32e865
Status: ✅  Deploy successful!
Preview URL: https://5430b6ad.archgate-cli.pages.dev
Branch Preview URL: https://fix-slsa-provenance.archgate-cli.pages.dev

View logs

@rhuanbarreto rhuanbarreto merged commit f80b942 into main Apr 27, 2026
10 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/slsa-provenance branch April 27, 2026 22:44
@github-actions github-actions Bot mentioned this pull request Apr 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant