From b32e865fd1ab79f4aa6b6a561b2262293c9aed06 Mon Sep 17 00:00:00 2001 From: Rhuan Barreto Date: Tue, 28 Apr 2026 00:40:52 +0200 Subject: [PATCH] fix(ci): add SLSA provenance to release artifacts The OpenSSF Scorecard Signed-Releases check awards 8/10 for sigstore signatures (.sigstore.json) but requires .intoto.jsonl provenance files for 10/10. Add the slsa-framework/slsa-github-generator generic workflow to generate SLSA v1.0 provenance and upload it to each GitHub Release. The existing actions/attest-build-provenance steps are kept for GitHub Artifact Attestations (gh attestation verify). The new SLSA generator adds .intoto.jsonl files that the Scorecard recognizes as provenance. Signed-off-by: Rhuan Barreto --- .github/workflows/release-binaries.yml | 53 ++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/.github/workflows/release-binaries.yml b/.github/workflows/release-binaries.yml index 82e5d5ee..15e9dba2 100644 --- a/.github/workflows/release-binaries.yml +++ b/.github/workflows/release-binaries.yml @@ -116,3 +116,56 @@ jobs: $tag = "${{ github.event.release.tag_name || inputs.tag }}" Copy-Item "${{ steps.attest-win.outputs.bundle-path }}" "${{ matrix.artifact }}.zip.sigstore.json" gh release upload $tag "${{ matrix.artifact }}.zip" "${{ matrix.artifact }}.zip.sha256" "${{ matrix.artifact }}.zip.sigstore.json" --clobber + + - name: Upload digest for SLSA provenance (Unix) + if: runner.os != 'Windows' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: digest-${{ matrix.artifact }} + path: ${{ matrix.artifact }}.tar.gz.sha256 + + - name: Upload digest for SLSA provenance (Windows) + if: runner.os == 'Windows' + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: digest-${{ matrix.artifact }} + path: ${{ matrix.artifact }}.zip.sha256 + + combine-hashes: + name: Combine hashes for provenance + needs: build + runs-on: ubuntu-latest + timeout-minutes: 5 + outputs: + digests: ${{ steps.combine.outputs.digests }} + steps: + - name: Download all digest artifacts + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + pattern: digest-* + merge-multiple: true + + - name: Combine digests + id: combine + run: | + echo "=== Individual digests ===" + cat *.sha256 + echo "" + DIGESTS=$(cat *.sha256 | tr -d '\r' | base64 -w0) + echo "digests=$DIGESTS" >> "$GITHUB_OUTPUT" + + # SLSA provenance — generates .intoto.jsonl and uploads it to the release. + # Uses tag ref (not SHA) because slsa-verifier checks the builder identity + # against a known tag list; SHA refs would fail verification. + provenance: + name: SLSA provenance + needs: combine-hashes + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 + with: + base64-subjects: "${{ needs.combine-hashes.outputs.digests }}" + upload-assets: true + upload-tag-name: ${{ github.event.release.tag_name || inputs.tag }}