Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 0 additions & 21 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,6 @@ jobs:
id-token: write
outputs:
asset_version: ${{ steps.version.outputs.asset_version }}
slsa_subjects_file: ${{ steps.slsa_subjects.outputs.handle }}
steps:
- uses: actions/checkout@v7
- uses: actions/setup-go@v6
Expand Down Expand Up @@ -50,14 +49,6 @@ jobs:
- run: ./packaging/package-release.sh
env:
VERSION: ${{ github.ref_name }}
- name: Generate SLSA subjects
shell: bash
run: base64 -w0 dist/SHA256SUMS > dist/SHA256SUMS.base64
- name: Upload SLSA subjects
id: slsa_subjects
uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0
with:
path: dist/SHA256SUMS.base64
- name: Install Cosign
uses: sigstore/cosign-installer@v4.1.0
- name: Sign checksums
Expand All @@ -70,15 +61,3 @@ jobs:
dist/SHA256SUMS
dist/SHA256SUMS.sigstore.json
dist/*_sbom.spdx.json

provenance:
needs: release
permissions:
actions: read
contents: write
id-token: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
with:
base64-subjects-as-file: ${{ needs.release.outputs.slsa_subjects_file }}
upload-assets: true
provenance-name: dbxcli_${{ needs.release.outputs.asset_version }}_slsa.intoto.jsonl
2 changes: 1 addition & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@
- Added scheduled/manual OSSF Scorecard scanning without public Scorecard API publishing.
- Replaced standalone Staticcheck workflow steps with a narrow `golangci-lint` configuration.
- Added explicit `go.sum` cache dependency paths for `actions/setup-go`.
- Added SBOM, Cosign signatures, and SLSA provenance to release artifacts.
- Added SBOM generation and Cosign signatures to release artifacts.
- Added race detector, workflow linting, and CodeQL security scanning to CI.
- Hardened CI workflows with explicit read-only permissions.
- Generate a non-constant OAuth2 `state` value to resolve the CodeQL `go/constant-oauth2-state` alert.
Expand Down
Loading