ci: release SLSA Provenance

.github/workflows/release.yaml

@@ -0,0 +1,81 @@
+---
+name: Release
+on:
+  push:
+    tags: [v*]
+permissions:
+  contents: write # required to create a release
+  id-token: write # required for cosign
+env:
+  AQUA_POLICY_CONFIG: ${{ github.workspace }}/aqua-policy.yaml
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: '1.19.3'
+          cache: true
+
+      - name: Generate token
+        id: generate_token
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # tag=v1.7.0
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: remove changes
+        # Sometimes it is failed to release by goreleaser due to changes of go.sum
+        run: git checkout -- .
+      - name: fetch tags to release
+        run: git fetch --tags -f
+      - name: Unshallow
+        run: git fetch --prune --unshallow
+      - name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Generate hashes
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          # sha256sum artifact1 artifact2 ... | base64 -w0
+          echo "hashes=$(find dist -name "*.tar.gz" -print0 | xargs -0 sha256sum | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read # Needed for detection of GitHub Actions environment.
+      id-token: write # Needed for provenance signing and ID
+      contents: write # Needed for release uploads
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      # Upload provenance to a new release
+      upload-assets: false
+
+  release:
+    needs: [provenance]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download the provenance
+        uses: actions/download-artifact@v3
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+
+      - name: Upload provenance
+        run: gh release upload -R aquaproj/aqua "${REF#refs/tags/}" multiple.intoto.jsonl
+        env:
+          REF: ${{ github.ref }}
+          GITHUB_TOKEN: ${{ github.token }}

.github/workflows/test.yaml

@@ -5,7 +5,6 @@ env:
 on:
   push:
     branches: [main]
-    tags: [v*]
   pull_request:
     branches: [main]
 jobs:
@@ -27,28 +26,3 @@ jobs:
         timeout: 120s
 
     - run: go test -v ./... -race -covermode=atomic
-
-    - name: Generate token
-      id: generate_token
-      if: startsWith(github.ref, 'refs/tags/')
-      uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # tag=v1.7.0
-      with:
-        app_id: ${{ secrets.APP_ID }}
-        private_key: ${{ secrets.APP_PRIVATE_KEY }}
-
-    - name: remove changes
-      # Sometimes it is failed to release by goreleaser due to changes of go.sum
-      run: git checkout -- .
-    - name: fetch tags to release
-      run: git fetch --tags -f
-    - name: Unshallow
-      run: git fetch --prune --unshallow
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
-      if: startsWith(github.ref, 'refs/tags/')
-      with:
-        version: latest
-        args: release --rm-dist
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}

go.mod

@@ -7,7 +7,7 @@ require (
 	github.com/adrg/xdg v0.4.0
 	github.com/antonmedv/expr v1.9.0
 	github.com/codingsince1985/checksum v1.2.6
-	github.com/goccy/go-yaml v1.9.7
+	github.com/goccy/go-yaml v1.9.8
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-github/v45 v45.2.0
 	github.com/google/wire v0.5.0

go.sum

@@ -587,8 +587,8 @@ github.com/gobuffalo/packd v0.1.0/go.mod h1:M2Juc+hhDXf/PnmBANFCqx4DM3wRbgDvnVWe
 github.com/gobuffalo/packr/v2 v2.0.9/go.mod h1:emmyGweYTm6Kdper+iywB6YK5YzuKchGtJQZ0Odn4pQ=
 github.com/gobuffalo/packr/v2 v2.2.0/go.mod h1:CaAwI0GPIAv+5wKLtv8Afwl+Cm78K/I/VCm/3ptBN+0=
 github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY95UYwwW3uSASeV7vtgYkT2t16hJgV3AEPUpw=
-github.com/goccy/go-yaml v1.9.7 h1:D/Vx+JITklB1ugSkncB4BNR67M3X6AKs9+rqVeo3ddw=
-github.com/goccy/go-yaml v1.9.7/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
+github.com/goccy/go-yaml v1.9.8 h1:5gMyLUeU1/6zl+WFfR1hN7D2kf+1/eRGa7DFtToiBvQ=
+github.com/goccy/go-yaml v1.9.8/go.mod h1:JubOolP3gh0HpiBc4BLRD4YmjEjHAmIIB2aaXKkTfoE=
 github.com/godbus/dbus v4.1.0+incompatible/go.mod h1:/YcGZj5zSblfDWMMoOzV4fas9FZnQYTkDnsGvmh2Grw=
 github.com/godbus/dbus/v5 v5.0.3/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=