docs: update users, blog posts divider
caarlos0 committed Dec 4, 2023
1 parent 532879e commit 7e48196
Showing 3 changed files with 44 additions and 40 deletions.
2 changes: 2 additions & 0 deletions www/docs/blog/posts/2023-09-27-release-cadence.md
Expand Up @@ -15,6 +15,8 @@ removed in **minor** instead of **major** versions.

Those complaints are valid, and today I'm announcing how I plan to move forward.

<!-- more -->

## History

Before we do that, I feel like I should explain how we got in this position
Expand Down
Expand Up @@ -10,17 +10,19 @@ authors:

# Stay Calm and SLSA: Generating SLSA Provenance for Your Artifacts with GoReleaser and slsa-github-generator

In an age where software is at the heart of nearly every aspect of our lives, software supply chain security has become paramount. It involves a series of measures and practices aimed at ensuring the reliability and safety of the software we use daily. As cyber threats continue to evolve, the need for robust software supply chain security has never been greater. Organizations must take steps to protect their software development and distribution processes from potential vulnerabilities and attacks.
In an age where software is at the heart of nearly every aspect of our lives, software supply chain security has become paramount. It involves a series of measures and practices aimed at ensuring the reliability and safety of the software we use daily. As cyber threats continue to evolve, the need for robust software supply chain security has never been greater. Organizations must take steps to protect their software development and distribution processes from potential vulnerabilities and attacks.

SLSA provenance, short for Supply Chain Levels for Software Artifacts, is an emerging concept that revolutionizes the way we think about software supply chain security. It offers a comprehensive framework to track the lineage and trustworthiness of software components, thereby enhancing overall security.
<!-- more -->

The core idea behind SLSA provenance is to create a transparent and auditable trail of every software component's journey, from its creation to deployment. This ensures that any tampering or unauthorized changes can be quickly identified and mitigated. Software supply chain security and SLSA provenance are intrinsically linked, as the latter serves as a critical tool to bolster the former.
SLSA provenance, short for Supply Chain Levels for Software Artifacts, is an emerging concept that revolutionizes the way we think about software supply chain security. It offers a comprehensive framework to track the lineage and trustworthiness of software components, thereby enhancing overall security.

The core idea behind SLSA provenance is to create a transparent and auditable trail of every software component's journey, from its creation to deployment. This ensures that any tampering or unauthorized changes can be quickly identified and mitigated. Software supply chain security and SLSA provenance are intrinsically linked, as the latter serves as a critical tool to bolster the former.

Together, they provide a robust defense against the growing threats posed by malicious actors in the digital realm. In a world where software vulnerabilities can have far-reaching consequences, the adoption of SLSA provenance is a proactive step toward fortifying our software supply chains and making them more resilient to cyberattacks.

GoReleaser takes the ever-growing risks in the realm of software supply chain security incredibly seriously. From the onset of this era of heightened security concerns, GoReleaser has been at the forefront, continuously adding features to safeguard your artifacts against potential software supply chain attacks such as [generating an SBOMs](https://goreleaser.com/customization/sbom/), [signing your artifacts](https://goreleaser.com/customization/docker_sign/), and more.

> _If you want to learn more about the general software supply chain security features supported by GoReleaser, check out our [blog post](https://blog.goreleaser.com/goreleaser-and-software-supply-chain-security-e8917b26924b/) on the topic._
> _If you want to learn more about the general software supply chain security features supported by GoReleaser, check out our [blog post](https://blog.goreleaser.com/goreleaser-and-software-supply-chain-security-e8917b26924b/) on the topic._
In this blog post, we will explore how GoReleaser can help you generate SLSA provenance for your artifacts and how you can leverage the slsa-github-generator to automate the process.

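Review bot: the blockquote `> _If you want to learn more about the general software supply chain security features supported by GoReleaser ..._` is followed directly by `In this blog post, we will explore ...` with no blank line in between, so in CommonMark the second line is a lazy continuation and renders inside the quote; add a blank line after the quote. While these lines are being touched, `SLSA provenance, short for Supply Chain Levels for Software Artifacts` expands the wrong term: SLSA is the acronym for Supply-chain Levels for Software Artifacts, and provenance is the attestation that framework defines, so `SLSA (Supply-chain Levels for Software Artifacts) provenance` would be accurate.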
Expand All @@ -30,7 +32,7 @@ I would like to start with my favorite quote:

> _Each of these attacks could have been prevented if there were a way to detect that the delivered artifacts diverged from the expected origin of the software. But until now, generating verifiable information that described where, when, and how software artifacts were produced (information known as provenance) was difficult. This information allows users to trace artifacts verifiably back to the source and develop risk-based policies around what they consume._ - [Improving software supply chain security with tamper-proof builds](https://security.googleblog.com/2022/04/improving-software-supply-chain.html)
Unfortunately, provenance generation is not widely supported yet but hopefully will be in the future. And this is where the slsa-github-generator comes into play.
Unfortunately, provenance generation is not widely supported yet but hopefully will be in the future. And this is where the slsa-github-generator comes into play.

Thanks to the SLSA community, they developed a collection of GitHub reusable workflows called [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) that can help us with the solving of the problem we mentioned in the quote. It is a powerful tool designed to simplify the process of generating SLSA provenances for your GitHub-hosted projects. It seamlessly integrates with your GitHub repositories, providing an efficient way to enhance the security and trustworthiness of your software supply chain by automatically creating and managing SLSA provenance records.

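Review bot: same lazy-continuation problem here: `Unfortunately, provenance generation is not widely supported yet ...` sits directly under the Google blog quote line, so it renders as part of the blockquote; insert a blank line before it. Also, `help us with the solving of the problem we mentioned in the quote` reads better as `help us solve the problem mentioned in the quote`.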
Expand All @@ -53,7 +55,8 @@ We said artifacts a lot, but what are artifacts really? In the context of this b
Let's take a look at the `.goreleaser.yml` file of our demo project:

```yaml
...

---
builds:
- env:
- CGO_ENABLED=0
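Review bot: the leading `...` in the `.goreleaser.yml` block was an elision marker (the prose after the block says the file was trimmed), but the formatter parsed it as a YAML document-end marker and replaced it with `---`, so the snippet now opens with a document-start line the real file does not contain and the reader loses the hint that content was cut. Use a YAML comment such as `# ...` for elisions so the formatter leaves them alone, and check the matching marker at the end of the same block.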
Expand All @@ -65,8 +68,8 @@ builds:
kos:
- repository: ghcr.io/goreleaser/goreleaser-example-slsa-provenance
tags:
- '{{.Tag}}'
- '{{ if not .Prerelease }}latest{{ end }}'
- "{{.Tag}}"
- "{{ if not .Prerelease }}latest{{ end }}"
bare: true
preserve_import_paths: false
sbom: none
Expand All @@ -76,7 +79,6 @@ kos:
- -trimpath
ldflags:
- -s -w
...
```

I trimmed the file a bit to make it easier to read. As you can see, we are building our binaries for the `linux`, `windows`, and `darwin` operating systems as we defined in the `builds` section, thanks to the built-in cross-compliation support in Golang. We are also using the [kos](https://goreleaser.com/customization/ko/) integration to build a container image for our project. It is a new way to build container images your project using [ko](https://ko.build). We are also using the `ghcr.io/goreleaser/goreleaser-example-slsa-provenance` repository to push our container image both with the `latest` and the `{{.Tag}}` tag.
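Review bot: the trailing `...` that closed the trimmed `.goreleaser.yml` block was dropped here, so with the leading marker rewritten as well nothing inside the block signals that content was removed; a `# ...` comment line survives formatting. In the paragraph that follows, `cross-compliation` should be `cross-compilation`, and `build container images your project` is missing `for` (`build container images for your project`).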
Expand All @@ -85,7 +87,7 @@ I trimmed the file a bit to make it easier to read. As you can see, we are build
Now that we have a better understanding of what artifacts are and the `.goreleaser.yml' is, let's see how we can use the slsa-github-generator to generate SLSA provenance for our artifacts.

Before than that we should talk a little bit about the [GitHub Actions](https://docs.github.com/en/actions/quickstart) platform.
Before than that we should talk a little bit about the [GitHub Actions](https://docs.github.com/en/actions/quickstart) platform.

GitHub Actions is an automation and continuous integration/continuous deployment (CI/CD) platform provided by GitHub, which is a widely used web-based platform for version control and collaboration among software developers. GitHub Actions allows you to automate various tasks and workflows in your software development process directly within your GitHub repositories.

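Review bot: `Before than that we should talk a little bit about ...` is ungrammatical; use `Before that, we should talk a little bit about ...`. The preceding context line also has an unbalanced inline-code span around `.goreleaser.yml` (it opens with a backtick and closes with an apostrophe), which renders as a stray backtick; close it with a backtick.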
Expand All @@ -98,32 +100,32 @@ It's important to understand reusable workflows since the slsa-github-generator
Let's have a first look at the GitHub workflow file that we will use to generate SLSA provenance for our artifacts:

```yaml
...
binary-provenance:
needs: [goreleaser]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release

image-provenance:
needs: [goreleaser]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }} # you should provive registry-password, if you are using private registry like ghcr.io
...

---
binary-provenance:
needs: [goreleaser]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release

image-provenance:
needs: [goreleaser]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }} # you should provive registry-password, if you are using private registry like ghcr.io
```

At the time of writing this `1.9.0` is the latest version of the slsa-github-generator. As you can see, we are using two different reusable workflows to generate SLSA provenance for our artifacts. The first one is the `generator_generic_slsa3.yml` workflow, which is used to generate SLSA provenance for our binaries. The second one is the `generator_container_slsa3.yml` workflow, which is used to generate SLSA provenance for our container images.
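Review bot: the `...` at the top of this workflow snippet was also turned into `---`; since the snippet is the body of `jobs:` (`binary-provenance:` and `image-provenance:` are job names, not top-level keys), a document-start marker makes a fragment look like a complete workflow file. Prefer a `# ...` comment. Two smaller points on the `image-provenance` job: `provive` in the `registry-password` comment should be `provide`, and `private registry like ghcr.io` is misleading because ghcr.io is not private by nature; the point is that the generator needs credentials to push to the registry (which is also why `packages: write` is requested), so say `if your registry requires authentication to push`.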
Expand All @@ -136,7 +138,7 @@ First, as you might have noticed, we are using the `needs` keyword to define the

Next, we are using the `permissions` keyword to define the permissions of our job. This is a new feature of GitHub Actions that allows you to define the permissions of your workflow. This is important because we need to define the permissions of our workflow to be able to generate SLSA provenance for our artifacts. In this case, we are saying that our workflow needs the `read` permission to read the workflow path, the `write` permission to sign the provenance, and the `write` permission to add assets to a release.

As we mentioned we have to wait until the `goreleaser` job to be finished before we generate SLSA provenance because we need some output from the `goreleaser` job to generate SLSA provenance.
As we mentioned we have to wait until the `goreleaser` job to be finished before we generate SLSA provenance because we need some output from the `goreleaser` job to generate SLSA provenance.

We are using the `outputs` keyword to define the outputs of our job. In this case, we are saying that our workflow needs the `hashes` output from the `goreleaser` job. This is important because we need the hashes of our artifacts to generate SLSA provenance for them. We are also saying that our workflow needs the `image` and the `digest` output from the `goreleaser` job. This is important because we need the image and the digest of our container image to generate SLSA provenance for them.

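Review bot: the reflowed sentence "As we mentioned we have to wait until the goreleaser job to be finished before we generate SLSA provenance" is still ungrammatical; write "As mentioned, we have to wait until the goreleaser job has finished before generating SLSA provenance, because we need some of its outputs". In the paragraph above, "the read permission to read the workflow path, the write permission to sign the provenance, and the write permission to add assets" is vague: name the scopes as they appear in the YAML (`actions: read`, `id-token: write`, `contents: write`), and `permissions` is not a new feature of GitHub Actions.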
Expand All @@ -163,7 +165,7 @@ jobs:
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Image digest
id: image
env:
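Review bot: in the `Generate binary hashes` step, `echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"` leaves `$checksum_file` unquoted and pipes `cat` into `base64`; `base64 -w0 < "$checksum_file"` is safer and shorter. The `jq` filter `.[] | select (.type=="Checksum") | .path` prints one path per matching artifact, so if a release ever contains more than one checksum artifact the variable holds several newline-separated paths; decide explicitly whether to concatenate them or fail when the count is not exactly one.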
Expand All @@ -178,7 +180,7 @@ jobs:
...
```

For the `Generate binary hashes` step, we are using the `jq` tool to parse the `artifacts` output which is one of the outputs of the [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from the `goreleaser` job and extract the checksum file path. We are then using the `base64` tool to encode the checksum file and save it to the `hashes` output.
For the `Generate binary hashes` step, we are using the `jq` tool to parse the `artifacts` output which is one of the outputs of the [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from the `goreleaser` job and extract the checksum file path. We are then using the `base64` tool to encode the checksum file and save it to the `hashes` output.

In essence, the artifacts output consists of the contents of the artifacts.json file that GoReleaser generates in the dist/ folder, starting from version 1.2, as explained in this v1.2 release. This file contains information regarding the artifacts produced by GoReleaser.

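Review bot: `as explained in this v1.2 release` points at nothing; either add the link to the v1.2 release notes or drop the clause. Also put `artifacts.json` and `dist/` in inline code to match the rest of the post.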
Expand All @@ -188,7 +190,6 @@ At the end of the day, you will be having a succesfull workflow run like this:

![image](/static/slsa-provenance-generation.png)


## Further Steps

As you can see, generating SLSA provenance for your artifacts with GoReleaser and slsa-github-generator is a straightforward process. You might be asking yourself what's next? Well, the answer is simple because we added verification steps to our workflow to show you how you can verify the SLSA provenance of your artifacts since they were signed by the slsa-github-generator and uploaded to the transparency log server (Rekor).
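Review bot: the context line `At the end of the day, you will be having a succesfull workflow run like this:` has a typo, `succesfull` should be `successful`, and `you will be having` reads better as `you will have`. Removing the doubled blank line before `## Further Steps` is fine.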
Expand Down
1 change: 1 addition & 0 deletions www/docs/users.md
Expand Up @@ -23,6 +23,7 @@ Here's a running list of some organizations using GoReleaser[^1]:
1. [EVCC](https://evcc.io)
1. [FabioLB](https://fabiolb.net)
1. [Fleet for osquery](https://fleetdm.com)
1. [Flipt](https://www.flipt.io)
1. [FluxCD](https://fluxcd.io)
1. [Gaia Pipeline](https://github.com/gaia-pipeline)
1. [GitGuardian](https://gitguardian.com)
Expand Down
