From ace776d7c130535a088a2ee5547bcbc358053cab Mon Sep 17 00:00:00 2001 From: "Gal Ofri @ Legit Security" <99600389+gal-legit@users.noreply.github.com> Date: Mon, 28 Nov 2022 03:43:32 +0200 Subject: [PATCH] =?UTF-8?q?Fix=20docs=20for=20goreleaser=20with=20the=20ge?= =?UTF-8?q?neric=20generator=20to=20include=20docker=20di=E2=80=A6=20(#125?= =?UTF-8?q?2)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Fix docs for goreleaser with the generic builder to include docker digest * add backwards compatiblity for goreleaser versions prior v1.13.0 * add the new instructions for the all-in-all snippet as well * add notes * add link to goreleaser release with the new docker feature --- internal/builders/generic/README.md | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index b7fbd5848b..366025a15e 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -322,6 +322,11 @@ This section explains how to generate non-forgeable SLSA provenance with existin If you use [GoReleaser](https://github.com/goreleaser/goreleaser-action) to generate your build, you can easily generate SLSA3 provenance by updating your existing workflow with the steps indicated in the workflow below: +**Notes**: +- Make sure you did not disable checksum generation in the goreleaser yml. +- Make sure you specified sha256 as the algorithm for the checksum or left it empty (sha256 is the default). +- To enable provenance generation for dockers (as well as artifacts), use [goreleaser version >= v1.13.0](https://github.com/goreleaser/goreleaser/releases/tag/v1.13.0). + 1. Declare an `outputs` for the GoReleaser job: ```yaml 
@@ -338,7 +343,7 @@ jobs: [...] - name: Run GoReleaser id: run-goreleaser - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # tag=v3 + uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0 ``` @@ -351,9 +356,12 @@ jobs: ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" run: | set -euo pipefail - - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + if test "$hashes" = ""; then # goreleaser < v1.13.0 + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + hashes=$(cat $checksum_file | base64 -w0) + fi + echo "hashes=$hashes" >> $GITHUB_OUTPUT ``` 4. Call the generic workflow to generate provenance by declaring the job below: @@ -394,8 +402,12 @@ jobs: run: | set -euo pipefail - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + if test "$hashes" = ""; then # goreleaser < v1.13.0 + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + hashes=$(cat $checksum_file | base64 -w0) + fi + echo "hashes=$hashes" >> $GITHUB_OUTPUT provenance: needs: [goreleaser]
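Review bot: in the new **Notes** block of the first hunk, the third bullet's "provenance generation for dockers (as well as artifacts)" is ambiguous; GoReleaser's artifact list contains both, so say "Docker images (as well as archives and binaries)". The first two bullets would also be clearer if they said why they matter: the hash-collection step below reads `.extra.Digest // .extra.Checksum` from the GoReleaser artifact output and, when that is empty, falls back to the `Checksum` artifact's file, so a disabled or non-sha256 checksum leaves that step with nothing to hand to the generic generator.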
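Review bot: the replacement script in the `@@ -351,9 +356,12 @@` hunk drops quoting that the removed lines had. `hashes=$(echo $ARTIFACTS | jq ...)` expands the JSON unquoted (the removed line used `echo "$ARTIFACTS"`), exposing it to word splitting and globbing, and `>> $GITHUB_OUTPUT` replaces the removed `>> "$GITHUB_OUTPUT"`; restore both quotes, and quote `cat "$checksum_file"` in the fallback branch while touching it. The jq filter also relies on `{digest} + {name} | join(" ")` iterating object values in insertion order to get `digest name`; `[.digest, .name] | join(" ")` after the `select(.digest)` makes the order explicit and yields the same output. Finally, the `# goreleaser < v1.13.0` comment on the `if` line is the only hint that the fallback exists; a one-line comment saying the first pipeline is empty on older versions (no `extra.Digest`/`extra.Checksum` fields) would help readers who copy this into their workflow.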
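Review bot: the `@@ -394,8 +402,12 @@` hunk repeats the step-3 script verbatim in the all-in-one snippet, including the unquoted `echo $ARTIFACTS` and `>> $GITHUB_OUTPUT` where the removed lines had `"$ARTIFACTS"` and `"$GITHUB_OUTPUT"`; any quoting fix applied to the step-by-step version must be mirrored here, since readers copy this block as a whole into a workflow. Both copies also produce hash lines in `<digest> <name>` form via `join(" ")` while the fallback branch hands over the checksum file untouched; please confirm in the README that the generic generator accepts both line formats, otherwise the two branches will behave differently depending on the GoReleaser version.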