From 669f3303678467cd6e1e0cbf24354044dab3b950 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Mar 2022 22:49:34 +0000 Subject: [PATCH 01/12] SLSA build --- .goreleaser.yml | 1 - .slsa-goreleaser.yml | 17 +++++++++++++++++ 2 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 .slsa-goreleaser.yml diff --git a/.goreleaser.yml b/.goreleaser.yml index 8833a882ab8..4522d656e85 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -29,7 +29,6 @@ builds: goos: - linux goarch: - - amd64 - arm64 - 386 - arm diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml new file mode 100644 index 00000000000..40c2c1753d9 --- /dev/null +++ b/.slsa-goreleaser.yml @@ -0,0 +1,17 @@ +version: 1 +env: + - GO111MODULE=on + # https://stackoverflow.com/a/62821358/19407 + - CGO_ENABLED=0 + +flags: + - -trimpath + - -tags=netgo + +#TODO: +#mod_timestamp: '{{ .CommitTimestamp }}' +goos: linux +goarch: amd64 +binary: binary-{{ .OS }}-{{ .Arch }} +ldflags: + - '{{ .Env.VERSION_LDFLAGS }}' \ No newline at end of file From d3db15d0c949d3eb84df64e00fdccd15f4555aae Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Mar 2022 23:17:30 +0000 Subject: [PATCH 02/12] missing files --- .github/workflows/slsa-goreleaser.yml | 49 +++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 .github/workflows/slsa-goreleaser.yml diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml new file mode 100644 index 00000000000..0a57abee9a3 --- /dev/null +++ b/.github/workflows/slsa-goreleaser.yml 
@@ -0,0 +1,49 @@ +name: Test SLSA +on: + workflow_dispatch: + push: + tags: + - "*" + +permissions: read-all + +jobs: + args: + runs-on: ubuntu-latest + outputs: + ldflags: ${{ steps.ldflags.outputs.value }} + steps: + - id: checkout + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 + with: + fetch-depth: 0 + - id: ldflags + run: | + echo "::set-output name=value::$(./scripts/version-ldflags)" + + build: + permissions: + id-token: write + contents: read + needs: args + uses: gossts/slsa-go/.github/workflows/builder.yml@main # TODO: use has upon release. + with: + go-version: 1.17 + env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" + + upload: + permissions: + contents: write + runs-on: ubuntu-latest + needs: build + steps: + - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + with: + name: ${{ needs.build.outputs.go-binary-name }} + - name: Release + uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 + if: startsWith(github.ref, 'refs/tags/') + with: + files: | + ${{ needs.build.outputs.go-binary-name }} + ${{ needs.build.outputs.go-binary-name }}.intoto.sig \ No newline at end of file From 3c881b14672c7a3b7378d553bde7992f934e2fb7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Mar 2022 23:38:13 +0000 Subject: [PATCH 03/12] updates --- .github/workflows/slsa-goreleaser.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 0a57abee9a3..05fe58a70ed 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -8,6 +8,7 @@ on: permissions: read-all jobs: + # Generate ldflags dynamically. args: runs-on: ubuntu-latest outputs: 
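Review bot: `go-version: 1.17` in the `build` job is an unquoted scalar, so a YAML parser reads it as a float; 1.17 survives, but a later bump to 1.20 would silently become 1.2, so quote it: `go-version: "1.17"`. The trusted builder is referenced as `gossts/slsa-go/.github/workflows/builder.yml@main`, a mutable branch, while `actions/checkout` in the same file is hash-pinned with a `# v2.3.4` comment; the inline TODO acknowledges this, and it should be resolved before the workflow runs on real tags since the builder is what produces the provenance being trusted. The `Release` step is correctly gated by `startsWith(github.ref, 'refs/tags/')`, so a `workflow_dispatch` run builds and downloads but never publishes, which is worth stating in a comment above the `upload` job, e.g. `# Publishes only on tag pushes; workflow_dispatch runs are dry runs.`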
@@ -21,16 +22,18 @@ jobs: run: | echo "::set-output name=value::$(./scripts/version-ldflags)" + # Trusted builder. build: permissions: id-token: write contents: read needs: args - uses: gossts/slsa-go/.github/workflows/builder.yml@main # TODO: use has upon release. + uses: gossts/slsa-go/.github/workflows/builder.yml@main # TODO: use hash upon release. with: go-version: 1.17 env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" + # Upload to GitHub release. upload: permissions: contents: write @@ -40,6 +43,9 @@ jobs: - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }} + - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + with: + name: ${{ needs.build.outputs.go-binary-name }}.intoto.sig - name: Release uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 if: startsWith(github.ref, 'refs/tags/') From 26d3a9edff38c9cc36ac3c3b28d490068a4b6732 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Mar 2022 23:40:00 +0000 Subject: [PATCH 04/12] updates --- .slsa-goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml index 40c2c1753d9..ad5ae5d4de8 100644 --- a/.slsa-goreleaser.yml +++ b/.slsa-goreleaser.yml @@ -14,4 +14,4 @@ goos: linux goarch: amd64 binary: binary-{{ .OS }}-{{ .Arch }} ldflags: - - '{{ .Env.VERSION_LDFLAGS }}' \ No newline at end of file + - '{{ .Env.VERSION_LDFLAGS }}' From 56d81e865bb938d4fdfb6c1a82fa698caac00bcf Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Mar 2022 23:40:34 +0000 Subject: [PATCH 05/12] updates --- .github/workflows/slsa-goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 05fe58a70ed..7b9458e8dbe 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml 
@@ -52,4 +52,4 @@ jobs: with: files: | ${{ needs.build.outputs.go-binary-name }} - ${{ needs.build.outputs.go-binary-name }}.intoto.sig \ No newline at end of file + ${{ needs.build.outputs.go-binary-name }}.intoto.sig From 56d8749486eefe660bd8195a37bd62f82e6cb7fe Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 3 Mar 2022 16:13:18 +0000 Subject: [PATCH 06/12] indent fix --- .github/workflows/slsa-goreleaser.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 7b9458e8dbe..7932245a124 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -43,7 +43,7 @@ jobs: - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }} - - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 + - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.sig - name: Release From db14b15ba17825cd7f28a6b6cbf5fc4a82bbc2be Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 6 Jun 2022 22:08:22 +0000 Subject: [PATCH 07/12] update --- .github/workflows/slsa-goreleaser.yml | 2 +- .slsa-goreleaser.yml | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 7932245a124..fe309f32ee4 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -28,7 +28,7 @@ jobs: id-token: write contents: read needs: args - uses: gossts/slsa-go/.github/workflows/builder.yml@main # TODO: use hash upon release. + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.2 with: go-version: 1.17 env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" 
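Review bot: `uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.2` references the trusted builder by a tag, which is mutable, whereas the other actions in this workflow are hash-pinned with a version comment; patch 09 moves it to `@v1.0.0` in the same form. If the builder project requires a tag reference rather than a commit hash (for example because provenance verification keys on the builder version), that rationale belongs in a comment next to the line so a later pinning pass does not change it, e.g. `# Referenced by tag on purpose: <reason>; check the tag against the upstream release before bumping.` Otherwise pin it to the commit hash as done for `actions/checkout`.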
diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml index ad5ae5d4de8..2d9dab24327 100644 --- a/.slsa-goreleaser.yml +++ b/.slsa-goreleaser.yml @@ -8,10 +8,8 @@ flags: - -trimpath - -tags=netgo -#TODO: -#mod_timestamp: '{{ .CommitTimestamp }}' goos: linux goarch: amd64 -binary: binary-{{ .OS }}-{{ .Arch }} +binary: scorecard-{{ .OS }}-{{ .Arch }} ldflags: - - '{{ .Env.VERSION_LDFLAGS }}' + - -s {{ .Env.VERSION_LDFLAGS }} From 3a6822be159d8ab90465f920c8ce0fdb6b734ba3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 6 Jun 2022 22:10:53 +0000 Subject: [PATCH 08/12] update --- .github/workflows/slsa-goreleaser.yml | 24 ++---------------------- 1 file changed, 2 insertions(+), 22 deletions(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index fe309f32ee4..91f384d972d 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -27,29 +27,9 @@ jobs: permissions: id-token: write contents: read + actions: read needs: args uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.2 with: go-version: 1.17 - env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" - - # Upload to GitHub release. - upload: - permissions: - contents: write - runs-on: ubuntu-latest - needs: build - steps: - - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 - with: - name: ${{ needs.build.outputs.go-binary-name }} - - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 - with: - name: ${{ needs.build.outputs.go-binary-name }}.intoto.sig - - name: Release - uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 - if: startsWith(github.ref, 'refs/tags/') - with: - files: | - ${{ needs.build.outputs.go-binary-name }} - ${{ needs.build.outputs.go-binary-name }}.intoto.sig + evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" From ad1773aa9d88240a7e97e26535e81cb0505947d2 Mon Sep 17 00:00:00 2001 
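Review bot: `- -s {{ .Env.VERSION_LDFLAGS }}` drops the quotes the replaced line had; it still parses as a single plain scalar because `{{` is not at the start of the value, but a plain scalar that begins with `-` and carries template braces is fragile under reformatting, so keep it quoted: `- '-s {{ .Env.VERSION_LDFLAGS }}'`. The same hunk keeps `binary: scorecard-{{ .OS }}-{{ .Arch }}`, and patch 09 changes `.OS` to `.Os`, which suggests the field name here does not match the template variable the builder exposes; worth confirming against the builder's configuration reference rather than by trial.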
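Review bot: With the `upload` job removed, nothing left in this workflow attaches the binary or its provenance to a GitHub release, and the `build` job still calls the builder with `contents: read`; patch 09 raises that to `contents: write`, which suggests publishing is being delegated to the reusable builder, but neither hunk says so. Add a comment on the `build` job making the delegation explicit, e.g. `# The reusable builder uploads the binary and provenance to the release; no upload job is needed here.`, and put the same justification next to the `contents: write` scope when it is granted so the elevated permission on a job that only invokes an external workflow stays reviewable. The newly added `actions: read` deserves a one-line note on what the builder reads with it, since it is otherwise unexplained.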
From: laurentsimon Date: Tue, 7 Jun 2022 23:45:55 +0000 Subject: [PATCH 09/12] updates --- .github/workflows/slsa-goreleaser.yml | 8 ++++---- .slsa-goreleaser.yml | 4 ++-- README.md | 7 ++++++- 3 files changed, 12 insertions(+), 7 deletions(-) diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml index 91f384d972d..6a92587154c 100644 --- a/.github/workflows/slsa-goreleaser.yml +++ b/.github/workflows/slsa-goreleaser.yml @@ -1,4 +1,4 @@ -name: Test SLSA +name: SLSA releaser on: workflow_dispatch: push: @@ -26,10 +26,10 @@ jobs: build: permissions: id-token: write - contents: read + contents: write actions: read needs: args - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.2 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0 with: go-version: 1.17 - evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" + evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" \ No newline at end of file diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml index 2d9dab24327..5495e9f6c51 100644 --- a/.slsa-goreleaser.yml +++ b/.slsa-goreleaser.yml @@ -10,6 +10,6 @@ flags: goos: linux goarch: amd64 -binary: scorecard-{{ .OS }}-{{ .Arch }} +binary: scorecard-{{ .Os }}-{{ .Arch }} ldflags: - - -s {{ .Env.VERSION_LDFLAGS }} + - -s {{ .Env.VERSION_LDFLAGS }} \ No newline at end of file diff --git a/README.md b/README.md index ef38276950a..e496f5231fd 100644 --- a/README.md +++ b/README.md 
@@ -148,8 +148,13 @@ To install Scorecards as a standalone: 1. Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and - download the correct binary for your operating system + download the correct binary for your operating system 2. Extract the binary file +3. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance natively using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for our linux amd64 binary. If you use this binary, you can verify it by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: +``` +$ ./slsa-verifier-linux-amd64 --artifact-path scorecard-linux-amd64 --provenance scorecard-linux-amd64.intoto.jsonl --source github.com/ossf/scorecard +``` +This guarantees that the binary you downloaded was generated using the source code of this repository. If you're interested in reading more about SLSA, visit [slsa.dev](slsa.dev). 3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify your directory if necessary) From a8ed466061d797ea37b6961feadc0b5643cfbd0c Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 7 Jun 2022 23:47:42 +0000 Subject: [PATCH 10/12] updates --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e496f5231fd..5c40617da00 100644 --- a/README.md +++ b/README.md 
@@ -150,7 +150,7 @@ To install Scorecards as a standalone: [release page](https://github.com/ossf/scorecard/releases/latest) and download the correct binary for your operating system 2. Extract the binary file -3. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance natively using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for our linux amd64 binary. If you use this binary, you can verify it by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: +3. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for the scorecard-linux-amd64 binary. If you use this binary, download the file scorecard-linux-amd64.intoto.jsonl as well. Then verify the binary by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: ``` $ ./slsa-verifier-linux-amd64 --artifact-path scorecard-linux-amd64 --provenance scorecard-linux-amd64.intoto.jsonl --source github.com/ossf/scorecard ``` From 63143cc65326d4e8753e29f2049474ae617abbd7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Tue, 7 Jun 2022 23:48:26 +0000 Subject: [PATCH 11/12] updates --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5c40617da00..182b337a245 100644 --- a/README.md +++ b/README.md 
@@ -149,13 +149,14 @@ To install Scorecards as a standalone: 1. Visit our latest [release page](https://github.com/ossf/scorecard/releases/latest) and download the correct binary for your operating system -2. Extract the binary file -3. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for the scorecard-linux-amd64 binary. If you use this binary, download the file scorecard-linux-amd64.intoto.jsonl as well. Then verify the binary by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: +1. Extract the binary file +1. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for the scorecard-linux-amd64 binary. If you use this binary, download the file scorecard-linux-amd64.intoto.jsonl as well. Then verify the binary by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: ``` $ ./slsa-verifier-linux-amd64 --artifact-path scorecard-linux-amd64 --provenance scorecard-linux-amd64.intoto.jsonl --source github.com/ossf/scorecard ``` This guarantees that the binary you downloaded was generated using the source code of this repository. If you're interested in reading more about SLSA, visit [slsa.dev](slsa.dev). -3. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to + +1. Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify your directory if necessary) ##### Using Homebrew From dcdd59c0f357c8922db325e6542df7b5c3d9db44 Mon Sep 17 00:00:00 2001 
From: laurentsimon Date: Wed, 8 Jun 2022 15:35:49 +0000 Subject: [PATCH 12/12] updates --- README.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 182b337a245..57568a0a02b 100644 --- a/README.md +++ b/README.md 
@@ -150,11 +150,18 @@ To install Scorecards as a standalone: [release page](https://github.com/ossf/scorecard/releases/latest) and download the correct binary for your operating system 1. Extract the binary file -1. We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for the scorecard-linux-amd64 binary. If you use this binary, download the file scorecard-linux-amd64.intoto.jsonl as well. Then verify the binary by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running: +1. We are excited to be an early adopter of one of the the OSSF [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) +to generate non-forgeable SLSA3 provenance for the scorecard-linux-amd64 binary. If you use this binary, download the companiion provenance file +scorecard-linux-amd64.intoto.jsonl as well. Then verify the scorecard binary with [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary): ``` -$ ./slsa-verifier-linux-amd64 --artifact-path scorecard-linux-amd64 --provenance scorecard-linux-amd64.intoto.jsonl --source github.com/ossf/scorecard +$ ./slsa-verifier-linux-amd64 \ + --artifact-path scorecard-linux-amd64 \ + --provenance scorecard-linux-amd64.intoto.jsonl \ + --source github.com/ossf/scorecard + --tag vX.Y.Z ``` -This guarantees that the binary you downloaded was generated using the source code of this repository. If you're interested in reading more about SLSA, visit [slsa.dev](slsa.dev). +When verification passes, it guarantees that the binary you downloaded was generated using the source code of this repository. +If you're interested in reading more about SLSA, visit the official [slsa.dev](slsa.dev). 1. 
Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify your directory if necessary)