chore: add provenance to native builds
- chore: add SLSA support
- chore: package name update

Signed-off-by: Sam Gammon <sam@elide.ventures>
sgammon committed Mar 20, 2024
1 parent ae2dd05 commit eb5fdcf
Showing 6 changed files with 141 additions and 20 deletions.
1 change: 1 addition & 0 deletions .gitattributes
@@ -1,3 +1,4 @@
* text=auto eol=lf

dist/** -diff linguist-generated=true
scripts/** -linguist-detectable
7 changes: 3 additions & 4 deletions .github/workflows/ci.native-build.yml
Expand Up @@ -51,7 +51,6 @@ jobs:
native-build:
name: 'Build: Native (${{ inputs.label }})'
runs-on: ${{ inputs.runner }}

steps:
- name: 'Setup: Harden Runner'
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
Expand Down Expand Up @@ -82,11 +81,11 @@ jobs:
- name: 'Artifact: Hashes'
env:
# prettier-ignore
SHA1SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'gsha1sum' || 'sha1sum' }}"
SHA1SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'shasum -a 1' || 'sha1sum' }}"
# prettier-ignore
SHA256SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'gsha256sum' || 'sha256sum' }}"
SHA256SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'shasum -a 256' || 'sha256sum' }}"
# prettier-ignore
SHA512SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'gsha512sum' || 'sha512sum' }}"
SHA512SUM_TOOL: "${{ startsWith(inputs.runner, 'macos') && 'shasum -a 512' || 'sha512sum' }}"
run: |
cp -fv bin/hashlock hashlock.${{ inputs.tag }}
$SHA1SUM_TOOL hashlock.${{ inputs.tag }} | tee hashlock.${{ inputs.tag }}.sha1
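Review bot: the macOS values of `SHA1SUM_TOOL`, `SHA256SUM_TOOL` and `SHA512SUM_TOOL` are now a command plus arguments (`shasum -a 1` and so on), so the `run` lines only work while the variables stay unquoted and the shell word-splits them. A later cleanup that quotes `"$SHA1SUM_TOOL"` would make the step look for a binary literally named `shasum -a 1`. Add a comment next to the `env:` block saying the expansion is intentionally unquoted, or pick the tool inside the script with a small `case` on the runner OS. Separately, `hashlock.${{ inputs.tag }}` is expanded into the script text before the shell runs; passing the tag through `env:` and referencing it as `"$TAG"` keeps the input out of the script body.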
37 changes: 37 additions & 0 deletions .github/workflows/ci.native-builds.yml
Expand Up @@ -61,13 +61,38 @@ jobs:
name: 'Executables'
runs-on: ubuntu-latest
needs: [native-build]
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: 'Download: Artifacts'
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
path: ${{ inputs.artifact-prefix }}
pattern: '${{ inputs.artifact-prefix }}*'
merge-multiple: true
- name: 'Build: Provenance Hashes'
shell: bash
id: hash
run: |
echo "Release assets:"
cd ${{ inputs.artifact-prefix }}/
ls -la ./
file ./*
du -h ./*
echo ""
sha256sum ./* > ../pkg-hashes.txt
echo "Hashes:"
cat ../pkg-hashes.txt
echo ""
cat ../pkg-hashes.txt | base64 -w0 > ../pkg-hashes-encoded.txt
echo "Encoded Hashes:"
cat ../pkg-hashes-encoded.txt
echo ""
echo "hashes=$(sha256sum ./* | base64 -w0)" >> "$GITHUB_OUTPUT"
cd ..
- name: 'Artifact: Merged'
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
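Review bot: in the new 'Build: Provenance Hashes' step, `cd ${{ inputs.artifact-prefix }}/` pastes the workflow input into the script before bash parses it, and does so unquoted. Since this is a reusable workflow, the value is whatever the caller supplies; pass it through `env:` (for example `ARTIFACT_PREFIX: ${{ inputs.artifact-prefix }}`) and use `cd "$ARTIFACT_PREFIX"`. The step also runs `sha256sum ./*` twice, once into `../pkg-hashes.txt` and again for `$GITHUB_OUTPUT`. Writing the output from `../pkg-hashes-encoded.txt` instead would guarantee that the digest list printed in the log is byte-for-byte the one handed to the provenance job.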
Expand All @@ -76,3 +101,15 @@ jobs:
compression-level: 4
overwrite: true
path: '${{ inputs.artifact-prefix }}/*'

provenance:
name: 'SLSA Provenance'
needs: [native-build, prepare-artifacts]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
permissions:
actions: read
contents: write
id-token: write
with:
base64-subjects: '${{ needs.prepare-artifacts.outputs.hashes }}'
upload-assets: false
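Review bot: `generator_generic_slsa3.yml@v1.9.0` is referenced by tag, unlike the SHA-pinned `uses:` lines elsewhere in this diff. The SLSA generator requires its reusable workflow to be referenced by a version tag, so the pin is correct, but it needs a short comment saying so; otherwise a later hardening pass is likely to convert it to a commit SHA and break provenance generation. It is also worth a comment on `needs.prepare-artifacts.outputs.hashes` noting that the value must be the base64 of `sha256sum` output, since that contract is only implicit in the hash step above.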
4 changes: 4 additions & 0 deletions .github/workflows/on.pr.yml
Expand Up @@ -17,6 +17,10 @@ jobs:
build-native:
name: 'Build & Test'
uses: ./.github/workflows/ci.native-builds.yml
permissions:
actions: read
contents: write
id-token: write
with:
artifact-prefix: hashlock-pr${{ github.event.number }}
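Review bot: the `permissions:` block added to `build-native` grants `contents: write` and `id-token: write` to the whole called workflow, not only to its provenance job. Any job inside `ci.native-builds.yml` that does not declare its own `permissions:` inherits them, and in a PR workflow those jobs build and run code from the pull request. The hunks shown here add no per-job permissions to the build or artifact jobs, so consider setting `permissions: contents: read` on those jobs in the called workflow and leaving the write and OIDC scopes to the `provenance` job alone.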

106 changes: 93 additions & 13 deletions README.md
@@ -1,4 +1,4 @@
# Verify Hashes Action
# `hashlock`

[![CI](https://github.com/sgammon/verify-hashes/actions/workflows/on.push.yml/badge.svg)](https://github.com/sgammon/verify-hashes/actions/workflows/on.push.yml)
[![Check: Dist](https://github.com/sgammon/verify-hashes/actions/workflows/check.dist.yml/badge.svg)](https://github.com/sgammon/verify-hashes/actions/workflows/check.dist.yml)
Expand All @@ -7,16 +7,81 @@

---

> A very simple action:
> Use it as a CLI to check hash files like `something.txt.sha256`:
```shell
find . -name "<filename>.{md5,sha,sha1,sha256,sha512} -exec \
# (verify <filenames> within <hashfile>)
hashlock check .
```

> Or to generate hash lock files:
```shell
hashlock -a sha256 generate something.txt
# equivalent to `sha256sum something.txt > something.txt.sha256`
```

> Or, use it as a GitHub Action:
```yaml
- name: 'Check: Hashes'
uses: sgammon/verify-hashes@v1
```
> Or, use it as a library, from TypeScript or JavaScript:
```
{
"devDependencies": {
"hashlocks": "..."
}
}
```

```javascript
import { checkHashes } from 'hashlocks'
```

---

## Usage: CLI

This package is also usable as a command line tool, under the name `hashlock`.
The CLI is distributed on
[NPM as a JavaScript package](https://www.npmjs.com/package/hashlock), as well
as here, [on GitHub](https://github.com/sgammon/verify-hashes/releases), as a
[standalone executable built by Bun](https://bun.sh/docs/bundler/executables).

> [!NOTE] The CLI does not support Windows yet. Once
> [Bun](https://github.com/oven-sh/bun/issues/43) can ship a standalone Windows
> executable, this project will shortly follow.
### Installing the CLI

```
npm install -g hashlock
yarn install -g hashlock
pnpm install -g hashlock
bun install -g hashlock
```

### Using the CLI

```
hashlock --help
```

### Quick runs without installing

```
npx hashlock ...
yarnpkg hashlock ...
pnpm dlx hashlock ...
bun x hashlock ...
```

---

## Getting Started
## Usage: Actions

```yaml
- name: 'Check: Hashes'
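Review bot: the library snippet tells users to depend on and import `hashlocks`, while the NPM link, the install commands in this same hunk, and the `name` field in `package.json` all say `hashlock`. For a tool whose purpose is integrity checking, pointing readers at a package name the project does not publish is an install-the-wrong-package hazard; use one name throughout. Two smaller documentation problems in the same hunk: the `find . -name "<filename>.{md5,sha,sha1,sha256,sha512} -exec \` line has an unclosed double quote and continues onto a comment, so the first shell block cannot be pasted as written, and `yarn install -g hashlock` is not how Yarn installs a global package (`yarn global add`).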
Expand Down Expand Up @@ -49,7 +114,7 @@ hi
This action will detect `something.txt.sha256`, find `something.txt`, hash it
according to SHA-256, and make sure the two match.

## Usage
### Inputs

| Input | Description | Default |
| ----------------------- | ------------------------------------------------ | --------------- |
Expand All @@ -71,9 +136,9 @@ according to SHA-256, and make sure the two match.

- There were no hash files found under any `paths`, or all of them were ignored

## Examples
### Examples

### Fail if hash files are not found
#### Fail if hash files are not found

Strict mode will fail if hash files are not found or all of them are ignored:

Expand All @@ -84,7 +149,7 @@ Strict mode will fail if hash files are not found or all of them are ignored:
strict: true
```
### Verify a specific set of hash files
#### Verify a specific set of hash files
Turn off globs to do that. Multi-line values are accepted for `paths`:

Expand All @@ -97,11 +162,11 @@ Turn off globs to do that. Multi-line values are accepted for `paths`:
some/cool/hashfile.txt.sha256
```

## Behavior
### Behavior

This section describes in detail how the action behaves.

### Paths
#### Paths

By default, `paths` and `ignored` are treated as globs. Entries in `ignored` are
actually just globbed against each algorithm, same as `paths`, but with `!`
Expand All @@ -122,7 +187,7 @@ hello/**/*.{md5,sha,sha1,sha256,sha512}
!goodbye
```

#### Literal paths mode
##### Literal paths mode

When you pass `globs: false`, the `paths` entries become regular literal paths:

Expand All @@ -138,7 +203,22 @@ When you pass `globs: false`, the `paths` entries become regular literal paths:

The effective paths are:

```
```text
hello.sha256
djkhaledanotherone.sha256
```

---

## Usage: Library

This package is also usable as a JavaScript or TypeScript library. Simply
install `hashlocks` and you should have the main code + typings. The package
ships with source maps as well.

---

## Dependency Security

SLSA, Sigstore provenance, and SPDX are all supported by this package. All
release artifacts are shipped with provenance metadata.
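Review bot: the 'Dependency Security' paragraph states that all release artifacts ship with provenance metadata, but the provenance job added in this commit sets `upload-assets: false`, so the attestation is kept as a workflow artifact rather than attached to a release, and nothing in this diff produces SPDX output. Either narrow the wording to what the pipeline does today or wire up the upload, and add a sentence telling consumers where the provenance file lives and how to verify a downloaded binary against it. The new 'Usage: Library' section also repeats the `hashlocks` package name, which does not match `package.json`.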
6 changes: 3 additions & 3 deletions package.json
@@ -1,7 +1,7 @@
{
"name": "verify-hashes",
"name": "hashlock",
"version": "1.0.0-rc1",
"description": "Verify hash files (like something.sha256) from GitHub Actions",
"description": "Verify hash files (like something.sha256)",
"keywords": [
"actions",
"cli",
Expand Down Expand Up @@ -137,6 +137,6 @@
},
"publishConfig": {
"access": "public",
"provenance": false
"provenance": true
}
}
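Review bot: flipping `publishConfig.provenance` to `true` makes every `npm publish` of this package require a supported CI environment with an OIDC token; a publish from a developer machine will now fail. This diff adds `id-token: write` only to the PR build path, so confirm the workflow that actually runs `npm publish` grants `id-token: write` as well, and mention the CI-only publish requirement in the release notes or contributor docs.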
