sigstore · cpanato · Feb 14, 2023 · Feb 13, 2023
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -23,6 +23,8 @@ jobs:
           check-latest: true
           cache: true
 
+      - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
+
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,92 @@
+name: Cut Release
+
+on:
+  push:
+    tags:
+      - "v*"
+
+concurrency: cut-release
+
+permissions:
+  contents: write # needed to write releases
+  id-token: write # needed for keyless signing
+  packages: write # needed for pushing the images to ghcr.io
+
+jobs:
+  release:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
+
+      - name: Set env
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
+
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
+        with:
+          go-version: '1.20'
+          check-latest: true
+
+      - uses: sigstore/cosign-installer@4079ad3567a89f68395480299c77e40170430341
+      - uses: anchore/sbom-action/download-syft@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
+      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - uses: imjasonh/setup-crane@e82f1b9a8007d399333baba4d75915558e9fb6a4 # v0.2
+
+      - name: Run GoReleaser
+        id: run-goreleaser
+        uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
+        with:
+          version: latest
+          args: release --clean --timeout 120m
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          KO_DOCKER_REPO: ghcr.io/sigstore/cosign-gatekeeper-provider
+
+      - name: sign image
+        run: |
+          digest=$(crane digest ghcr.io/sigstore/cosign-gatekeeper-provider:${{ env.RELEASE_VERSION }})
+          cosign sign --yes --force "ghcr.io/sigstore/cosign-gatekeeper-provider@${digest}"
+        env:
+          COSIGN_EXPERIMENTAL: true
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs:
+      - release
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.release.outputs.hashes }}"
+      upload-assets: false # do not upload to a new release since goreleaser creates it
+
+  release-provenance:
+    needs:
+      - provenance
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # To read the workflow path.
+      contents: write # To add assets to a release.
+    steps:
+      - name: Download the provenance
+        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+        with:
+          name: ${{needs.provenance.outputs.provenance-name}}
+
+      - name: Release Provenance
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        id: release-provenance
+        with:
+          draft: true
+          files: ${{needs.provenance.outputs.provenance-name}}
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -15,11 +15,15 @@ before:
 gomod:
   proxy: true
 
+sboms:
+  - artifacts: binary
+
 builds:
   - main: .
     flags:
       - -trimpath
     mod_timestamp: '{{ .CommitTimestamp }}'
+    binary: cosign-gatekeeper-provider-{{ .Os }}-{{ .Arch }}
     goos:
       - linux
       - darwin
@@ -34,6 +38,37 @@ builds:
     env:
       - CGO_ENABLED=0
 
+kos:
+  - repository: ghcr.io/sigstore/cosign-gatekeeper-provider
+    tags:
+      - 'v{{.Version}}'
+    main: .
+    bare: true
+    preserve_import_paths: false
+    sbom: spdx
+    base_image: cgr.dev/chainguard/static:latest
+    platforms:
+      - linux/amd64
+      - linux/arm64
+      - linux/s390x
+      - linux/ppc64le
+      - linux/arm
+
+signs:
+  # Keyless
+  - id: binary
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+    artifacts: binary
+  - id: checksum-keyless
+    signature: "${artifact}.sig"
+    certificate: "${artifact}.pem"
+    cmd: cosign
+    args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
+    artifacts: checksum
+
 archives:
   - format: binary
     name_template: "{{ .Binary }}"

diff --git a/Dockerfile b/Dockerfile