@@ -28,6 +28,7 @@ project simply generates provenance as a separate step in an existing workflow.
2828 - [ Provenance for GoReleaser] ( #provenance-for-goreleaser )
2929 - [ Provenance for Bazel] ( #provenance-for-bazel )
3030 - [ Provenance for Java] ( #provenance-for-java )
31+ - [ Provenance for Rust] ( #provenance-for-rust )
3132
3233---
3334
@@ -79,7 +80,7 @@ provenance:
7980 actions : read # Needed for detection of GitHub Actions environment.
8081 id-token : write # Needed for provenance signing and ID
8182 contents : read # Needed for API access
82- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
83+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
8384 with :
8485 base64-subjects : " ${{ needs.build.outputs.hashes }}"
8586` ` `
@@ -136,7 +137,7 @@ jobs:
136137 actions: read
137138 id-token: write
138139 contents: read
139- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
140+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
140141 with:
141142 base64-subjects: "${{ needs.build.outputs.hashes }}"
142143 # Upload provenance to a new release
@@ -228,7 +229,7 @@ generated as an [in-toto](https://in-toto.io/) statement with a SLSA predicate.
228229 ],
229230 "predicate": {
230231 "builder": {
231- "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.1.1 "
232+ "id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0 "
232233 },
233234 "buildType": "https://github.com/slsa-framework/slsa-github-generator@v1",
234235 "invocation": {
@@ -341,7 +342,7 @@ jobs:
341342 actions : read # To read the workflow path.
342343 id-token : write # To sign the provenance.
343344 contents : write # To add assets to a release.
344- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
345+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
345346 with :
346347 base64-subjects : " ${{ needs.goreleaser.outputs.hashes }}"
347348 upload-assets : true # upload to a new release
@@ -420,10 +421,10 @@ jobs:
420421 actions : read # To read the workflow path.
421422 id-token : write # To sign the provenance.
422423 contents : write # To add assets to a release.
423- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
424+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
424425 with :
425426 base64-subjects : " ${{ needs.build.outputs.hashes }}"
426- upload-assets : true # upload to a new release
427+ upload-assets : true # Optional: Upload to a new release
427428` ` `
428429
429430### Provenance for Java
@@ -503,7 +504,7 @@ jobs:
503504 actions : read # To read the workflow path.
504505 id-token : write # To sign the provenance.
505506 contents : write # To add assets to a release.
506- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
507+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
507508 with :
508509 base64-subjects : " ${{ needs.build.outputs.hashes }}"
509510 upload-assets : true # Optional: Upload to a new release
@@ -572,8 +573,76 @@ jobs:
572573 actions : read
573574 id-token : write
574575 contents : read
575- uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
576+ uses : slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
576577 with :
577578 base64-subjects : " ${{ needs.build.outputs.hashes }}"
578579 upload-assets : true # Optional: Upload to a new release
579580` ` `
581+
582+ ### Provenance for Rust / Cargo
583+
584+ If you use [Cargo](https://doc.rust-lang.org/cargo/) to generate your artifacts, you can
585+ easily generate SLSA3 provenance by updating your existing workflow with the 4
586+ steps indicated in the workflow below:
587+
588+ ` ` ` yaml
589+ jobs :
590+ build :
591+ # ==================================================
592+ #
593+ # Step 1: Declare an `outputs` for the hashes.
594+ #
595+ # ==================================================
596+ outputs :
597+ hashes : ${{ steps.hash.outputs.hashes }}
598+
599+ [...]
600+
601+ steps :
602+ [...]
603+ - name : Build using cargo
604+ # =================================================
605+ #
606+ # Step 2: Add an `id: build` field
607+ # to your build step.
608+ #
609+ # =================================================
610+ id : build
611+ run : |
612+ # Your normal build workflow targets here.
613+ cargo build --release
614+
615+ cp target/release/target_binary .
616+
617+ # ========================================================
618+ #
619+ # Step 4: Add a step to generate the provenance subjects
620+ # as shown below. Update the sha256 sum arguments
621+ # to include all binaries that you generate
622+ # provenance for.
623+ #
624+ # ========================================================
625+ - name : Generate subject
626+ id : hash
627+ run : |
628+ set -euo pipefail
629+
630+ echo "::set-output name=hashes::$(sha256sum target_binary | base64 -w0)"
631+
632+ # =========================================================
633+ #
634+ # Step 5: Call the generic workflow to generate provenance
635+ # by declaring the job below.
636+ #
637+ # =========================================================
638+ provenance :
639+ needs : [build]
640+ permissions :
641+ actions : read # To read the workflow path.
642+ id-token : write # To sign the provenance.
643+ contents : write # To add assets to a release.
644+ uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 645+ with :
646+ base64-subjects : " ${{ needs.build.outputs.hashes }}"
647+ upload-assets : true # Optional: Upload to a new release
648+ ` ` `
0 commit comments