Create a release as part of generic workflow (slsa-framework#413)

Ian Lewis · laurentsimon · web-flow · commit 2541976b6b95 · 2022-06-29T00:22:11.000Z
* Add ability to upload to a release

* add release id output

Co-authored-by: laurentsimon &lt;64505099+laurentsimon@users.noreply.github.com&gt;
diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
@@ -47,7 +47,7 @@ on:
         required: true
         type: string
       upload-assets:
-        description: "Whether to upload assets to a GitHub release or not."
+        description: "If true provenance is uploaded to a GitHub release for new tags."
         required: false
         type: boolean
         default: true
@@ -61,7 +61,7 @@ on:
         required: false
         type: string
       compile-builder:
-        description: "Build the builder from source. This increases build time by ~2mn."
+        description: "Build the builder from source. This increases build time by ~2m."
         required: false
         type: boolean
         default: false
@@ -181,7 +181,7 @@ jobs:
           go-version: ${{ inputs.go-version }}
 
       - name: Download builder
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
         with:
           name: "${{ env.BUILDER_BINARY }}"
 
@@ -241,7 +241,7 @@ jobs:
           go-version: ${{ inputs.go-version }}
 
       - name: Download builder
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
         with:
           name: "${{ env.BUILDER_BINARY }}"
 
@@ -328,7 +328,7 @@ jobs:
     needs: [build, build-dry]
     steps:
       - name: Download generated binary
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
         with:
           name: "${{ env.GENERATED_BINARY_NAME }}"
 
@@ -373,7 +373,7 @@ jobs:
       go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
     steps:
       - name: Download builder
-        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v2.1.0
+        uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
         with:
           name: "${{ env.BUILDER_BINARY }}"
 
@@ -439,7 +439,7 @@ jobs:
     if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
     steps:
       # Verify binary hash.
-      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
         with:
           name: ${{ needs.build-dry.outputs.go-binary-name }}
       - name: Verify binary hash
@@ -458,7 +458,7 @@ jobs:
           echo "$UNTRUSTED_BINARY_HASH $UNTRUSTED_BINARY_NAME" | sha256sum --strict --check --status || exit -2
 
       # Verify provenance hash.
-      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0.
         with:
           name: ${{ needs.provenance.outputs.go-provenance-name }}
       - name: Verify provenance hash
diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -30,29 +30,34 @@ env:
   VERIFIER_RELEASE_BINARY_SHA256: 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
   VERIFIER_RELEASE: v1.1.1
 
-###################################################################
-#                                                                 #
-#            Input and output argument definitions                #
-#                                                                 #
-###################################################################
 on:
   workflow_call:
     inputs:
       base64-subjects:
         description: "Artifacts for which to generate provenance, formatted the same as the output of sha256sum (SHA256 NAME\\n[...]) and base64 encoded."
         required: true
         type: string
+      upload-to-release:
+        description: "If true provenance is uploaded to a GitHub release for new tags."
+        required: false
+        type: boolean
+        default: true
       compile-generator:
-        description: "Build the generator from source. This increases build time by ~2mn."
+        description: "Build the generator from source. This increases build time by ~2m."
         required: false
         type: boolean
         default: false
     outputs:
+      release-id:
+        description: "The name of the release where provenance was uploaded."
+        value: ${{ jobs.create-release.outputs.release-id }}
       attestation-name:
         description: "The artifact name of the signed provenance"
         value: ${{ jobs.generator.outputs.attestation-name }}
 
 jobs:
+  # detect-env detects the reusable workflow's repository and ref for use later
+  # in the workflow.
   detect-env:
     outputs:
       repository: ${{ steps.detect.outputs.repository }}
@@ -65,14 +70,19 @@ jobs:
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow@d995948e8d53cc639c0d3ef69db31dbc243519c4
 
-  ###################################################################
-  #                                                                 #
-  #                       Build the generator                       #
-  #                                                                 #
-  ###################################################################
+  # generator builds the generator binary and runs it to generate SLSA
+  # provenance.
+  #
+  # If `compile-generator` is true then the generator is compiled
+  # from source at the ref detected by `detect-env`.
+  #
+  # If `compile-generator` is false, then the generator binary is downloaded
+  # with the release at the ref detected by `detect-env`. This must be a tag
+  # reference.
   generator:
     outputs:
       attestation-name: ${{ steps.sign-prov.outputs.attestation-name }}
+      attestation-sha256: ${{ steps.sign-prov.outputs.attestation-sha256 }}
     runs-on: ubuntu-latest
     needs: [detect-env]
     permissions:
@@ -133,8 +143,11 @@ jobs:
           set -euo pipefail
           # Create and sign provenance
           # This sets attestation-name to the name of the signed DSSE envelope.
-          ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g attestation.intoto.jsonl
-          echo "::set-output name=attestation-name::attestation.intoto.jsonl"
+          attestation_name="attestation.intoto.jsonl"
+          ./"$BUILDER_BINARY" attest --subjects "${SUBJECTS}" -g $attestation_name
+          attestation_sha256=$(sha256sum $attestation_name | awk '{print $1}')
+          echo "::set-output name=attestation-name::$attestation_name"
+          echo "::set-output name=attestation-sha256::$attestation_sha256"
 
       - name: Upload the signed provenance
         uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
@@ -143,3 +156,40 @@ jobs:
           path: "${{ steps.sign-prov.outputs.attestation-name }}"
           if-no-files-found: error
           retention-days: 5
+
+  # create-release creates a release and uploads provenance to the release if
+  # `upload-to-release` is true.
+  create-release:
+    outputs:
+      release-id: ${{ steps.release.outputs.id }}
+    runs-on: ubuntu-latest
+    needs: [generator]
+    permissions:
+      contents: write
+    if: startsWith(github.ref, 'refs/tags/') && inputs.upload-to-release == true
+    steps:
+      # Verify provenance hash.
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0
+        with:
+          name: ${{ needs.generator.outputs.attestation-name }}
+      - name: Verify provenance hash
+        env:
+          UNTRUSTED_PROVENANCE_NAME: "${{ needs.generator.outputs.attestation-name }}"
+          UNTRUSTED_PROVENANCE_HASH: "${{ needs.generator.outputs.attestation-sha256 }}"
+        run: |
+          set -euo pipefail
+
+          echo "hash of provenance $UNTRUSTED_PROVENANCE_NAME should be $UNTRUSTED_PROVENANCE_HASH"
+
+          COMPUTED_HASH=$(sha256sum "$UNTRUSTED_PROVENANCE_NAME" | awk '{print $1}')
+          echo "provenance hash computed is $COMPUTED_HASH"
+
+          # Compare hashes. Explicit exit to be safe.
+          echo "$UNTRUSTED_PROVENANCE_HASH $UNTRUSTED_PROVENANCE_NAME" | sha256sum --strict --check --status || exit -2
+
+      - name: Release
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 # v0.1.14
+        id: release
+        with:
+          files: |
+            ${{ needs.generator.outputs.attestation-name }}
