ci: refactor slsa flow

Signed-off-by: Josef Andersson <[email protected]>

.github/workflows/release-slsa.yml

@@ -0,0 +1,112 @@
+# SPDX-FileCopyrightText: Josef Andersson
+#
+# SPDX-License-Identifier: CC0-1.0
+---
+name: SLSA
+on:
+  workflow_call:
+    inputs:
+      hashes:
+        required: true
+        type: string
+      image:
+        required: false
+        type: string
+      digest:
+        required: false
+        type: string
+      ref_name:
+        required: true
+        type: string
+permissions:
+  contents: read
+jobs:
+  binary-provenance:
+    permissions:
+      actions: read # To read the workflow path.
+      contents: write # To add assets to a release.
+      id-token: write # To sign the provenance.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      private-repository: true
+      base64-subjects: "${{ inputs.hashes }}"
+      upload-assets: true # upload to a new release
+
+  image-provenance:
+    if: ${{ inputs.image != '' && inputs.digest != '' }}
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ inputs.image }}
+      digest: ${{ inputs.digest }}
+      private-repository: true
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+  verification-with-slsa-verifier:
+    needs: [binary-provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/[email protected]
+
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          gh -R "$GITHUB_REPOSITORY" release download "${{ inputs.ref_name }}" -p '*.*'
+
+      - name: Verify assets
+        env:
+          CHECKSUMS: ${{ inputs.hashes }}
+          PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+          # shellcheck disable=SC2153
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo "$line" | cut -d ' ' -f3)
+              echo "Verifying $fn"
+              slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+                                          --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                          --source-tag "${{ inputs.ref_name }}" \
+                                          "$fn"
+          done <<<"$checksums"
+
+  verification-with-cosign:
+    if: ${{ inputs.image != '' && inputs.digest != '' }}
+    needs: [image-provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    steps:
+      - name: Login
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
+
+      - name: Verify image
+        env:
+          IMAGE: ${{ inputs.image }}
+          DIGEST: ${{ inputs.digest }}
+        run: |
+          cosign verify-attestation \
+             --type slsaprovenance \
+             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+             --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
+             "$IMAGE@$DIGEST"

.github/workflows/release-workflow.yml

@@ -7,7 +7,7 @@ name: Release Workflow
 on:
   push:
     tags:
-      - 'v[0-9]*.[0-9]*' # Forces at least vX.Y and then allows anything after
+      - "v[0-9]*.[0-9]*" # Forces at least vX.Y and then allows anything after
 
 permissions:
   contents: read
@@ -17,13 +17,28 @@ jobs:
     permissions:
       contents: write
     secrets: inherit
-    uses: ./.github/workflows/version-bump-changelog.yml
+    uses: ./.github/workflows/release-version-bump-changelog.yml
+
   release:
+    needs: [version-bump]
     permissions:
-      actions: read # Required for SLSA
       contents: write # For releases
-      id-token: write # For SLSA/signing
+      id-token: write # For keyless signing
       packages: write # For container registry
     secrets: inherit
-    needs: [version-bump]
     uses: ./.github/workflows/release.yml
+
+  slsa:
+    needs: [release]
+    permissions:
+      actions: read # For SLSA
+      contents: write # For releases
+      id-token: write # For signing
+      packages: write # For container registry
+    secrets: inherit
+    uses: ./.github/workflows/release-slsa.yml
+    with:
+      ref_name: ${{ github.ref_name }}
+      hashes: ${{ needs.release.outputs.hashes }}
+      image: ${{ needs.release.outputs.image }}
+      digest: ${{ needs.release.outputs.digest }}

.github/workflows/release.yml

@@ -6,6 +6,13 @@ name: GoReleaser
 
 on:
   workflow_call:
+    outputs:
+      hashes:
+        value: ${{ jobs.goreleaser.outputs.hashes }}
+      image:
+        value: ${{ jobs.goreleaser.outputs.image }}
+      digest:
+        value: ${{ jobs.goreleaser.outputs.digest }}
 
 permissions:
   contents: read
@@ -95,93 +102,3 @@ jobs:
           digest=$(echo "${image_and_digest}" | cut -d':' -f3,4 | uniq)
           echo "name=$image" >> "$GITHUB_OUTPUT"
           echo "digest=$digest" >> "$GITHUB_OUTPUT"
-
-  binary-provenance:
-    needs: [goreleaser]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      private-repository: true
-      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-      upload-assets: true # upload to a new release
-
-  image-provenance:
-    needs: [goreleaser]
-    permissions:
-      actions: read
-      id-token: write
-      packages: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ${{ needs.goreleaser.outputs.image }}
-      digest: ${{ needs.goreleaser.outputs.digest }}
-      private-repository: true
-      registry-username: ${{ github.actor }}
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
-
-  verification-with-slsa-verifier:
-    needs: [goreleaser, binary-provenance]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
-    steps:
-      - name: Install the verifier
-        uses: slsa-framework/slsa-verifier/actions/[email protected]
-
-      - name: Download assets
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
-        run: |
-          set -euo pipefail
-          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p '*.*'
-          # gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
-      - name: Verify assets
-        env:
-          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
-          PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
-        run: |
-          set -euo pipefail
-          # shellcheck disable=SC2153
-          checksums=$(echo "$CHECKSUMS" | base64 -d)
-          while read -r line; do
-              fn=$(echo "$line" | cut -d ' ' -f3)
-              echo "Verifying $fn"
-              slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
-                                            --source-uri "github.com/$GITHUB_REPOSITORY" \
-                                            --source-tag "$GITHUB_REF_NAME" \
-                                            "$fn"
-          done <<<"$checksums"
-
-  verification-with-cosign:
-    needs: [goreleaser, image-provenance]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: read
-    steps:
-      - name: Login
-        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da #v3.7.0
-
-      - name: Verify image
-        env:
-          IMAGE: ${{ needs.goreleaser.outputs.image }}
-          DIGEST: ${{ needs.goreleaser.outputs.digest }}
-        run: |
-          cosign verify-attestation \
-             --type slsaprovenance \
-             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-             --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
-             "$IMAGE@$DIGEST"

REUSE.toml

@@ -11,6 +11,7 @@ path = [
   "docs/dco.txt",
   "assets/*.png",
   "renovate.json",
+  "CHANGELOG.md",
 ]
 precedence = "aggregate"
 SPDX-FileCopyrightText = "janderssonse. <https://github.com/janderssonse>"

development/megalinter.yml

@@ -30,7 +30,7 @@ ENABLE_LINTERS: [
     # GO_GOLANGCI_LINT, #wait for 1.22 update
     BASH_SHELLCHECK,
     BASH_SHFMT,
-    MARKDOWN_MARKDOWNLINT,
+    # MARKDOWN_MARKDOWNLINT,
     YAML_PRETTIER,
     ACTION_ACTIONLINT,
     REPOSITORY_GITLEAKS,