From 011ccbb1fbc0fb76982c229c92f556295d4bbb3e Mon Sep 17 00:00:00 2001
From: Tom Binder
Date: Mon, 15 Jul 2024 18:44:39 +0000
Subject: [PATCH] Add trusted build for Rekor command line tool.
Bug: 345083606
Change-Id: I39380696fed0d86a4bd3a6de20611f65bd98d511
---
 .github/workflows/rekor_cli.yaml | 99 ++++++++++++++++++++++++++++++++
 1 file changed, 99 insertions(+)
 create mode 100644 .github/workflows/rekor_cli.yaml
diff --git a/.github/workflows/rekor_cli.yaml b/.github/workflows/rekor_cli.yaml
new file mode 100644
index 0000000000..9c6b1eadf7
--- /dev/null
+++ b/.github/workflows/rekor_cli.yaml
@@ -0,0 +1,99 @@
+name: Build and attest Rekor CLI
+
+# Workflow to build the Rekor command line tool from source, and to generate
+# a GitHub provenance/attestation for the build artifact.
+# Only to be run manually via:
+# gh workflow run .github/workflows/rekor_cli.yaml
+# See build.yaml for details.
+
+on:
+ workflow_dispatch:
+ branches: [main]
+
+jobs:
+ build_attest_rekor_cli:
+ permissions:
+ actions: read
+ id-token: write
+ attestations: write
+ contents: read
+
+ runs-on: ubuntu-20.04
+
+ steps:
+ - name: Authenticate to Google Cloud
+ uses: google-github-actions/auth@v2
+ with:
+ credentials_json: ${{ secrets.GCP_SERVICE_ACCOUNT_KEY_JSON }}
+
+ - name: Setup Google Cloud
+ uses: google-github-actions/setup-gcloud@v2
+
+ - name: Mount main branch
+ uses: actions/checkout@v4
+
+ - name: Show values
+ run: |
+ set -o errexit
+ gsutil --version
+ echo "GITHUB_SHA: ${GITHUB_SHA}"
+
+ - name: Build
+ id: build
+ run: |
+ set -o errexit
+ set -o xtrace
+ git clone https://github.com/sigstore/rekor.git rekor-cli
+ cd rekor-cli
+ make rekor-cli
+ cp --preserve=timestamps rekor-cli /tmp/rekor-cli
+ chmod 755 /tmp/rekor-cli
+
+ - name: Show build artifact
+ run: |
+ ls -la /tmp/rekor-cli
+ /tmp/rekor-cli version
+
+ - name: Attest
+ id: attest
+ uses: actions/attest-build-provenance@v1.1.1
+ with:
+ subject-path: /tmp/rekor-cli
+
+ - name: Show bundle
+ run: |
+ echo "${{ steps.attest.outputs.bundle-path }}"
+ ls -la "${{ steps.attest.outputs.bundle-path }}"
+ cat "${{ steps.attest.outputs.bundle-path }}"
+
+ - name: Upload
+ id: upload
+ run: |
+ set -o errexit
+ set -o nounset
+ set -o pipefail
+ set -o xtrace
+
+ bucket=oak-bins
+ package_name=rekor_cli_linux_amd64
+ binary_path=/tmp/rekor-cli
+ provenance_path=${{ steps.attest.outputs.bundle-path }}
+
+ gcs_binary_path="binary/${GITHUB_SHA}/${package_name}/binary"
+ gcs_provenance_path="provenance/${GITHUB_SHA}/${package_name}/attestation.jsonl"
+ binary_url="https://storage.googleapis.com/${bucket}/${gcs_binary_path}"
+ provenance_url="https://storage.googleapis.com/${bucket}/${gcs_provenance_path}"
+
+ gsutil cp "${binary_path}" "gs://${bucket}/${gcs_binary_path}"
+ gsutil cp "${provenance_path}" "gs://${bucket}/${gcs_provenance_path}"
+
+ curl --fail \
+ --request POST \
+ --header 'Content-Type: application/json' \
+ --data "{ \"url\": \"${binary_url}\" }" \
+ https://api.static.space/v1/snapshot
+ curl --fail \
+ --request POST \
+ --header 'Content-Type: application/json' \
+ --data "{ \"url\": \"${provenance_url}\" }" \
+ https://api.static.space/v1/snapshot
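Review bot: The Build step clones sigstore/rekor at whatever its default branch points to when the job runs, so the attested binary is built from an unpinned and unrecorded upstream revision — the provenance bundle and the GCS paths only carry this repository's `GITHUB_SHA`, which says nothing about which Rekor source went into `/tmp/rekor-cli`. Pin the checkout and log what was built, e.g. `git clone --branch <PINNED_REKOR_TAG> --depth 1 https://github.com/sigstore/rekor.git rekor-cli` followed by `git -C rekor-cli rev-parse HEAD`, so a consumer can tie the attestation back to a specific Rekor commit. Relatedly, `branches: [main]` under `workflow_dispatch` is not a filter that trigger honors (the ref is chosen at dispatch time), so if only main builds should land in `oak-bins`, guard the job with `if: github.ref == 'refs/heads/main'`. The actions (`actions/attest-build-provenance@v1.1.1`, `google-github-actions/auth@v2`, `actions/checkout@v4`) are referenced by mutable tag rather than commit SHA; if the rest of the repository SHA-pins its actions, this file should follow, since the job holds GCP credentials and `id-token: write`.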