build: adding SLSA provenance generation for build artifacts and cont…

…ainers (#370)


Adding SLSA provenance generation for artifacts and containers built for
ld-relay. Based off goreleaser's guidance for SLSA provenance generation
with goreleaser:
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

.github/actions/publish/action.yml

@@ -11,6 +11,16 @@ inputs:
   tag:
     description: 'Tag to upload artifacts to.'
     required: true
+outputs:
+  hashes: 
+    description: sha256sum hashes of built artifacts 
+    value: ${{ steps.binary.outputs.hashes }}
+  image: 
+    description: built docker image names
+    value: ${{ steps.image.outputs.name }}
+  digest: 
+    description: built docker image digests 
+    value: ${{ steps.image.outputs.digest }}
 
 runs:
   using: composite
@@ -29,12 +39,35 @@ runs:
       run: |
         echo $DOCKER_TOKEN | docker login --username $DOCKER_USERNAME --password-stdin
     - name: Run Goreleaser
+      id: goreleaser
       uses: goreleaser/goreleaser-action@v5
       with:
         version: latest
         args: release --clean ${{ inputs.dry-run == 'true' && '--skip=publish' || '' }}
       env:
         GITHUB_TOKEN: ${{ inputs.token }}
+    - name: Generate binary hashes
+      id: binary 
+      shell: bash
+      env: 
+        ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
+      run: |
+        set -euo pipefail
+
+        checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+        echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+    - name: Image digest 
+      id: image 
+      shell: bash
+      env:
+        ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+      run: |
+        set -euo pipefail
+        image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
+        image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
+        digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+        echo "name=$image" >> "$GITHUB_OUTPUT"
+        echo "digest=$digest" >> "$GITHUB_OUTPUT"
 
     - name: Upload Release Artifacts
       shell: bash

.github/workflows/manual-publish.yml

@@ -22,6 +22,10 @@ jobs:
     permissions:
       id-token: write # Needed to get Docker tokens during publishing.
       contents: write # Needed to upload release artifacts
+    outputs:
+      hashes: ${{ steps.publish.outputs.hashes }}
+      image: ${{ steps.publish.outputs.image }}
+      digest: ${{ steps.publish.outputs.digest }}
     steps:
       - uses: actions/checkout@v4
         with:
@@ -38,8 +42,37 @@ jobs:
           aws_assume_role: ${{ vars.AWS_ROLE_ARN }}
           ssm_parameter_pairs: '/global/services/docker/public/username = DOCKER_USERNAME, /global/services/docker/public/token = DOCKER_TOKEN'
       - name: Publish Package
+        id: publish
         uses: ./.github/actions/publish
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           dry-run: ${{ inputs.dry_run }}
           tag: ${{ inputs.tag }}
+
+  release-relay-binary-provenance:
+    needs: ['build-publish']
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build-publish.outputs.hashes }}"
+      upload-assets: ${{ !inputs.dry_run }}
+      upload-tag-name: ${{ inputs.tag }}
+      provenance-name: ${{ format('ld-relay-{0}_multiple_provenance.intoto.jsonl', inputs.tag) }}
+
+  release-relay-image-provenance:
+    needs: ['build-publish']
+    if: ${{ !inputs.dry_run }}
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.build-publish.outputs.image }}
+      digest: ${{ needs.build-publish.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release-please.yml

@@ -24,7 +24,10 @@ jobs:
     permissions:
       id-token: write # Needed to obtain Docker tokens
       contents: write # Needed to upload release artifacts
-
+    outputs:
+      hashes: ${{ steps.publish.outputs.hashes }}
+      image: ${{ steps.publish.outputs.image }}
+      digest: ${{ steps.publish.outputs.digest }}
     needs: [ release-please, go-versions ]
     if: ${{ needs.release-please.outputs.release_created == 'true' }}
     runs-on: ubuntu-latest
@@ -47,7 +50,35 @@ jobs:
       - uses: ./.github/actions/unit-tests
 
       - uses: ./.github/actions/publish
+        id: publish
         with:
           dry-run: 'false'
           token: ${{ secrets.GITHUB_TOKEN }}
           tag: ${{ needs.release-please.outputs.tag_name }}
+
+  release-relay-binary-provenance:
+    needs: ['release-please', 'release-relay']
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.release-relay.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
+      provenance-name: ${{ format('ld-relay-{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+
+  release-relay-image-provenance:
+    needs: ['release-please', 'release-relay']
+    permissions:
+      actions: read
+      id-token: write
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      image: ${{ needs.release-relay.outputs.image }}
+      digest: ${{ needs.release-relay.outputs.digest }}
+      registry-username: ${{ github.actor }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}