diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 0000000..b18541c --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml @@ -0,0 +1,105 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - uses: actions/checkout@v4 + + # ======================================================== + # + # Step 1: Build your artifacts. + # + # ======================================================== + - name: Build artifacts + run: | + # These are some amazing artifacts. + echo "artifact1" > artifact1 + echo "artifact2" > artifact2 + + # ======================================================== + # + # Step 2: Add a step to generate the provenance subjects + # as shown below. Update the sha256 sum arguments + # to include all binaries that you generate + # provenance for. + # + # ======================================================== + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: - name: Deploy HelmFile + # You may pin to the exact commit or the version. + # uses: cloudposse/github-action-deploy-helmfile@fcc0ea83519505047bd34a4e017f1d0c3516a5cc + uses: cloudposse/github-action-deploy-helmfile@0.7.0 + with: + # Cluster name + cluster: + # AWS region + aws-region: # optional, default is us-east-1 + # The path where lives the helmfile. + helmfile-path: # optional, default is deploy + # Helmfile name + helmfile: # optional, default is helmfile.yaml + # Operation with helmfiles. (valid options - `deploy`, `destroy`) + operation: # default is deploy + # Helmfile environment + environment: # optional, default is preview + # Git SHA + gitref-sha: # optional, default is + # Kubernetes namespace + namespace: + # Docker image + image: + # Docker image tag + image-tag: + # Debug mode + debug: # optional, default is false + # The name of the label used to describe the helm release + release_label_name: # optional, default is release + # YAML string with extra values to use in a helmfile deploy + values_yaml: # optional + # Helm version + helm_version: # optional, default is 3.11.1 + # Helmfile version + helmfile_version: # optional, default is 0.143.5 + # Kubectl version + kubectl_version: # optional, default is 1.26.3 + # Kubectl version + chamber_version: # optional, default is 2.11.1 + + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release diff --git a/release,tagset b/release,tagset new file mode 100644 index 0000000..6602d37 --- /dev/null +++ b/release,tagset @@ -0,0 +1,108 @@ +- uses: actions/checkout@v5 + with: + # Repository name with owner. For example, actions/checkout + # Default: ${{ github.repository }} + repository: '' + + # The branch, tag or SHA to checkout. When checking out the repository that + # triggered a workflow, this defaults to the reference or SHA for that event. + # Otherwise, uses the default branch. + ref: '' + + # Personal access token (PAT) used to fetch the repository. The PAT is configured + # with the local git config, which enables your scripts to run authenticated git + # commands. The post-job step removes the PAT. + # + # We recommend using a service account with the least permissions necessary. Also + # when generating a new PAT, select the least scopes necessary. + # + # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) + # + # Default: ${{ github.token }} + token: '' + + # SSH key used to fetch the repository. The SSH key is configured with the local + # git config, which enables your scripts to run authenticated git commands. The + # post-job step removes the SSH key. + # + # We recommend using a service account with the least permissions necessary. + # + # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets) + ssh-key: '' + + # Known hosts in addition to the user and global host key database. The public SSH + # keys for a host may be obtained using the utility `ssh-keyscan`. For example, + # `ssh-keyscan github.com`. The public key for github.com is always implicitly + # added. + ssh-known-hosts: '' + + # Whether to perform strict host key checking. When true, adds the options + # `StrictHostKeyChecking=yes` and `CheckHostIP=no` to the SSH command line. Use + # the input `ssh-known-hosts` to configure additional hosts. + # Default: true + ssh-strict: '' + + # The user to use when connecting to the remote SSH host. By default 'git' is + # used. + # Default: git + ssh-user: '' + + # Whether to configure the token or SSH key with the local git config + # Default: true + persist-credentials: '' + + # Relative path under $GITHUB_WORKSPACE to place the repository + path: '' + + # Whether to execute `git clean -ffdx && git reset --hard HEAD` before fetching + # Default: true + clean: '' + + # Partially clone against a given filter. Overrides sparse-checkout if set. + # Default: null + filter: '' + + # Do a sparse checkout on given patterns. Each pattern should be separated with + # new lines. + # Default: null + sparse-checkout: '' + + # Specifies whether to use cone-mode when doing a sparse checkout. + # Default: true + sparse-checkout-cone-mode: '' + + # Number of commits to fetch. 0 indicates all history for all branches and tags. + # Default: 1 + fetch-depth: '' + + # Whether to fetch tags, even if fetch-depth > 0. + # Default: false + fetch-tags: '' + + # Whether to show progress status output when fetching. + # Default: true + show-progress: '' + + # Whether to download Git-LFS files + # Default: false + lfs: '' + + # Whether to checkout submodules: `true` to checkout submodules or `recursive` to + # recursively checkout submodules. + # + # When the `ssh-key` input is not provided, SSH URLs beginning with + # `git@github.com:` are converted to HTTPS. + # + # Default: false + submodules: '' + + # Add repository path as safe.directory for Git global config by running `git + # config --global --add safe.directory ` + # Default: true + set-safe-directory: '' + + # The base URL for the GitHub instance that you are trying to clone from, will use + # environment defaults to fetch from the same instance that the workflow is + # running from unless specified. Example URLs are https://github.com or + # https://my-ghes-server.example.com + github-server-url: ''