Support Github Artifact Attestations #4852

Open

smlx opened this issue May 10, 2024 · 1 comment
Labels
enhancement New feature or request triage Issue pending triage by one of the maintainers


smlx commented May 10, 2024

Is your feature request related to a problem? Please describe.

GitHub recently added a new feature called "Artifact Attestations". From what I can tell, it isn't straightforward to integrate this feature with Goreleaser.

Describe the solution you'd like

GitHub recently introduced native integration of sigstore signatures. They're calling this "Artifact Attestations". It would be very cool if Goreleaser supported automatic artifact attestations for all release artifacts. Or at least documented the recommended integration approach.

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

Describe alternatives you've considered

Goreleaser already supports signing various artifacts using sigstore's cosign. However, checking signatures is not straightforward and requires a fairly complex cosign command.

Search

  • I did search for other open and closed issues before opening this

Supporter

Code of Conduct

  • I agree to follow this project's Code of Conduct

Additional context

No response

@smlx smlx added enhancement New feature or request triage Issue pending triage by one of the maintainers labels May 10, 2024

smlx commented May 21, 2024

This is actually pretty simple to do yourself in case anyone else is interested:

```yaml
# The attest steps need job permissions `id-token: write` and
# `attestations: write`; `push-to-registry: true` additionally needs
# `packages: write` (plus `contents: read` for checkout).
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
  id: goreleaser
  with:
    version: latest
    args: release --clean
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# parse artifacts to the format required for image attestation
# (assumes exactly one "Docker Manifest" tag matches ":v"; several matches
# would write a multi-line value and break the $GITHUB_OUTPUT format)
- run: |
    echo "digest=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
    echo "name=$(echo "$ARTIFACTS" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
  id: image_metadata
  env:
    ARTIFACTS: ${{steps.goreleaser.outputs.artifacts}}
# attest archives (one provenance attestation per matching file, stored on GitHub)
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
  with:
    subject-path: "dist/*.tar.gz"
# attest image by digest (never by tag) and push the attestation to the registry next to it
- uses: actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
  with:
    subject-digest: ${{steps.image_metadata.outputs.digest}}
    subject-name: ${{steps.image_metadata.outputs.name}}
    push-to-registry: true
```
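The following is an added example, not code from GoReleaser, from actions/attest-build-provenance or from the comment above. It is a Python stand-in for the jq step in that workflow, and it also covers the verification side the issue body raises (checking a signature without a long cosign command): it reads the JSON that goreleaser-action exposes as `steps.<id>.outputs.artifacts`, selects the published Docker manifest, and writes the `name`/`digest` lines the image attestation step consumes. Unlike the jq filter it considers every `Docker Manifest` entry, strips only a real tag (so a registry with a port such as `localhost:5000/app:v1` survives), refuses to continue when several tags disagree on repository or digest (a multi-line value would otherwise corrupt `$GITHUB_OUTPUT`), and checks the digest is a well-formed `sha256:` value before writing it. The `SAMPLE_ARTIFACTS` document, its digests, the `ghcr.io/example/myapp` image and the owner `example` are all constructed for the example; the artifacts.json field names follow the jq filter above, and `gh attestation verify ... --owner` is the GitHub CLI command for checking the resulting attestations.

```python
"""Select the image to attest from GoReleaser's artifacts.json (added example)."""
import json
import os
import re
import sys

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed sample modelled on the fields the jq filter above reads
# (type, name, extra.Digest); the digests are made up. Three tags of one
# multi-arch image point at the same manifest digest.
SAMPLE_ARTIFACTS = json.dumps([
    {"name": "myapp_1.2.3_linux_amd64.tar.gz", "path": "dist/myapp_1.2.3_linux_amd64.tar.gz",
     "type": "Archive", "extra": {"Checksum": "sha256:" + "11" * 32}},
    {"name": "ghcr.io/example/myapp:v1.2.3-amd64", "type": "Docker Image",
     "extra": {"Digest": "sha256:" + "22" * 32}},
    {"name": "ghcr.io/example/myapp:v1.2.3", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "33" * 32}},
    {"name": "ghcr.io/example/myapp:v1.2", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "33" * 32}},
    {"name": "ghcr.io/example/myapp:latest", "type": "Docker Manifest",
     "extra": {"Digest": "sha256:" + "33" * 32}},
])


def repository_of(reference: str) -> str:
    """Strip the tag or digest from an image reference.

    Only the last path component can carry a tag, so 'localhost:5000/x:v1'
    keeps its registry port (a plain split(':')[0] would cut it to 'localhost').
    """
    name = reference.split("@", 1)[0]          # drop a '@sha256:...' suffix if present
    head, sep, tail = name.rpartition(":")
    if sep and "/" not in tail:                # ':' followed by a tag, not a port
        return head
    return name


def select_manifest(artifacts_json: str) -> tuple:
    """Return (repository, digest) for the single manifest GoReleaser pushed.

    Raises ValueError when no manifest exists, when tags disagree on repository
    or digest, or when the digest is not a well-formed sha256 value. This keeps
    a stray newline or odd string out of the values written to $GITHUB_OUTPUT.
    """
    manifests = [a for a in json.loads(artifacts_json) if a.get("type") == "Docker Manifest"]
    if not manifests:
        raise ValueError("no Docker Manifest artifact in artifacts.json")
    repos = {repository_of(a["name"]) for a in manifests}
    digests = {a["extra"]["Digest"] for a in manifests}
    if len(repos) != 1 or len(digests) != 1:
        raise ValueError(f"ambiguous manifests: repos={sorted(repos)} digests={sorted(digests)}")
    digest = digests.pop()
    if not DIGEST_RE.match(digest):
        raise ValueError(f"unexpected digest format: {digest!r}")
    return repos.pop(), digest


def github_output_lines(repository: str, digest: str) -> list:
    """Lines to append to $GITHUB_OUTPUT, one key=value per line."""
    return [f"name={repository}", f"digest={digest}"]


def verify_commands(owner: str, repository: str, digest: str, archive: str) -> list:
    """gh CLI commands a consumer runs to check the two attestations the workflow creates.

    The image is verified by digest, so a retagged image cannot pass as the attested one.
    """
    return [
        f"gh attestation verify {archive} --owner {owner}",
        f"gh attestation verify oci://{repository}@{digest} --owner {owner}",
    ]


if __name__ == "__main__":
    # In a workflow step: env ARTIFACTS=${{ steps.goreleaser.outputs.artifacts }}
    repo, dig = select_manifest(os.environ.get("ARTIFACTS", SAMPLE_ARTIFACTS))
    lines = github_output_lines(repo, dig)
    out = os.environ.get("GITHUB_OUTPUT")
    if out:
        with open(out, "a", encoding="utf-8") as fh:
            fh.write("\n".join(lines) + "\n")
    else:
        print("\n".join(lines))
    print("\n".join(verify_commands("example", repo, dig, "dist/myapp_1.2.3_linux_amd64.tar.gz")),
          file=sys.stderr)
```

Run it as a `run: python3 select_manifest.py` step with `ARTIFACTS` set as in the workflow above and it appends the same `name`/`digest` keys the jq step produces, but fails the job instead of emitting a broken output when the release contains more than one manifest.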
