Merge pull request #841 from google/verify

ci: Verify SLSA3 provenance after release.
google · Apr 23, 2024 · fc4094a · fc4094a
2 parents d4761fe + c395207
commit fc4094a
Showing 1 changed file with 32 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -90,3 +90,35 @@ jobs:
  push: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }}
  tags: ${{ steps.meta.outputs.tags }}
  labels: ${{ steps.meta.outputs.labels }}
+
+ verify:
+ needs: [goreleaser, provenance]
+ if: ${{ startsWith(github.ref, 'refs/tags/v') }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ env:
+ CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+ PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+ steps:
+ - uses: slsa-framework/slsa-verifier/actions/[email protected]
+ - name: download assets
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ set -euo pipefail
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
+ - name: verify assets
+ run: |
+ set -euo pipefail
+ checksums=$(echo "$CHECKSUMS" | base64 -d)
+ while read -r line; do
+ fn=$(echo $line | cut -d ' ' -f2)
+ echo "Verifying $fn"
+ slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+ --source-uri "github.com/$GITHUB_REPOSITORY" \
+ --source-tag "$GITHUB_REF_NAME" \
+ "$fn"
+ done <<<"$checksums"