Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

build: adding provenance generation to ruby release-please workflow #247

Merged
merged 2 commits into from
Feb 8, 2024
Merged

build: adding provenance generation to ruby release-please workflow #247

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f4aded1
build: adding provenance generation to ruby release-please workflow
rsoberano-ld Jan 24, 2024
41c4ab8
build: updating provenance generation for manual-publish workflows
rsoberano-ld Jan 27, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/actions/publish/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ inputs:
dry_run:
description: 'Is this a dry run. If so no package will be published.'
required: true
outputs:
gem-hash:
description: "base64-encoded sha256 hashes of distribution files"
value: ${{ steps.gem-hash.outputs.gem-hash }}

runs:
using: composite
Expand All @@ -12,6 +16,12 @@ runs:
shell: bash
run: gem build launchdarkly-server-sdk.gemspec

- name: Hash gem for provenance
id: gem-hash
shell: bash
run: |
echo "gem-hash=$(sha256sum launchdarkly-server-sdk-*.gem | base64 -w0)" >> "$GITHUB_OUTPUT"

- name: Publish Library
shell: bash
if: ${{ inputs.dry_run == 'false' }}
Expand Down
15 changes: 15 additions & 0 deletions .github/workflows/manual-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,8 @@ jobs:
permissions:
id-token: write
contents: read
outputs:
gem-hash: ${{ steps.publish.outputs.gem-hash}}
steps:
- uses: actions/checkout@v4

Expand All @@ -34,3 +36,16 @@ jobs:
uses: ./.github/actions/publish
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you need to set the id of the step here to publish.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure I'm understanding this comment - id: publish is set in line 34(?)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤦🏼 just didn't see it since it was collapsed in the UI.

with:
dry_run: ${{ inputs.dry_run }}

release-provenance:
needs: [ 'build-publish' ]
runs-on: ubuntu-latest
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with:
base64-subjects: "${{ needs.build-publish.outputs.gem-hash }}"
upload-assets: ${{ !inputs.dry_run }}

19 changes: 19 additions & 0 deletions .github/workflows/release-please.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,10 @@ jobs:
id-token: write # Needed if using OIDC to get release secrets.
contents: write # Contents and pull-requests are for release-please to make releases.
pull-requests: write
outputs:
release-created: ${{ steps.release.outputs.release_created }}
upload-tag-name: ${{ steps.release.outputs.tag_name }}
gem-hash: ${{ steps.publish.outputs.gem-hash}}
steps:
- uses: google-github-actions/release-please-action@v3
id: release
Expand Down Expand Up @@ -41,6 +45,7 @@ jobs:
if: ${{ steps.release.outputs.releases_created }}

- uses: ./.github/actions/publish
id: publish
if: ${{ steps.release.outputs.releases_created }}
with:
dry_run: false
Expand All @@ -49,3 +54,17 @@ jobs:
if: ${{ steps.release.outputs.releases_created }}
with:
token: ${{secrets.GITHUB_TOKEN}}

release-provenance:
needs: [ 'release-package' ]
if: ${{ needs.release-package.outputs.release-created }}
runs-on: ubuntu-latest
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with:
base64-subjects: "${{ needs.release-package.outputs.gem-hash }}"
upload-assets: true
upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
26 changes: 26 additions & 0 deletions PROVENANCE.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
## Verifying SDK build provenance with the SLSA framework

LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.

As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple-provenance.intoto.jsonl`.

To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below:

```
# Download gem
$ gem fetch launchdarkly-server-sdk

# Download provenance from Github release
$ curl --location -O \
https://github.com/launchdarkly/ruby-server-sdk/releases/download/VERSION/multiple.intoto.jsonl

# Run slsa-verifier to verify provenance against package artifacts
$ slsa-verifier verify-artifact \
--provenance-path multiple-provenance.intoto.jsonl \
--source-uri github.com/launchdarkly/ruby-server-sdk \
launchdarkly-server-sdk-VERSION.gem
```

Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.

**Note:** These instructions do not apply when building our SDKs from source.
7 changes: 6 additions & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,12 @@ Contributing
------------

We encourage pull requests and other contributions from the community. Check out our [contributing guidelines](CONTRIBUTING.md) for instructions on how to contribute to this SDK.


Verifying SDK build provenance with the SLSA framework
------------

LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md).

About LaunchDarkly
-----------

Expand Down
Loading