Merge pull request #28 from somtochiama/supply-chain

Paulo Gomes · web-flow · commit 842e24fcb1bf · 2022-07-06T17:51:30.000+01:00
Improve supply chain security
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -14,6 +14,7 @@ on:
 
 permissions:
   packages: write # needed for ghcr access
+  id-token: write # needed for keyless signing
 
 jobs:
 
@@ -48,6 +49,8 @@ jobs:
         uses: actions/checkout@v2
       - name: Unshallow
         run: git fetch --prune --unshallow
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
       - name: Set up QEMU
         id: qemu
         uses: docker/setup-qemu-action@v1
@@ -148,6 +151,16 @@ jobs:
           tags: ${{ steps.meta_libgit2_all.outputs.tags }}
           labels: ${{ steps.meta_libgit2_all.outputs.labels }}
           cache-from: type=local,src=/tmp/.buildx-cache
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          array=($(echo ${{ steps.meta_libgit2_all.outputs.tags }} | tr '\n' " "))
+          for image in "${array[@]}"
+          do
+            echo  "Signing $image"
+            cosign sign $image
+          done
 
       - name: Compose release candidate metadata - golang-with-libgit2-only
         id: meta_libgit2_only
@@ -174,3 +187,13 @@ jobs:
           tags: ${{ steps.meta_libgit2_only.outputs.tags }}
           labels: ${{ steps.meta_libgit2_only.outputs.labels }}
           cache-from: type=local,src=/tmp/.buildx-cache
+      - name: Sign images
+        env:
+          COSIGN_EXPERIMENTAL: 1
+        run: |
+          array=($(echo ${{ steps.meta_libgit2_all.outputs.tags }} | tr '\n' " "))
+          for element in "${array[@]}"
+          do
+            echo ${element}
+            cosign sign $element
+          done
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -15,36 +15,12 @@ on:
 
 permissions:
   contents: write # needed to write releases
+  id-token: write # needed for keyless signing
 
 jobs:
 
-  github_release:
-    runs-on: ubuntu-latest
-    outputs:
-      release_upload_url: ${{ steps.create_release.outputs.upload_url }}
-    steps:
-      - name: Prepare
-        id: prep
-        run: |
-          VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
-          if [[ $GITHUB_REF == refs/tags/* ]]; then
-            VERSION=${GITHUB_REF/refs\/tags\//}
-          fi
-          echo ::set-output name=VERSION::${VERSION}
-      - name: Create Release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          release_name: ${{ steps.prep.outputs.VERSION }}
-          tag_name: ${{ steps.prep.outputs.VERSION }}
-          draft: false
-          prerelease: true
-
   linux-amd64-release:
     runs-on: ubuntu-latest
-    needs: github_release
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -62,16 +38,6 @@ jobs:
 
           tar -zcvf linux-x86_64-libgit2-all-libs.tar.gz libgit2-linux-libgit2-all
           rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2
-      - name: Upload Release Asset
-        id: upload-release-asset-libgit2-all
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          upload_url: ${{ needs.github_release.outputs.release_upload_url }}
-          asset_path: ./linux-x86_64-libgit2-all-libs.tar.gz
-          asset_name: linux-x86_64-libgit2-all-libs.tar.gz
-          asset_content_type: application/gzip
 
       - name: Build static libraries - libgit2 only
         run: |
@@ -85,16 +51,11 @@ jobs:
 
           tar -zcvf linux-x86_64-libgit2-only-lib.tar.gz libgit2-linux-libgit2-only
           rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2
-      - name: Upload Release Asset
-        id: upload-release-asset-libgit2-only
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+      - uses: actions/upload-artifact@v3
         with:
-          upload_url: ${{ needs.github_release.outputs.release_upload_url }}
-          asset_path: ./linux-x86_64-libgit2-only-lib.tar.gz
-          asset_name: linux-x86_64-libgit2-only-lib.tar.gz
-          asset_content_type: application/gzip
+          name: release-artifact
+          path: '*.tar.gz'
+          if-no-files-found: error
 
   darwin-release:
     # This job builds and releases "universal libraries" that are
@@ -108,7 +69,6 @@ jobs:
     # of testing, GitHub's macos-10.15 did not seem to. 
     # Cross-compiling to arm64 on that runner consistently failed.
     runs-on: macos-11
-    needs: github_release
     steps:
       - name: Checkout
         uses: actions/checkout@v2
@@ -156,16 +116,6 @@ jobs:
           rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2
         env:
           MACOSX_DEPLOYMENT_TARGET: 10.15
-      - name: Upload Release Asset
-        id: upload-release-asset-libgit2-all
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
-        with:
-          upload_url: ${{ needs.github_release.outputs.release_upload_url }}
-          asset_path: ./darwin-libgit2-all-libs.tar.gz
-          asset_name: darwin-libgit2-all-libs.tar.gz
-          asset_content_type: application/gzip
 
       - name: Build universal static libraries for Darwin - libgit2 only
         run: |
@@ -179,9 +129,8 @@ jobs:
           CMAKE_APPLE_SILICON_PROCESSOR=arm64 \
           ./hack/static.sh build_libgit2_only
 
-          mkdir -p ./libgit2-darwin-libgit2-only
+          mkdir -p ./libgit2-darwin-libgit2-only/lib
           mv ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/include ./libgit2-darwin-libgit2-only/
-          mv ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/lib ./libgit2-darwin-libgit2-only/
 
           libtool -static -o ./libgit2-darwin-libgit2-only/lib/libgit2.a \
             ${GITHUB_WORKSPACE}/build/libgit2-darwin-amd64/lib/libgit2.a \
@@ -191,13 +140,34 @@ jobs:
           rm -rf ${GITHUB_WORKSPACE}/build ${GITHUB_WORKSPACE}/libgit2
         env:
           MACOSX_DEPLOYMENT_TARGET: 10.15
-      - name: Upload Release Asset
-        id: upload-release-asset-libgit2-only
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
+      - uses: actions/upload-artifact@v3
+        with:
+          name: release-artifact
+          path: '*.tar.gz'
+          if-no-files-found: error
+
+  goreleaser:
+    runs-on: ubuntu-latest
+    needs: [linux-amd64-release, darwin-release]
+    if:  ${{ always() && contains(join(needs.*.result, ','), 'success') }}
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-go@v2
+        with:
+          go-version: 1.17.x
+      - name: Setup Cosign
+        uses: sigstore/cosign-installer@main
+      - name: Setup Syft
+        uses: anchore/sbom-action/download-syft@v0
+      - name: Download Files
+        uses: actions/download-artifact@v3
         with:
-          upload_url: ${{ needs.github_release.outputs.release_upload_url }}
-          asset_path: ./darwin-libs-libgit2-only.tar.gz
-          asset_name: darwin-libs-libgit2-only.tar.gz
-          asset_content_type: application/gzip
+          name: release-artifact
+      - uses: goreleaser/goreleaser-action@v2
+        with:
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,5 @@
 build/
 vendor/
+
+# Built library files
+*.tar.gz
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -0,0 +1,40 @@
+project_name: golang-with-libgit2
+
+builds:
+- skip: true
+
+release:
+  prerelease: auto
+  extra_files:
+    - glob: '*.tar.gz'
+
+changelog:
+  use: github-native
+
+sboms:
+  - artifacts: archive
+  - id: source
+    artifacts: source
+    documents:
+    - "{{ .ProjectName }}_{{ .Version }}_sbom.spdx.json"
+
+checksum:
+  name_template: 'checksums.txt'
+  extra_files:
+    - glob: '*.tar.gz'
+
+source:
+  enabled: true
+
+signs:
+  - cmd: cosign
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    certificate: '${artifact}.pem'
+    args:
+      - sign-blob
+      - '--output-certificate=${certificate}'
+      - '--output-signature=${signature}'
+      - '${artifact}'
+    artifacts: checksum
+    output: true
diff --git a/README.md b/README.md
@@ -139,3 +139,23 @@ $ readelf -h /usr/local/aarch64-alpine-linux-musl/lib/libz.a | grep Machine | so
 [libssh2-1-misconfiguration]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=668271
 [mbedtls-ed25519]: https://github.com/ARMmbed/mbedtls/issues/2452
 [libgit2-5750]: https://github.com/libgit2/libgit2/pull/5750
+
+## To verify artefacts
+
+Download the following files from the releases section:
+1. checksum.txt
+2. checksum.txt.pem
+3. checksum.txt.sig
+4. The compressed library files
+
+You can verify that the `checksum.txt` wasn't tampered with using `cosign` and the downloaded certificate and signature.
+
+```
+cosign verify-blob --cert checksums.txt.pem --signature checksums.txt.sig checksums.txt
+```
+
+Verify the hashes of the other files using `checksum.txt`:
+
+```
+sha256sum --ignore-missing -c checksums.txt
+```
