From 87dee94aab2f85e66eef7af6268b24c5d1316b39 Mon Sep 17 00:00:00 2001
From: David Dworken
Date: Fri, 3 Nov 2023 22:09:54 -0700
Subject: [PATCH] Add initial version of slsa releaser that validates the generated SLSA signatures
---
 .github/workflows/slsa-releaser.yml | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/slsa-releaser.yml b/.github/workflows/slsa-releaser.yml
index eac6d47..a80e0c9 100644
--- a/.github/workflows/slsa-releaser.yml
+++ b/.github/workflows/slsa-releaser.yml
@@ -2,6 +2,7 @@ name: SLSA Client Releaser
 on:
 workflow_dispatch:
 push:
+ branches: [ master ]
 tags:
 - "*"
 
@@ -141,10 +142,10 @@ jobs:
 run: |
 curl https://api.hishtory.dev/api/v1/trigger-cron
 
- # Upload to GitHub release.
- upload:
+ # Validate the signed binaries
+ validate:
 permissions:
- contents: write
+ contents: read
 runs-on: ubuntu-latest
 needs:
 - build-linux-amd64
@@ -169,14 +170,14 @@ jobs:
 - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
 with:
 name: hishtory-darwin-arm64.intoto.jsonl
- - name: Release
- uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
- if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
- with:
- files: |
- hishtory-linux-amd64
- hishtory-linux-amd64.intoto.jsonl
- hishtory-darwin-amd64
- hishtory-darwin-amd64.intoto.jsonl
- hishtory-darwin-arm64
- hishtory-darwin-arm64.intoto.jsonl
+ - name: Validate Release
+ run: |
+ curl https://hishtory.dev/install.py | python3 -
+ source ~/.bashrc
+ ls
+ pwd
+ which hishtory
+ echo $PATH
+ hishtory validate-binary v0.`cat VERSION` hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
+ # TODO: Validate other binaries here
+
\ No newline at end of file
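Review bot: `branches: [ master ]` makes every push to master run this workflow in addition to tag pushes, and the only tag gate visible in this patch (the `if:` on the removed Release step in the third hunk) is being deleted, so the full build-and-validate pipeline now runs per commit on master. If that is the intent, a comment above the key would spare the next reader a guess, e.g. `# Also run on master pushes so the validate job checks provenance on every commit`. Any tag-conditional steps in jobs outside this hunk would need their own look, since the rest of the file's `if:` conditions are not visible here. As a point of style, the flow list is conventionally written `branches: [master]` without inner spaces.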
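Review bot: The verifier used by the new Validate Release step is itself fetched unverified — `curl https://hishtory.dev/install.py | python3 -` downloads an unpinned installer over the network and executes it, so the SLSA check is only as trustworthy as whatever hishtory.dev serves at run time, which undercuts the point of validating provenance from inside the release pipeline. Prefer an independent, SHA-pinned verifier (the SLSA project's slsa-verifier via its pinned installer action) or at minimum a pinned installer release whose checksum is compared before execution, and use `curl -fsSL` so an HTTP error body is never piped into python3. `ls`, `pwd`, `which hishtory` and `echo $PATH` read as leftover diagnostics, and `source ~/.bashrc` assumes the installer edited that file and that it is sourced in the runner's non-interactive shell — worth confirming rather than relying on. `v0.`cat VERSION`` is better written `v0.$(cat VERSION)`, and the TODO leaves hishtory-darwin-amd64 and hishtory-darwin-arm64 unvalidated even though their artifacts are downloaded in this same job, so a loop over all three costs nothing.
```yaml
      # … unchanged: download-artifact steps …
      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@<PINNED_SHA>  # placeholder: pin to a released commit
      - name: Validate Release
        run: |
          set -euo pipefail
          for bin in hishtory-linux-amd64 hishtory-darwin-amd64 hishtory-darwin-arm64; do
            slsa-verifier verify-artifact "$bin" \
              --provenance-path "$bin.intoto.jsonl" \
              --source-uri "github.com/<OWNER>/<REPO>"  # placeholder: this repository
          done
```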