From ff37570d742f8388a3bb4c09ea8c799f10d54017 Mon Sep 17 00:00:00 2001
From: David Dworken <david@daviddworken.com>
Date: Fri, 8 Apr 2022 20:59:24 -0700
Subject: [PATCH] Added SLSA builder

---
 .github/workflows/slsa-goreleaser.yml | 53 +++++++++++++++++++++++++++
 .slsa-goreleaser.yml                  | 12 ++++++
 2 files changed, 65 insertions(+)
 create mode 100644 .github/workflows/slsa-goreleaser.yml
 create mode 100644 .slsa-goreleaser.yml

diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
new file mode 100644
index 0000000..c1cd8f3
--- /dev/null
+++ b/.github/workflows/slsa-goreleaser.yml
@@ -0,0 +1,53 @@
+name: SLSA go releaser
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" 
+
+permissions: read-all
+      
+jobs:
+  # ldflags to embed the commit hash in the binary
+  args:
+    runs-on: ubuntu-latest
+    outputs:
+      ldflags: ${{ steps.ldflags.outputs.value }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          echo "::set-output name=value::$(./scripts/version-ldflags)"
+  # Trusted builder.
+  build:
+    permissions:
+      id-token: write
+      contents: read
+    needs: args
+    uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@main # TODO: use hash upon release.
+    with:
+      go-version: 1.17
+      env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
+  # Upload to GitHub release.
+  upload:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+      - name: Release
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            ${{ needs.build.outputs.go-binary-name }}
+            ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml
new file mode 100644
index 0000000..298d0e8
--- /dev/null
+++ b/.slsa-goreleaser.yml
@@ -0,0 +1,12 @@
+version: 1
+
+flags:
+  - -trimpath
+
+goos: linux
+goarch: amd64
+
+binary: hishtory-{{ .OS }}-{{ .Arch }}
+
+ldflags:
+  - '{{ .Env.VERSION_LDFLAGS }}'