Added SLSA builder

.github/workflows/slsa-goreleaser.yml

@@ -0,0 +1,53 @@
+name: SLSA go releaser
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - "*" 
+
+permissions: read-all
+      
+jobs:
+  # ldflags to embed the commit hash in the binary
+  args:
+    runs-on: ubuntu-latest
+    outputs:
+      ldflags: ${{ steps.ldflags.outputs.value }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+        with:
+          fetch-depth: 0
+      - id: ldflags
+        run: |
+          echo "::set-output name=value::$(./scripts/version-ldflags)"
+  # Trusted builder.
+  build:
+    permissions:
+      id-token: write
+      contents: read
+    needs: args
+    uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@main # TODO: use hash upon release.
+    with:
+      go-version: 1.17
+      env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
+  # Upload to GitHub release.
+  upload:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}
+      - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+        with:
+          name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+      - name: Release
+        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+        if: startsWith(github.ref, 'refs/tags/')
+        with:
+          files: |
+            ${{ needs.build.outputs.go-binary-name }}
+            ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl

.slsa-goreleaser.yml

@@ -0,0 +1,12 @@
+version: 1
+
+flags:
+  - -trimpath
+
+goos: linux
+goarch: amd64
+
+binary: hishtory-{{ .OS }}-{{ .Arch }}
+
+ldflags:
+  - '{{ .Env.VERSION_LDFLAGS }}'