From 1844769572c2f43c27c8a5d4f703aea09264ccf9 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 13:59:44 -0500
Subject: [PATCH 1/7] attest release provenance
---
 .github/workflows/release.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe96cfee..2bc6e522 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,10 +5,6 @@ on: tags: - 'v*.*.*' -# grant write permission to GITHUB_TOKEN for goreleaser -permissions: - contents: write - env: ZITI_DEB_TEST_REPO: ${{ vars.ZITI_DEB_TEST_REPO || 'zitipax-openziti-deb-test' }} ZITI_RPM_TEST_REPO: ${{ vars.ZITI_RPM_TEST_REPO || 'zitipax-openziti-rpm-test' }}
@@ -263,6 +259,10 @@ jobs: draft-release: runs-on: ubuntu-latest needs: call-publish-docker-images + permissions: + contents: write # need write to draft the release + id-token: write # need write to get OIDC token for generating attestations + attestations: write # need write to create attestations steps: - uses: actions/checkout@v4
@@ -292,12 +292,20 @@ jobs: merge-multiple: true pattern: release-builds-* - - run: | + - name: Create Checksums File + shell: bash + run: | ls -lAR ./automated-release-build/ cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - - uses: goreleaser/goreleaser-action@v6 + - name: Attest Build Provenance + uses: actions/attest-build-provenance@v2 + with: + subject-checksums: ./checksums.sha256.txt + + - name: Draft Release + uses: goreleaser/goreleaser-action@v6 with: distribution: goreleaser version: '~> v2'
From 69a29fee95505f896f8ec4638c6085545121f256 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 14:26:37 -0500
Subject: [PATCH 2/7] add an attestations subject checksums file
---
 .github/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
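Review bot: With the top-level `permissions:` block gone, every job in this workflow other than `draft-release` now runs with whatever default GITHUB_TOKEN scope the repository settings grant, which is configured outside this file and may still be the legacy read/write default. Least privilege is better served by narrowing the block than by deleting it: keep `permissions:` / `  contents: read` at the top of the file so all jobs start read-only and the new per-job block in `draft-release` is the only elevation. The `on:` mapping above and the `env:` mapping below both continue outside this hunk.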
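Review bot: The two new `uses:` lines pull `actions/attest-build-provenance@v2` and `goreleaser/goreleaser-action@v6` by floating major tag, so the code that signs the provenance and the code that publishes the draft with `contents: write` can change without any diff to this file; pin each to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: actions/attest-build-provenance@<commit-sha> # v2` with the SHA taken from the action's release. A second point on the retained line `shasum --algorithm 256 ./* | tee ./checksums.sha256.txt`: both sides of the pipeline are forked together, so `tee` can create `checksums.sha256.txt` before `./*` is expanded and the release checksum file then occasionally lists itself. Expanding the glob before the pipeline avoids the race, e.g. `files=(./*); shasum --algorithm 256 "${files[@]}" | tee ./checksums.sha256.txt`.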
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bc6e522..0531ebc9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -292,17 +292,23 @@ jobs: merge-multiple: true pattern: release-builds-* - - name: Create Checksums File + - name: Create Checksum Files shell: bash run: | + ls -lAR ./automated-release-build/ + + # create checksum file for the attestations + shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + + # create checksum file for the release cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./checksums.sha256.txt + subject-checksums: ./attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6
From e059f0ff5943103bbbfe9cdb864db72c46bf39ec Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 14:26:37 -0500
Subject: [PATCH 3/7] add an attestations subject checksums file
---
 .github/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2bc6e522..0531ebc9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
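Review bot: The added line `shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt` records each subject under the name `./automated-release-build/<file>`, and as far as I can tell `subject-checksums` takes the names from the file verbatim, so the provenance would name paths that do not match the asset names goreleaser publishes on the release. Hashing from inside the directory while still writing the file out of tree keeps the subject names equal to the asset names, e.g. `(cd ./automated-release-build && shasum --algorithm 256 -- *) | tee ./attestation-subject-checksums.sha256.txt`. Digest-based verification should presumably still match either way, so treat this as a consistency point and confirm it against the action's documented parsing of the checksums file.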
@@ -292,17 +292,23 @@ jobs: merge-multiple: true pattern: release-builds-* - - name: Create Checksums File + - name: Create Checksum Files shell: bash run: | + ls -lAR ./automated-release-build/ + + # create checksum file for the attestations + shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + + # create checksum file for the release cd ./automated-release-build/ shasum --algorithm 256 ./* | tee ./checksums.sha256.txt - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./checksums.sha256.txt + subject-checksums: ./attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6
From d56d6c222e969921b6d2d4d3c188080e5a3a8880 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 14:45:46 -0500
Subject: [PATCH 4/7] place attestations subject checksums file outside git wc
---
 .github/workflows/release.yml | 4 ++--
 .gitignore | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0531ebc9..63b37405 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -299,7 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations - shasum --algorithm 256 ./automated-release-build/* | tee ./attestation-subject-checksums.sha256.txt + shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt # create checksum file for the release cd ./automated-release-build/
@@ -308,7 +308,7 @@ jobs: - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./attestation-subject-checksums.sha256.txt + subject-checksums: ./dist/attestation-subject-checksums.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6
diff --git a/.gitignore b/.gitignore
index a830fe64..4566b841 100644
--- a/.gitignore
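Review bot: This patch repeats PATCH 2/7 byte for byte, down to the same `index 2bc6e522..0531ebc9` line and the same `@@ -292,17 +292,23 @@` hunk, so applied after 2/7 it has nothing left to change and would be rejected as already applied; it looks like a duplicated commit in the series, possibly from a rebase. Drop one of the two so the history leading to PATCH 4/7 (whose base is `index 0531ebc9..63b37405`) stays linear.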
+++ b/.gitignore
@@ -2,7 +2,7 @@ .idea .vscode *.db -automated-release-build +/automated-release-build/ etc/dev.yml etc/dev-frontend.yml
@@ -10,7 +10,7 @@ etc/dev-frontend.yml node_modules/ # Artifacts -dist/ +/dist/ # Generated files .docusaurus
From a8419a0fdb520d8af8268e1524a5957a5269a26f Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 15:02:34 -0500
Subject: [PATCH 5/7] create dist dir
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 63b37405..a21d9c57 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -299,6 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations + mkdir -p ./dist shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt # create checksum file for the release
From 8dd8392cb8e4c5f2f7df6e8e3258eaab2d0bc00f Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 15:17:27 -0500
Subject: [PATCH 6/7] write attestation subjects outside work tree
---
 .github/workflows/release.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a21d9c57..c0aa572e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -299,8 +299,7 @@ jobs: ls -lAR ./automated-release-build/ # create checksum file for the attestations - mkdir -p ./dist - shasum --algorithm 256 ./automated-release-build/* | tee ./dist/attestation-subject-checksums.sha256.txt + shasum --algorithm 256 ./automated-release-build/* | tee /tmp/attestation-subjects.sha256.txt # create checksum file for the release cd ./automated-release-build/
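Review bot: The new line writes the subject list to the fixed path `/tmp/attestation-subjects.sha256.txt`, which the second hunk of this patch at `@@ -309,7 +308,7 @@` then hands to `subject-checksums:`; on a self-hosted runner `/tmp` is shared by every local user and is not cleared between jobs, so a file left at that predictable name by an earlier job or another user collides with the write, and `tee` either overwrites it or, if it cannot open it, fails the step. `$RUNNER_TEMP` is the per-job scratch directory the runner empties at the start and end of each job and it is also outside the work tree, so it meets the commit's goal without the shared path: `shasum --algorithm 256 ./automated-release-build/* | tee "$RUNNER_TEMP/attestation-subjects.sha256.txt"` here and `subject-checksums: ${{ runner.temp }}/attestation-subjects.sha256.txt` in the second hunk. GitHub-hosted runners are fresh VMs per job, so the exposure is limited to self-hosted runners.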
@@ -309,7 +308,7 @@ jobs: - name: Attest Build Provenance uses: actions/attest-build-provenance@v2 with: - subject-checksums: ./dist/attestation-subject-checksums.sha256.txt + subject-checksums: /tmp/attestation-subjects.sha256.txt - name: Draft Release uses: goreleaser/goreleaser-action@v6
From 9e0c2c42dbabfa3130e00311a354187d78a97f84 Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Mon, 24 Feb 2025 15:46:00 -0500
Subject: [PATCH 7/7] announce attestations
---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index dad2d9ea..f8c2d45b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,8 @@ CHANGE: Pre-releases are uploaded to the pre-release Linux package repo and Dock CHANGE: Linux release binaries are now built on the ziti-builder container image based on Ubuntu Focal 20.04 to preserve backward compatibility as the ubuntu-20.04 GitHub runner is end of life. +CHANGE: Release binary and text artifacts are now accompanied by provenance attestations (https://github.com/openziti/zrok/issues/889). + ## v0.4.48 FEATURE: The controller configuration now supports a `disable_auto_migration` boolean in the `store` stanza. When set to `true`, the controller will not attempt to auto-migrate (or otherwise validate the migration state) of the underlying database. Leaving `disable_auto_migration` out, or setting it to false will retain the default behavior of auto-migrating when starting the zrok controller. The `zrok admin migrate` command will still perform a migration regardless of how this setting is configured in the controller configuration (https://github.com/openziti/zrok/issues/866)