From 4ce8a09b1613aa3c149c66aaf4037b1fd1d30ca0 Mon Sep 17 00:00:00 2001
From: Rouel Joseph Soberano
Date: Fri, 31 May 2024 16:16:59 -0700
Subject: [PATCH 1/4] build: adding SLSA provenance generation for nupkg artifacts
---
 .github/actions/full-release/action.yml | 5 ++++
 .github/actions/publish-package/action.yml | 11 ++++++++
 .github/workflows/release-please.yml | 33 ++++++++++++++++++++++
 3 files changed, 49 insertions(+)
diff --git a/.github/actions/full-release/action.yml b/.github/actions/full-release/action.yml
index a9f9accb..b4197b1b 100644
--- a/.github/actions/full-release/action.yml
+++ b/.github/actions/full-release/action.yml
@@ -25,6 +25,10 @@ inputs:
 token:
 description: 'The GitHub token to use for publishing documentation.'
 required: true
+outputs:
+ hashes:
+ description: sha256sum hashes of built artifacts
+ value: ${{ steps.publish.outputs.hashes }}
 runs:
 using: composite
@@ -59,6 +63,7 @@ runs:
 dll_name: ${{ inputs.dll_name }}
 - name: Publish Nupkg
+ id: publish
 uses: ./.github/actions/publish-package
 with:
 project_file: ${{ inputs.project_file }}
diff --git a/.github/actions/publish-package/action.yml b/.github/actions/publish-package/action.yml
index 92ea6b11..ed5a467b 100644
--- a/.github/actions/publish-package/action.yml
+++ b/.github/actions/publish-package/action.yml
@@ -7,6 +7,10 @@ inputs:
 dry_run:
 description: 'Is this a dry run. If so no package will be published.'
 required: true
+outputs:
+ hashes:
+ description: sha256sum hashes of built artifacts
+ value: ${{ steps.hash.outputs.hashes }}
 runs:
 using: composite
@@ -27,6 +31,13 @@ runs:
 echo "published ${pkg}"
 done
+ - name: Hash nuget packages
+ id: hash
+ if: ${{ inputs.dry_run == 'false' }}
+ shell: bash
+ run: |
+ echo "hashes=$(sha256sum ./nupkgs/*.nupkg ./nupkgs/*.snupkg | base64 -w0)" >> "$GITHUB_OUTPUT"
+
 - name: Dry Run Publish
 if: ${{ inputs.dry_run == 'true' }}
 shell: bash
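Review bot: The new `hashes` output is described as plain "sha256sum hashes of built artifacts", but what `steps.publish` forwards is the base64-encoded `sha256sum` listing that publish-package's hash step writes, and that step is skipped on dry runs (its `if: ${{ inputs.dry_run == 'false' }}` is in the publish-package hunk of this same commit), so the output is empty whenever dry_run is true. Since callers feed this value straight into the SLSA generator's `base64-subjects`, the description should say what the consumer gets: `description: 'base64-encoded output of sha256sum over the built .nupkg/.snupkg files, in the form expected by slsa-github-generator base64-subjects; empty when dry_run is true.'` The same wording applies to the matching `outputs` hunk in .github/actions/publish-package/action.yml.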
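Review bot: The hash step runs `sha256sum ./nupkgs/*.nupkg ./nupkgs/*.snupkg` inside a command substitution, so if either glob matches nothing (no symbol packages, or a build that left ./nupkgs empty) sha256sum fails on the literal pattern while the surrounding `echo ... >> "$GITHUB_OUTPUT"` still exits 0, and the step records a partial or empty subject list instead of failing. The step is also placed after the publish loop (whose start is outside this hunk), so a package can already be on the feed when hashing fails; hashing before the push lets a hashing failure block the publish. Finally, sha256sum prints the `./nupkgs/` prefix, which as far as I can tell becomes the subject name in the provenance, whereas hashing from inside the directory keeps subject names equal to the artifact file names (worth confirming against the generator's subject format). A guarded version of the step:
```yaml
      - name: Hash nuget packages
        id: hash
        if: ${{ inputs.dry_run == 'false' }}
        shell: bash
        run: |
          set -euo pipefail
          shopt -s nullglob
          cd ./nupkgs
          pkgs=(*.nupkg *.snupkg)
          if [ "${#pkgs[@]}" -eq 0 ]; then
            echo "no .nupkg/.snupkg files found in ./nupkgs; nothing to hash" >&2
            exit 1
          fi
          # assignment rather than inline echo so set -e/pipefail see a sha256sum failure
          hashes=$(sha256sum "${pkgs[@]}" | base64 -w0)
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"
```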
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 1f00c13a..05aca1a5 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -12,6 +12,7 @@ jobs:
 outputs:
 package-sdk-server-released: ${{ steps.release.outputs['pkgs/sdk/server--release_created'] }}
 package-sdk-server-telemetry-released: ${{ steps.release.outputs['pkgs/telemetry--release_created'] }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
 steps:
 - uses: google-github-actions/release-please-action@v4
@@ -28,9 +29,12 @@ jobs:
 contents: write
 pull-requests: write
 if: ${{ needs.release-please.outputs.package-sdk-server-released == 'true'}}
+ outputs:
+ hashes: ${{ steps.full-release.outputs.hashes }}
 steps:
 - uses: actions/checkout@v4
 - uses: ./.github/actions/full-release
+ id: full-release
 with:
 workspace_path: 'pkgs/sdk/server'
 project_file: 'pkgs/sdk/server/src/LaunchDarkly.ServerSdk.csproj'
@@ -41,6 +45,19 @@ jobs:
 aws_role: ${{ vars.AWS_ROLE_ARN }}
 token: ${{ secrets.GITHUB_TOKEN }}
+ release-sdk-server-provenance:
+ needs: ['release-please', 'release-sdk-server']
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+ with:
+ base64-subjects: "${{ needs.release-sdk-server.outputs.hashes }}"
+ upload-assets: true
+ upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
+ provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
 release-telemetry:
 runs-on: ubuntu-latest
 needs: release-please
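Review bot: `tag_name` is read from the action's top-level output, while the two package outputs on the lines just above are read per path (`steps.release.outputs['pkgs/sdk/server--release_created']`), which is how release-please exposes results for a multi-package manifest; if the server SDK and telemetry packages are released in the same run there is only one top-level value, so one of the provenance jobs (`release-sdk-server-provenance` in the hunk below and `release-telemetry-provenance` in the next hunk) would attach its provenance to the other package's tag, and I can't confirm from here which tag the top-level value holds in that case. Expose the tag per package instead, `server-sdk-tag-name: ${{ steps.release.outputs['pkgs/sdk/server--tag_name'] }}` and `telemetry-tag-name: ${{ steps.release.outputs['pkgs/telemetry--tag_name'] }}`, and have each provenance job use its own value for `upload-tag-name` and `provenance-name`. That also keeps the provenance file name tied to the artifact it covers.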
@@ -49,9 +66,12 @@ jobs:
 contents: write
 pull-requests: write
 if: ${{ needs.release-please.outputs.package-sdk-server-telemetry-released == 'true'}}
+ outputs:
+ hashes: ${{ steps.full-release.outputs.hashes }}
 steps:
 - uses: actions/checkout@v4
 - uses: ./.github/actions/full-release
+ id: full-release
 with:
 workspace_path: 'pkgs/telemetry'
 project_file: 'pkgs/telemetry/src/LaunchDarkly.ServerSdk.Telemetry.csproj'
@@ -61,3 +81,16 @@ jobs:
 dry_run: false
 aws_role: ${{ vars.AWS_ROLE_ARN }}
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ release-telemetry-provenance:
+ needs: ['release-please', 'release-telemetry']
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+ with:
+ base64-subjects: "${{ needs.release-telemetry.outputs.hashes }}"
+ upload-assets: true
+ upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
+ provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
From 12fa0426dfdd68e420d184ca80281b03b9ad1b8e Mon Sep 17 00:00:00 2001
From: Rouel Joseph Soberano
Date: Fri, 31 May 2024 16:25:07 -0700
Subject: [PATCH 2/4] build: adding provenance generation for manual workflow
---
 .github/workflows/manual-publish.yml | 34 ++++++++++++++++++++++
 .github/workflows/release-please.yml | 4 ++--
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 1097c47e..7e584d64 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -20,9 +20,13 @@ jobs:
 permissions:
 id-token: write
 contents: write
+ outputs:
+ server-sdk-hashes: ${{ steps.server-sdk-release.outputs.hashes }}
+ telemetry-hashes: ${{ steps.telemetry-release.outputs.hashes }}
 steps:
 - uses: actions/checkout@v4
 - uses: ./.github/actions/full-release
+ id: server-sdk-release
 if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
 with:
 workspace_path: 'pkgs/sdk/server'
@@ -35,6 +39,7 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }}
 - uses: ./.github/actions/full-release
+ id: telemetry-release
 if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
 with:
 workspace_path: 'pkgs/telemetry'
@@ -45,3 +50,32 @@ jobs:
 dry_run: ${{ inputs.dry_run }}
 aws_role: ${{ vars.AWS_ROLE_ARN }}
 token: ${{ secrets.GITHUB_TOKEN }}
+
+ release-sdk-server-provenance:
+ needs: ['build']
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+ if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
+ with:
+ base64-subjects: "${{ needs.build.outputs.server-sdk-hashes }}"
+ upload-assets: true
+ upload-tag-name: ${{ input.tag_name }}
+ provenance-name: ${{ format('LaunchDarkly.ServerSdk-{0}_provenance.intoto.jsonl', input.tag_name) }}
+
+ release-telemetry-server-provenance:
+ needs: ['build']
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+ if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
+ with:
+ base64-subjects: "${{ needs.build.outputs.telemetry-hashes }}"
+ upload-assets: true
+ upload-tag-name: ${{ input.tag_name }}
+ provenance-name: ${{ format('LaunchDarkly.ServerSdk.Telemetry-{0}_provenance.intoto.jsonl', input.tag_name) }}
\ No newline at end of file
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 05aca1a5..b92e0a66 100644
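Review bot: Neither new provenance job checks `inputs.dry_run`, yet `build` passes `dry_run: ${{ inputs.dry_run }}` to full-release and the hash step behind `hashes` is skipped unless dry_run is 'false' (publish-package hunk in patch 1/4), so a dry run with the matching pkg_name still launches the SLSA generator with an empty `base64-subjects` and, with `upload-assets: true`, still asks it to publish assets; I would expect the generator to fail on empty subjects, but a dry run should not reach it at all. Add the flag to the condition, `if: ${{ !inputs.dry_run && inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}` (dry_run appears to be declared `type: boolean`, per the input just above generate_provenance in patch 3/4's hunk), and the same for `release-telemetry-server-provenance`. Patches 3/4 and 4/4 rewrite these `if:` conditions but keep the gap, so the point still applies to the final form of the file.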
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -56,7 +56,7 @@ jobs:
 base64-subjects: "${{ needs.release-sdk-server.outputs.hashes }}"
 upload-assets: true
 upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
- provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+ provenance-name: ${{ format('LaunchDarkly.ServerSdk-{0}_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
 release-telemetry:
 runs-on: ubuntu-latest
@@ -93,4 +93,4 @@ jobs:
 base64-subjects: "${{ needs.release-telemetry.outputs.hashes }}"
 upload-assets: true
 upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
- provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+ provenance-name: ${{ format('LaunchDarkly.ServerSdk.Telemetry-{0}_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
From 410a6d7300b6644fb1b9c5eec0c8b24e8f511ceb Mon Sep 17 00:00:00 2001
From: Rouel Joseph Soberano
Date: Mon, 3 Jun 2024 09:34:02 -0700
Subject: [PATCH 3/4] build: adding generate provenance toggle to manual publish workflow
---
 .github/workflows/manual-publish.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 7e584d64..4ab9ed2d 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -13,6 +13,10 @@ on:
 description: 'Is this a dry run. If so no package will be published.'
 type: boolean
 required: true
+ generate_provenance:
+ description: 'Whether or not to generate provenance for this manual publish.'
+ type: boolean
+ required: true
 jobs:
 build:
@@ -58,12 +62,11 @@ jobs:
 id-token: write
 contents: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
- if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
+ if: ${{ inputs.generate_provenance && inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
 with:
 base64-subjects: "${{ needs.build.outputs.server-sdk-hashes }}"
 upload-assets: true
- upload-tag-name: ${{ input.tag_name }}
- provenance-name: ${{ format('LaunchDarkly.ServerSdk-{0}_provenance.intoto.jsonl', input.tag_name) }}
+ provenance-name: ${{ 'LaunchDarkly.ServerSdk_provenance.intoto.jsonl' }}
 release-telemetry-server-provenance:
@@ -73,9 +76,8 @@ jobs:
 id-token: write
 contents: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
- if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
+ if: ${{ inputs.generate_provenance && inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
 with:
 base64-subjects: "${{ needs.build.outputs.telemetry-hashes }}"
 upload-assets: true
- upload-tag-name: ${{ input.tag_name }}
- provenance-name: ${{ format('LaunchDarkly.ServerSdk.Telemetry-{0}_provenance.intoto.jsonl', input.tag_name) }}
\ No newline at end of file
+ provenance-name: ${{ 'LaunchDarkly.ServerSdk.Telemetry_provenance.intoto.jsonl' }}
\ No newline at end of file
From e49710e0d0d899ccd4f14d7fa1bf7adaf7570201 Mon Sep 17 00:00:00 2001
From: Rouel Joseph Soberano
Date: Mon, 3 Jun 2024 10:51:34 -0700
Subject: [PATCH 4/4] build: adding additional option for provenance generation in non-main branches
---
 .github/workflows/manual-publish.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 4ab9ed2d..c74851e4 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
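Review bot: With `upload-tag-name` removed, `upload-assets: true` no longer names a release to attach to; as I read the generic generator's inputs, without a tag name it only uploads on tag-triggered runs, so a workflow_dispatch from a branch leaves the provenance as a run artifact that is never attached to a release, while the job (whose header is above this hunk) still requests `contents: write` for that upload. Either keep a tag input for the release the provenance belongs to, or set `upload-assets: false` so the artifact-only intent is explicit and the write permission can be dropped. Separately, `provenance-name: ${{ 'LaunchDarkly.ServerSdk_provenance.intoto.jsonl' }}` wraps a literal in an expression for no gain; `provenance-name: LaunchDarkly.ServerSdk_provenance.intoto.jsonl` is the same value. Both points apply equally to the `release-telemetry-server-provenance` hunk below.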
@@ -14,9 +14,12 @@ on:
 type: boolean
 required: true
 generate_provenance:
- description: 'Whether or not to generate provenance for this manual publish.'
- type: boolean
- required: true
+ description: 'Whether or not to generate provenance for this manual publish. Default behavior: generate only on main branch.'
+ type: choice
+ options:
+ - Default
+ - Generate
+ - Do not generate
 jobs:
 build:
@@ -62,7 +65,9 @@ jobs:
 id-token: write
 contents: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
- if: ${{ inputs.generate_provenance && inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
+ if: |
+ (inputs.generate_provenance == 'Generate' || (inputs.generate_provenance == 'Default' && github.ref_name == 'main')) &&
+ inputs.pkg_name == 'LaunchDarkly.ServerSdk'
 with:
 base64-subjects: "${{ needs.build.outputs.server-sdk-hashes }}"
 upload-assets: true
@@ -76,7 +81,9 @@ jobs:
 id-token: write
 contents: write
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
- if: ${{ inputs.generate_provenance && inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
+ if: |
+ (inputs.generate_provenance == 'Generate' || (inputs.generate_provenance == 'Default' && github.ref_name == 'main')) &&
+ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry'
 with:
 base64-subjects: "${{ needs.build.outputs.telemetry-hashes }}"
 upload-assets: true
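Review bot: The new `choice` input has no `default:`, so a dispatch that omits it (`gh workflow run` or the REST API, which as far as I know do not apply the UI's first-option preselection) leaves `inputs.generate_provenance` empty, which matches neither `'Generate'` nor `'Default'` in the rewritten `if:` conditions below and silently skips provenance for a main-branch publish, the opposite of what the description promises. Add `default: Default` alongside `options:` so the documented behaviour holds on every dispatch path. The old `required: true` was dropped in the same hunk; with a default in place that is harmless, otherwise restore it.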