Add GitHub attestation #481

Merged
merged 1 commit into from
Sep 30, 2024

Conversation

tangrufus
Collaborator

Example: https://github.com/tangrufus/trellis-cli/releases/tag/v1.12.2-alpha.9, which was built with https://github.com/tangrufus/trellis-cli/blob/a8091f35faa0e2eaed38d28de7ba2d723e267f8c/.github/workflows/release.yml

$ wget https://github.com/tangrufus/trellis-cli/releases/download/v1.12.2-alpha.9/trellis_Darwin_arm64.tar.gz.sbom.json
$ wget https://github.com/tangrufus/trellis-cli/releases/download/v1.12.2-alpha.9/trellis_Darwin_arm64.tar.gz
$ tar -zxvf trellis_Darwin_arm64.tar.gz

$ gh attestation verify --repo tangrufus/trellis-cli trellis_Darwin_arm64.tar.gz
Loaded digest sha256:60472939603d4ab8120f99d3106cc89cb48db8e59464b53c7ba7ab7e8601a153 for file://trellis_Darwin_arm64.tar.gz
Loaded 2 attestations from GitHub API
✓ Verification succeeded!

sha256:60472939603d4ab8120f99d3106cc89cb48db8e59464b53c7ba7ab7e8601a153 was attested by:
REPO                   PREDICATE_TYPE                  WORKFLOW
tangrufus/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v1.12.2-alpha.9
tangrufus/trellis-cli  https://spdx.dev/Document/v2.3  .github/workflows/release.yml@refs/tags/v1.12.2-alpha.9

$ gh attestation verify --repo tangrufus/trellis-cli trellis
Loaded digest sha256:98f9b387bb1e47a75a3bca010f97f0c71ad8653d1e94251810c6fb2a309788fe for file://trellis
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:98f9b387bb1e47a75a3bca010f97f0c71ad8653d1e94251810c6fb2a309788fe was attested by:
REPO                   PREDICATE_TYPE                  WORKFLOW
tangrufus/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v1.12.2-alpha.9

$ gh attestation verify --repo tangrufus/trellis-cli trellis_Darwin_arm64.tar.gz.sbom.json
Loaded digest sha256:cd9ff82f98e3201afcb16d19fc7baa8c0427025d379ecc4c66e2042d293588be for file://trellis_Darwin_arm64.tar.gz.sbom.json
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:cd9ff82f98e3201afcb16d19fc7baa8c0427025d379ecc4c66e2042d293588be was attested by:
REPO                   PREDICATE_TYPE                  WORKFLOW
tangrufus/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v1.12.2-alpha.9
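An added example (not code from this PR or from the trellis-cli project) showing what `gh attestation verify` binds together in the session above: the local file's SHA-256 must appear as the in-toto subject, and the predicate type and signing workflow must be the expected ones. The bundle layout, the GitHub provenance field names and the sample artifact bytes are assumptions constructed here; signature verification is left to gh/sigstore and is not reimplemented.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
SPDX_V23 = "https://spdx.dev/Document/v2.3"

def statement_from_bundle(bundle_json: str) -> dict:
    """Decode the in-toto statement in a Sigstore bundle's DSSE envelope (no signature check here)."""
    env = json.loads(bundle_json)["dsseEnvelope"]
    if env["payloadType"] != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env['payloadType']!r}")
    return json.loads(base64.b64decode(env["payload"]))

def check_attestation(statement: dict, artifact: bytes, repo: str, workflow: str):
    """Return (ok, reason): does the statement vouch for artifact as built by repo's workflow?"""
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        return False, "subject digest does not match the local file"
    ptype = statement.get("predicateType")
    if ptype not in (SLSA_V1, SPDX_V23):
        return False, f"unexpected predicateType {ptype!r}"
    if ptype == SLSA_V1:
        # Field layout assumed from GitHub-generated SLSA v1 provenance.
        wf = statement["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
        if wf.get("repository") != f"https://github.com/{repo}" or wf.get("path") != workflow:
            return False, f"built by unexpected workflow {wf!r}"
    return True, ptype

def sample_bundle(artifact: bytes) -> str:
    """Constructed bundle (not a real GitHub download); the signature is a placeholder."""
    statement = {
        "subject": [{"name": "trellis", "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
            "repository": "https://github.com/tangrufus/trellis-cli",
            "path": ".github/workflows/release.yml",
            "ref": "refs/tags/v1.12.2-alpha.9"}}}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {"payloadType": "application/vnd.in-toto+json", "payload": payload,
                "signatures": [{"sig": "PLACEHOLDER-not-a-real-signature"}]}
    return json.dumps({"dsseEnvelope": envelope})

if __name__ == "__main__":
    artifact = b"constructed stand-in for the trellis binary\n"
    stmt = statement_from_bundle(sample_bundle(artifact))
    print(check_attestation(stmt, artifact, "tangrufus/trellis-cli", ".github/workflows/release.yml"))
    print(check_attestation(stmt, artifact + b"!", "tangrufus/trellis-cli", ".github/workflows/release.yml"))
```

The `repo` argument plays the role of `--repo` above: a bundle whose provenance names a different repository or workflow path is rejected even when the digest matches.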

@swalkinshaw
Member

TIL... complicated 😓 But looks good

@swalkinshaw swalkinshaw merged commit 5f93ee8 into roots:master Sep 30, 2024
3 checks passed
@tangrufus tangrufus deleted the gh-attest branch September 30, 2024 15:45