Add GitHub attestation

.github/workflows/ci.yml

@@ -28,6 +28,7 @@ jobs:
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
+      - uses: anchore/sbom-action/download-syft@v0
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@v6
         with:

.github/workflows/release.yml

@@ -6,24 +6,114 @@ on:
       - '*'
   workflow_dispatch:
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   goreleaser:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    outputs:
+      build-provenance-artifact-id: ${{ steps.upload-build-provenance.outputs.artifact-id }}
+      sbom-artifact-id: ${{ steps.upload-sbom.outputs.artifact-id }}
+      sbom-attestations: ${{ steps.upload-sbom.outputs.attestations }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - uses: actions/setup-go@v5
         with:
           go-version-file: 'go.mod'
+      - uses: anchore/sbom-action/download-syft@v0
       - name: GoReleaser release
         uses: goreleaser/goreleaser-action@v6
         with:
-          distribution: goreleaser
-          version: latest
+          version: '~> v2'
           args: release
         env:
           GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_ACCESS_TOKEN }}
+      - uses: actions/upload-artifact@v4
+        id: upload-build-provenance
+        with:
+          name: build-provenance
+          path: |
+            dist/trellis_*/trellis
+            dist/trellis_*/trellis.exe
+            dist/trellis_*.tar.gz
+            dist/trellis_*.zip
+            dist/**/*.sbom.json
+      - uses: typisttech/upload-goreleaser-sboms-action@v0
+        id: upload-sbom
+
+  attest-build-provenance:
+    needs: [goreleaser]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          path: dist
+          name: build-provenance
+      - uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: |
+            dist/trellis_*/trellis
+            dist/trellis_*/trellis.exe
+            dist/trellis_*.tar.gz
+            dist/trellis_*.zip
+            dist/**/*.sbom.json
+
+  attest-sbom:
+    needs: [goreleaser]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    strategy:
+      matrix:
+        attestation: ${{ fromJSON(needs.goreleaser.outputs.sbom-attestations) }}
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          name: sboms
+      - uses: actions/attest-sbom@v1
+        with:
+          subject-path: ${{ matrix.attestation.subject }}
+          sbom-path: ${{ matrix.attestation.sbom }}
+
+  verify:
+    needs: [goreleaser, attest-build-provenance, attest-sbom]
+    runs-on: ubuntu-latest
+    steps:
+      - run: gh release download --clobber --dir artifacts -p '*.tar.gz' -p '*.zip' -p '*.sbom.json' --repo $REPO $TAG
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          TAG: ${{ github.ref_name }}
+      - run: tree artifacts
+      - run: ls | xargs -I {} gh attestation verify --repo $REPO {}
+        working-directory: artifacts
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+
+  cleanup:
+    needs: [goreleaser, verify]
+    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+    steps:
+      - run: >
+          gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          ARTIFACT_ID: ${{ needs.goreleaser.outputs.build-provenance-artifact-id }}
+      - run: >
+          gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPO: ${{ github.repository }}
+          ARTIFACT_ID: ${{ needs.goreleaser.outputs.sbom-artifact-id }}

.goreleaser.yml

@@ -29,6 +29,8 @@ archives:
       format: zip
 checksum:
   name_template: '{{ .ProjectName }}_checksums.txt'
+sboms:
+  - artifacts: archive
 changelog:
   sort: asc
   filters:

README.md

@@ -76,6 +76,39 @@ setup after downloading the Windows build:
 4. Edit path from system variables and add new named `%TRELLIS%`
 5. Save the changes
 
+## Verify Attestation
+trellis-cli artifacts can be [cryptographically verified via GitHub CLI](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
+
+```console
+# The archive with both predicates
+$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz
+## ...snipped...
+✓ Verification succeeded!
+
+sha256:xxx was attested by:
+REPO                   PREDICATE_TYPE                  WORKFLOW
+roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
+roots/trellis-cli  https://spdx.dev/Document/v2.3  .github/workflows/release.yml@refs/tags/v9.8.7
+
+# The binary
+$ gh attestation verify --repo roots/trellis-cli /path/to/trellis
+## ...snipped...
+✓ Verification succeeded!
+
+sha256:xxx was attested by:
+REPO                   PREDICATE_TYPE                  WORKFLOW
+roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
+
+# The SBOM
+$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz.sbom.json
+## ...snipped...
+✓ Verification succeeded!
+
+sha256:xxx was attested by:
+REPO                   PREDICATE_TYPE                  WORKFLOW
+roots/trellis-cli  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/v9.8.7
+```
+
 ## Shell Integration
 
 ### Autocompletes