fix(ci): SLSA provenance must attest pre-built release artifacts #54
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,8 +1,21 @@ | ||
| # SLSA Provenance Generation for RAG Processor | ||
| # Generates SLSA Level 3 provenance attestations for published packages. | ||
| # | ||
| # This workflow downloads pre-built distribution artifacts (never rebuilds | ||
| # from source), hashes them, and calls the org-level SLSA provenance | ||
| # workflow to create cryptographic attestations. | ||
| # | ||
| # Why download instead of rebuild? | ||
| # SLSA attestation must describe the exact files that were published. If | ||
| # the provenance job rebuilt the package locally, the attested hashes | ||
| # would diverge from the artifacts attached to the GitHub Release (and | ||
| # any future PyPI upload), defeating the supply-chain guarantee. | ||
| # | ||
| # Artifact sources: | ||
| # - workflow_run trigger: downloads the `release-dist` artifact uploaded | ||
| # by the upstream "Semantic Release" run that produced this version. | ||
| # - workflow_dispatch trigger: downloads the dist files attached to the | ||
| # matching GitHub Release (`v<version>` tag) via the GitHub CLI. | ||
| # | ||
| # Reference: https://slsa.dev/ | ||
| name: SLSA Provenance | ||
|
|
@@ -13,29 +26,28 @@ on: | |
| workflows: ["Semantic Release"] | ||
| types: [completed] | ||
| branches: [main, master] | ||
| # Manual trigger for re-generating provenance against an existing release | ||
| workflow_dispatch: | ||
| inputs: | ||
| version: | ||
| description: 'Released version to generate provenance for (e.g., 0.1.0)' | ||
| required: true | ||
| type: string | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| # ========================================================================== | ||
| # Download Pre-Built Artifacts and Generate Hashes | ||
| # ========================================================================== | ||
| collect: | ||
| name: Collect Release Artifacts | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 15 | ||
| if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }} | ||
| permissions: | ||
| contents: read | ||
| actions: read | ||
| outputs: | ||
| hashes: ${{ steps.hashes.outputs.hashes }} | ||
| version: ${{ steps.version.outputs.version }} | ||
|
|
@@ -46,64 +58,95 @@ jobs: | |
| with: | ||
| egress-policy: audit # TODO: switch to block after 2026-06-30 (SLSA L3 hermetic build isolation) | ||
|
|
||
| # workflow_run path: the upstream Semantic Release job uploads dist/ | ||
| # as the `release-dist` artifact (5-day retention). Pull it directly | ||
| # so the hashes attest the published bytes, not a fresh local build. | ||
| - name: Download release-dist from upstream Semantic Release run | ||
| if: ${{ github.event_name == 'workflow_run' }} | ||
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | ||
| with: | ||
| name: release-dist | ||
| path: dist/ | ||
| github-token: ${{ github.token }} | ||
| repository: ${{ github.repository }} | ||
| run-id: ${{ github.event.workflow_run.id }} | ||
|
|
||
| # workflow_dispatch path: a release was published earlier and the | ||
| # GHA artifact retention may have lapsed. Download the dist files | ||
| # that were attached to the GitHub Release for the requested tag. | ||
| - name: Download dist from GitHub Release | ||
| if: ${{ github.event_name == 'workflow_dispatch' }} | ||
| env: | ||
| GH_TOKEN: ${{ github.token }} | ||
| INPUT_VERSION: ${{ inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| if ! [[ "$INPUT_VERSION" =~ ^[A-Za-z0-9._+-]+$ ]]; then | ||
| echo "::error::Invalid version input: must match ^[A-Za-z0-9._+-]+$" | ||
| exit 1 | ||
| fi | ||
| TAG="v$INPUT_VERSION" | ||
| mkdir -p dist | ||
| # Pull wheels and sdists attached to the release. | ||
| gh release download "$TAG" \ | ||
| --repo "$GITHUB_REPOSITORY" \ | ||
| --dir dist \ | ||
| --pattern '*.whl' \ | ||
| --pattern '*.tar.gz' | ||
|
|
||
| - name: Determine version | ||
| id: version | ||
| env: | ||
| EVENT_NAME: ${{ github.event_name }} | ||
| INPUT_VERSION: ${{ inputs.version }} | ||
| run: | | ||
| set -euo pipefail | ||
| if [ "$EVENT_NAME" = "workflow_dispatch" ]; then | ||
| VERSION="$INPUT_VERSION" | ||
| else | ||
| # Extract version from the wheel filename produced upstream. | ||
| WHEEL=$(find dist -maxdepth 1 -name '*.whl' -print -quit) | ||
| if [ -z "$WHEEL" ]; then | ||
| echo "::error::No wheel found in downloaded dist/ artifact" | ||
| find dist -maxdepth 1 -type f -printf '%p\n' || true | ||
| exit 1 | ||
| fi | ||
| BASENAME=$(basename "$WHEEL") | ||
| VERSION=$(echo "$BASENAME" | awk -F'-' '{print $2}') | ||
| fi | ||
| echo "version=$VERSION" >> "$GITHUB_OUTPUT" | ||
|
|
||
| - name: Verify dist contents | ||
| run: | | ||
| set -euo pipefail | ||
| echo "Files attested by this provenance run:" | ||
| find dist -maxdepth 1 -type f -printf '%f %s bytes\n' | ||
| # Refuse to attest an empty directory; SLSA generator would | ||
| # otherwise emit a meaningless provenance. | ||
| WHEEL=$(find dist -maxdepth 1 -name '*.whl' -print -quit) | ||
| SDIST=$(find dist -maxdepth 1 -name '*.tar.gz' -print -quit) | ||
| if [ -z "$WHEEL" ] && [ -z "$SDIST" ]; then | ||
| echo "::error::No wheel or sdist found in dist/; nothing to attest" | ||
| exit 1 | ||
| fi | ||
|
|
||
| - name: Generate SHA256 hashes | ||
| id: hashes | ||
| working-directory: dist | ||
| run: | | ||
| set -euo pipefail | ||
| HASHES=$(sha256sum ./* | base64 -w0) | ||
|
Contributor
Author
There was a problem hiding this comment. Resolved by williaby in |
||
| echo "hashes=$HASHES" >> "$GITHUB_OUTPUT" | ||
|
|
||
| # ========================================================================== | ||
| # SLSA Level 3 Provenance (Org-Level Reusable Workflow) | ||
| # ========================================================================== | ||
| slsa: | ||
| name: SLSA Level 3 | ||
| needs: [collect] | ||
| uses: ByronWilliamsCPA/.github/.github/workflows/python-slsa.yml@961eb17d8e9b7fe0d8bfc5dbe9d23c824484fb11 # main | ||
| with: | ||
| base64-subjects: ${{ needs.collect.outputs.hashes }} | ||
| upload-assets: true | ||
| permissions: | ||
| id-token: write | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Resolved by williaby in
1f4e9da: theworkflow_dispatchinput changed from aversionstring to an integer-validatedrun_id, so theTAG="v$INPUT_VERSION"concatenation no longer exists. The tag is now resolved by querying the GitHub Releases API for the head SHA.