add bom and attestation to release jobs

Signed-off-by: cpanato <[email protected]>
kubernetes · Mar 31, 2024 · bc4d1a2 · bc4d1a2
1 parent d67aed5
commit bc4d1a2
Show file tree

Hide file tree

Showing 6 changed files with 226 additions and 5 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,8 +6,11 @@ on:
     tags:
       - 'v*'
 
+permissions:
+  contents: read
+
 jobs:
-  build:
+  release:
     runs-on: ubuntu-latest
 
     permissions:
@@ -34,6 +37,9 @@ jobs:
 
       - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
+      - name: Install bom
+        uses: kubernetes-sigs/release-actions/setup-bom@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3
+
       - name: Build and publish release
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         if: contains(github.ref, 'refs/tags')
@@ -46,3 +52,44 @@ jobs:
         with:
           name: artifacts
           path: dist/*
+
+  attestation:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: write
+
+    needs:
+      - release
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Check out code onto GOPATH
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 1
+
+      - name: Set tag output
+        id: tag
+        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Install tejolote
+        uses: kubernetes-sigs/release-actions/setup-tejolote@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3
+
+      - run: |
+          tejolote attest --artifacts github://kubernetes/release/${{ steps.tag.outputs.tag_name }} github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json --sign
+
+      - name: Release
+        uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
+        with:
+          files: release.intoto.json
+          tag_name: "${{ steps.tag.outputs.tag_name }}"
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          GITHUB_REPOSITORY: kubernetes/release
diff --git a/.github/workflows/snapshot.yaml b/.github/workflows/snapshot.yaml
@@ -4,13 +4,13 @@ name: test-snapshot-release
 on:
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
-  build:
+  snapshot:
     runs-on: ubuntu-latest
 
-    permissions:
-      contents: read
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
@@ -29,14 +29,55 @@ jobs:
           go-version: '1.22'
           check-latest: true
 
+      - name: Install bom
+        uses: kubernetes-sigs/release-actions/setup-bom@10fecc1c66829d291b2f2fb1a27329d152f212e6 # v0.1.3
+
       - name: Test release build
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:
           args: release --clean --snapshot --skip=sign
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: check binary
+        run: |
+          ./dist/krel-amd64-linux version
+          ./dist/publish-release-amd64-linux help
+          ./dist/release-notes-amd64-linux version
+
       - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: artifacts
           path: dist/*
+
+  attestation:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    needs:
+      - snapshot
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+
+      - name: Check out code onto GOPATH
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          fetch-depth: 1
+
+      - name: Install tejolote
+        uses: kubernetes-sigs/release-actions/setup-tejolote@841d76a188a7c121231a863572e27012805715a2 # v0.1.4
+
+      - run: |
+          tejolote attest github://kubernetes/release/"${GITHUB_RUN_ID}" --output release.intoto.json
+
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: release.intoto.json
+          path: ./release.intoto.json
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -60,6 +60,55 @@ signs:
     args: ["sign-blob", "--output-signature", "${artifact}.sig", "--output-certificate", "${artifact}.pem", "${artifact}"]
     artifacts: all
 
+sboms:
+  - id: krel
+    cmd: bom
+    args:
+      - generate
+      - "--output"
+      - "krel-bom.json.spdx"
+      - "-d"
+      - "../"
+      - "-c"
+      - "../.krel-bom-config.yaml"
+      - "--format"
+      - "json"
+    artifacts: any
+    documents:
+      - "krel-bom.json.spdx"
+
+  - id: release-notes
+    cmd: bom
+    args:
+      - generate
+      - "--output"
+      - "release-notes-bom.json.spdx"
+      - "-d"
+      - "../"
+      - "-c"
+      - "../.release-notes-bom-config.yaml"
+      - "--format"
+      - "json"
+    artifacts: any
+    documents:
+      - "release-notes-bom.json.spdx"
+
+  - id: publish-release
+    cmd: bom
+    args:
+      - generate
+      - "--output"
+      - "publish-release-bom.json.spdx"
+      - "-d"
+      - "../"
+      - "-c"
+      - "../.publish-release-bom-config.yaml"
+      - "--format"
+      - "json"
+    artifacts: any
+    documents:
+      - "publish-release-bom.json.spdx"
+
 checksum:
   name_template: 'checksums.txt'
 

diff --git a/.krel-bom-config.yaml b/.krel-bom-config.yaml
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: krel
+creator:
+ person: The Kubernetes Authors
+ tool: krel
+
+artifacts:
+  - type: file
+    source: krel-amd64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: krel-amd64-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: krel-arm64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: krel-arm64-linux
+    license: Apache-2.0
+    gomodules: true
diff --git a/.publish-release-bom-config.yaml b/.publish-release-bom-config.yaml
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: publish-release
+creator:
+ person: The Kubernetes Authors
+ tool: publish-release
+
+artifacts:
+  - type: file
+    source: publish-release-amd64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: publish-release-amd64-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: publish-release-arm64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: publish-release-arm64-linux
+    license: Apache-2.0
+    gomodules: true
diff --git a/.release-notes-bom-config.yaml b/.release-notes-bom-config.yaml
@@ -0,0 +1,28 @@
+---
+namespace: https://k8s.io/release
+license: Apache-2.0
+name: release-notes
+creator:
+ person: The Kubernetes Authors
+ tool: release-notes
+
+artifacts:
+  - type: file
+    source: release-notes-amd64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: release-notes-amd64-linux
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: release-notes-arm64-darwin
+    license: Apache-2.0
+    gomodules: true
+
+  - type: file
+    source: release-notes-arm64-linux
+    license: Apache-2.0
+    gomodules: true