From 5722a0ad8f98949af88c38979470b83c613ec81f Mon Sep 17 00:00:00 2001
From: Ilija Matoski
Date: Sat, 13 Apr 2024 21:39:56 +0200
Subject: [PATCH] chore: remove SLSA from the workflow
---
 .github/workflows/release.yml | 84 +++++++++++++++++------------------
 1 file changed, 42 insertions(+), 42 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 36f9fc7..9179827 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -47,45 +47,45 @@ jobs:
 checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
 echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
- binary-provenance:
- needs: [goreleaser]
- permissions:
- actions: read
- id-token: write
- contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
- with:
- base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
- upload-assets: true
-
- verification-with-slsa-verifier:
- needs: [goreleaser, binary-provenance]
- runs-on: ubuntu-latest
- permissions: read-all
- steps:
- - name: Install the verifier
- uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
- - name: Download assets
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
- run: |
- set -euo pipefail
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
- - name: Verify assets
- env:
- CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
- PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
- run: |
- set -euo pipefail
- checksums=$(echo "$CHECKSUMS" | base64 -d)
- while read -r line; do
- fn=$(echo $line | cut -d ' ' -f2)
- echo "Verifying $fn"
- slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
- --source-uri "github.com/$GITHUB_REPOSITORY" \
- --source-tag "$GITHUB_REF_NAME" \
- "$fn"
- done <<<"$checksums"
\ No newline at end of file
+# binary-provenance:
+# needs: [goreleaser]
+# permissions:
+# actions: read
+# id-token: write
+# contents: write
+# uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+# with:
+# base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+# upload-assets: true
+#
+# verification-with-slsa-verifier:
+# needs: [goreleaser, binary-provenance]
+# runs-on: ubuntu-latest
+# permissions: read-all
+# steps:
+# - name: Install the verifier
+# uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
+# - name: Download assets
+# env:
+# GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+# PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
+# run: |
+# set -euo pipefail
+# gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
+# gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
+# gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
+# - name: Verify assets
+# env:
+# CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+# PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
+# run: |
+# set -euo pipefail
+# checksums=$(echo "$CHECKSUMS" | base64 -d)
+# while read -r line; do
+# fn=$(echo $line | cut -d ' ' -f2)
+# echo "Verifying $fn"
+# slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
+# --source-uri "github.com/$GITHUB_REPOSITORY" \
+# --source-tag "$GITHUB_REF_NAME" \
+# "$fn"
+# done <<<"$checksums"
\ No newline at end of file
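Review bot: Commenting out `binary-provenance` and `verification-with-slsa-verifier` leaves release assets with no provenance attestation and no post-release verification, and nothing in the new lines says why or when either comes back. If the removal is permanent, delete the 42 lines rather than keeping them as comments (history preserves them); if it is temporary, head the block with a one-line reason such as `# SLSA provenance disabled: <reason / tracking issue>; release assets are unattested until this is re-enabled`. The context lines at the top of the hunk, which belong to a step whose job starts above the hunk, still write `hashes=` to `$GITHUB_OUTPUT`; within what is visible that output no longer has a consumer, so it should either be dropped or kept deliberately with a comment. Any user-facing instructions that tell consumers to run `slsa-verifier verify-artifact` against release assets would presumably stop working for new tags and should be updated in the same change; those are outside this hunk.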