From 9610a666b138c3984fceaaaa02e0502828f25612 Mon Sep 17 00:00:00 2001
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Date: Tue, 16 Aug 2022 16:30:37 -0700
Subject: [PATCH] Generate SLSA signatures for Released zip files (#7450)

* update
* update
* update
* update
* update
* update
* update
---
 .github/workflows/build.yml | 114 ++++++++++++++++++++++++++++++++++++
 docs/source/Building.md | 12 ++++
 2 files changed, 126 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index f9f45fa54..b4b112d19 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -2,7 +2,11 @@ name: CI
 permissions: read-all
 
 on:
+  # For manual tests.
+  workflow_dispatch:
   push:
+    tags:
+      - "*" # new tag version, like `0.8.4` or else
     branches:
       - master
   pull_request:
@@ -11,6 +15,11 @@ on:
 
 jobs:
   build-linux:
+    permissions:
+      contents: write
+    outputs:
+      digests-gcc: ${{ steps.hash-gcc.outputs.hashes }}
+      digests-clang: ${{ steps.hash-clang.outputs.hashes }}
     name: Build Linux
     runs-on: ubuntu-latest
     strategy:
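Review bot: A `workflow_dispatch` run started from a tag ref has `github.ref` equal to `refs/tags/<tag>`, so it satisfies every `startsWith(github.ref, 'refs/tags/')` guard this commit adds and will re-upload the release zips and re-issue provenance for an existing tag, which the `# For manual tests.` comment does not suggest is intended. If manual runs are only meant to exercise the build, the release-only steps and jobs could require the push event as well, e.g. `if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')`. The `on:` block continues past this hunk.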
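Review bot: `contents: write` is granted to the whole `build-linux` job, which also runs for every `pull_request` and every push to master, although only the tag-gated release steps need it; the file-level `permissions: read-all` is thereby overridden for this job on all triggers. Because the build and test steps share the job with the release upload, every step in it, including third-party actions, receives a token that can write to the repository on those runs (pull requests from forks excepted, where GitHub downgrades the token anyway). Moving the zip/upload/digest steps into a separate tag-gated job that downloads the build artifact would keep `contents: write` limited to tag pushes. The same job-wide grant is added to `build-windows` and `build-mac-intel` in the next line's hunks and to `build-mac-universal` after that.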
@@ -36,8 +45,29 @@ jobs:
       with:
         name: Linux flatc binary ${{ matrix.cxx }}
         path: flatc
+    # Below if only for release.
+    - name: Zip file
+      if: startsWith(github.ref, 'refs/tags/')
+      run: zip Linux.flatc.binary.${{ matrix.cxx }}.zip flatc
+    - name: Release zip file
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: Linux.flatc.binary.${{ matrix.cxx }}.zip
+    - name: Generate SLSA subjects - clang
+      if: matrix.cxx == 'clang++-12' && startsWith(github.ref, 'refs/tags/')
+      id: hash-clang
+      run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
+    - name: Generate SLSA subjects - gcc
+      if: matrix.cxx == 'g++-10' && startsWith(github.ref, 'refs/tags/')
+      id: hash-gcc
+      run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
 
   build-windows:
+    permissions:
+      contents: write
+    outputs:
+      digests: ${{ steps.hash.outputs.hashes }}
     name: Build Windows 2019
     runs-on: windows-2019
     steps:
@@ -55,6 +85,20 @@ jobs:
       with:
         name: Windows flatc binary
         path: Release\flatc.exe
+    # Below if only for release.
+    - name: Zip file
+      if: startsWith(github.ref, 'refs/tags/')
+      run: move Release/flatc.exe . && Compress-Archive flatc.exe Windows.flatc.binary.zip
+    - name: Release binary
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: Windows.flatc.binary.zip
+    - name: Generate SLSA subjects
+      if: startsWith(github.ref, 'refs/tags/')
+      id: hash
+      shell: bash
+      run: echo "::set-output name=hashes::$(sha256sum Windows.flatc.binary.zip | base64 -w0)"
 
   build-windows-2017:
     name: Build Windows 2017
@@ -113,6 +157,10 @@ jobs:
         out\FlatBuffers.Core.Test.exe
 
   build-mac-intel:
+    permissions:
+      contents: write
+    outputs:
+      digests: ${{ steps.hash.outputs.hashes }}
     name: Build Mac (for Intel)
     runs-on: macos-latest
     steps:
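Review bot: `softprops/action-gh-release@v1` is referenced by a mutable tag in the `Release zip file` step, and the same reference is added in the Windows hunk on this line and in both macOS hunks on the next; for a change whose purpose is SLSA provenance, the action that receives the `contents: write` token and publishes the release assets should be pinned to a full commit SHA, e.g. `uses: softprops/action-gh-release@<commit-sha> # v1`, so that a moved tag cannot swap the code that handles the artifacts. A second, smaller point in this hunk: the two digest steps are keyed to the literal matrix values `'clang++-12'` and `'g++-10'`; if the matrix under `strategy:` (outside this hunk) is ever changed, both steps are skipped and the `digests-gcc`/`digests-clang` outputs come through empty without any failure.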
@@ -138,8 +186,25 @@ jobs:
       with:
         name: Mac flatc binary
         path: _build/Release/flatc
+    # Below if only for release.
+    - name: Zip file
+      if: startsWith(github.ref, 'refs/tags/')
+      run: mv _build/Release/flatc . && zip MacIntel.flatc.binary.zip flatc
+    - name: Release binary
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: MacIntel.flatc.binary.zip
+    - name: Generate SLSA subjects
+      if: startsWith(github.ref, 'refs/tags/')
+      id: hash
+      run: echo "::set-output name=hashes::$(shasum -a 256 MacIntel.flatc.binary.zip | base64)"
 
   build-mac-universal:
+    permissions:
+      contents: write
+    outputs:
+      digests: ${{ steps.hash.outputs.hashes }}
     name: Build Mac (universal build)
     runs-on: macos-latest
     steps:
@@ -165,6 +230,19 @@ jobs:
       with:
         name: Mac flatc binary
         path: _build/Release/flatc
+    # Below if only for release.
+    - name: Zip file
+      if: startsWith(github.ref, 'refs/tags/')
+      run: mv _build/Release/flatc . && zip Mac.flatc.binary.zip flatc
+    - name: Release binary
+      uses: softprops/action-gh-release@v1
+      if: startsWith(github.ref, 'refs/tags/')
+      with:
+        files: Mac.flatc.binary.zip
+    - name: Generate SLSA subjects
+      if: startsWith(github.ref, 'refs/tags/')
+      id: hash
+      run: echo "::set-output name=hashes::$(shasum -a 256 Mac.flatc.binary.zip | base64)"
 
   build-android:
     name: Build Android (on Linux)
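Review bot: The macOS `Generate SLSA subjects` step pipes into `base64` with no no-wrap option, unlike the Linux and Windows steps which use `base64 -w0`. The stock macOS `base64` does not wrap by default as far as I know, but if a GNU coreutils `base64` is first on PATH the output is wrapped at 76 columns, `::set-output` only consumes the first line, and the later `base64 -d` in `release-digests` would decode a truncated digest without error. Stripping newlines explicitly, `run: echo "::set-output name=hashes::$(shasum -a 256 MacIntel.flatc.binary.zip | base64 | tr -d '\n')"`, removes the dependency on which `base64` the runner finds; the `build-mac-universal` hunk below has the same step.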
@@ -339,3 +417,39 @@ jobs:
     - name: test
       working-directory: tests
       run: bash DartTest.sh
+
+  release-digests:
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [build-linux, build-windows, build-mac-intel, build-mac-universal]
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Merge results
+        id: hash
+        env:
+          LINUXGCC_DIGESTS: "${{ needs.build-linux.outputs.digests-gcc }}"
+          LINUXCLANG_DIGESTS: "${{ needs.build-linux.outputs.digests-clang }}"
+          MAC_DIGESTS: "${{ needs.build-mac-universal.outputs.digests }}"
+          MACINTEL_DIGESTS: "${{ needs.build-mac-intel.outputs.digests }}"
+          WINDOWS_DIGESTS: "${{ needs.build-windows.outputs.digests }}"
+        run: |
+          set -euo pipefail
+          echo "$LINUXGCC_DIGESTS" | base64 -d > checksums.txt
+          echo "$LINUXCLANG_DIGESTS" | base64 -d >> checksums.txt
+          echo "$MAC_DIGESTS" | base64 -d >> checksums.txt
+          echo "$MACINTEL_DIGESTS" | base64 -d >> checksums.txt
+          echo "$WINDOWS_DIGESTS" | base64 -d >> checksums.txt
+          echo "::set-output name=digests::$(cat checksums.txt | base64 -w0)"
+
+  provenance:
+    if: startsWith(github.ref, 'refs/tags/')
+    needs: [release-digests]
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+    with:
+      base64-subjects: "${{ needs.release-digests.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release
diff --git a/docs/source/Building.md b/docs/source/Building.md
index 892cefc2d..a12abac0e 100644
--- a/docs/source/Building.md
+++ b/docs/source/Building.md
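Review bot: The `Merge results` step never checks that the five digest inputs are non-empty before decoding them: when a build job's hash step was skipped (the Linux ones are keyed to literal matrix values) or its `outputs` entry came through empty, `echo "" | base64 -d` exits 0, `set -euo pipefail` does not fire, and that artifact silently drops out of the provenance subjects while the release still carries its zip. A guard before the decodes, `for d in "$LINUXGCC_DIGESTS" "$LINUXCLANG_DIGESTS" "$MAC_DIGESTS" "$MACINTEL_DIGESTS" "$WINDOWS_DIGESTS"; do [ -n "$d" ] || { echo "missing digest output" >&2; exit 1; }; done`, turns a missing subject into a failed job. Since each decoded value should be one `sha256sum`/`shasum` line, a final `test "$(wc -l < checksums.txt)" -eq 5` would also catch a truncated or duplicated input before it reaches the generator.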
@@ -61,6 +61,18 @@ You can download and install flatbuffers using the [vcpkg](https://github.com/Mi The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors. If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository. +## Downloading binaries +You can download the binaries from the +[GitHub release page](https://github.com/google/flatbuffers/releases). + +We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries: +1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) +1. Download the file named `attestation.intoto.jsonl` from the GitHub release +1. Run: +```shell +$ slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/google/flatbuffers -tag + PASSED: Verified SLSA provenance + ## Building for Android There is a `flatbuffers/android` directory that contains all you need to build