Generate SLSA signatures for Released zip files (#7450)

* update

* update

* update

* update

* update

* update

* update
laurentsimon
2022-08-16 16:30:37 -07:00
committed by GitHub
parent 1e0f75a647
commit 9610a666b1
2 changed files with 126 additions and 0 deletions


@@ -2,7 +2,11 @@ name: CI
permissions: read-all permissions: read-all
on: on:
# For manual tests.
workflow_dispatch:
push: push:
tags:
- "*" # new tag version, like `0.8.4` or else
branches: branches:
- master - master
pull_request: pull_request:
@@ -11,6 +15,11 @@ on:
jobs: jobs:
build-linux: build-linux:
permissions:
contents: write
outputs:
digests-gcc: ${{ steps.hash-gcc.outputs.hashes }}
digests-clang: ${{ steps.hash-clang.outputs.hashes }}
name: Build Linux name: Build Linux
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy: strategy:
@@ -36,8 +45,29 @@ jobs:
with: with:
name: Linux flatc binary ${{ matrix.cxx }} name: Linux flatc binary ${{ matrix.cxx }}
path: flatc path: flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: zip Linux.flatc.binary.${{ matrix.cxx }}.zip flatc
- name: Release zip file
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Linux.flatc.binary.${{ matrix.cxx }}.zip
- name: Generate SLSA subjects - clang
if: matrix.cxx == 'clang++-12' && startsWith(github.ref, 'refs/tags/')
id: hash-clang
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
- name: Generate SLSA subjects - gcc
if: matrix.cxx == 'g++-10' && startsWith(github.ref, 'refs/tags/')
id: hash-gcc
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
build-windows: build-windows:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Windows 2019 name: Build Windows 2019
runs-on: windows-2019 runs-on: windows-2019
steps: steps:
@@ -55,6 +85,20 @@ jobs:
with: with:
name: Windows flatc binary name: Windows flatc binary
path: Release\flatc.exe path: Release\flatc.exe
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: move Release/flatc.exe . && Compress-Archive flatc.exe Windows.flatc.binary.zip
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Windows.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
shell: bash
run: echo "::set-output name=hashes::$(sha256sum Windows.flatc.binary.zip | base64 -w0)"
build-windows-2017: build-windows-2017:
name: Build Windows 2017 name: Build Windows 2017
@@ -113,6 +157,10 @@ jobs:
out\FlatBuffers.Core.Test.exe out\FlatBuffers.Core.Test.exe
build-mac-intel: build-mac-intel:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Mac (for Intel) name: Build Mac (for Intel)
runs-on: macos-latest runs-on: macos-latest
steps: steps:
@@ -138,8 +186,25 @@ jobs:
with: with:
name: Mac flatc binary name: Mac flatc binary
path: _build/Release/flatc path: _build/Release/flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: mv _build/Release/flatc . && zip MacIntel.flatc.binary.zip flatc
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: MacIntel.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
run: echo "::set-output name=hashes::$(shasum -a 256 MacIntel.flatc.binary.zip | base64)"
build-mac-universal: build-mac-universal:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Mac (universal build) name: Build Mac (universal build)
runs-on: macos-latest runs-on: macos-latest
steps: steps:
@@ -165,6 +230,19 @@ jobs:
with: with:
name: Mac flatc binary name: Mac flatc binary
path: _build/Release/flatc path: _build/Release/flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: mv _build/Release/flatc . && zip Mac.flatc.binary.zip flatc
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Mac.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
run: echo "::set-output name=hashes::$(shasum -a 256 Mac.flatc.binary.zip | base64)"
build-android: build-android:
name: Build Android (on Linux) name: Build Android (on Linux)
@@ -339,3 +417,39 @@ jobs:
- name: test - name: test
working-directory: tests working-directory: tests
run: bash DartTest.sh run: bash DartTest.sh
release-digests:
if: startsWith(github.ref, 'refs/tags/')
needs: [build-linux, build-windows, build-mac-intel, build-mac-universal]
outputs:
digests: ${{ steps.hash.outputs.digests }}
runs-on: ubuntu-latest
steps:
- name: Merge results
id: hash
env:
LINUXGCC_DIGESTS: "${{ needs.build-linux.outputs.digests-gcc }}"
LINUXCLANG_DIGESTS: "${{ needs.build-linux.outputs.digests-clang }}"
MAC_DIGESTS: "${{ needs.build-mac-universal.outputs.digests }}"
MACINTEL_DIGESTS: "${{ needs.build-mac-intel.outputs.digests }}"
WINDOWS_DIGESTS: "${{ needs.build-windows.outputs.digests }}"
run: |
set -euo pipefail
echo "$LINUXGCC_DIGESTS" | base64 -d > checksums.txt
echo "$LINUXCLANG_DIGESTS" | base64 -d >> checksums.txt
echo "$MAC_DIGESTS" | base64 -d >> checksums.txt
echo "$MACINTEL_DIGESTS" | base64 -d >> checksums.txt
echo "$WINDOWS_DIGESTS" | base64 -d >> checksums.txt
echo "::set-output name=digests::$(cat checksums.txt | base64 -w0)"
provenance:
if: startsWith(github.ref, 'refs/tags/')
needs: [release-digests]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: "${{ needs.release-digests.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
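Review bot: `contents: write` is granted to the whole of build-linux, build-windows, build-mac-intel and build-mac-universal (the added job-level `permissions:` blocks), so every push and same-repo pull_request run of the build and test steps now carries a write-capable token, although only the `softprops/action-gh-release@v1` step, gated on `startsWith(github.ref, 'refs/tags/')`, needs it. A narrower shape keeps the build jobs at the workflow's `read-all` default, uploads the zips as artifacts, and performs the release upload in a tag-only job (as `release-digests` already is) that is the sole holder of `contents: write`. The `softprops/action-gh-release@v1` reference is a mutable tag; pinning it to a full commit SHA with a trailing version comment keeps the asset-upload step from changing underneath a pipeline whose output is attested (the generator itself is referenced by release tag, which appears to be what its documentation expected at this version — worth confirming). In `release-digests`, `echo "$X" | base64 -d` appends nothing when a build leg's hash step was skipped or its output came back empty, so the provenance would quietly attest a subset of the uploaded zips; I cannot tell from the workflow alone whether the skipped matrix leg's empty `digests-gcc`/`digests-clang` output can overwrite its sibling's value, so a guard such as `for v in LINUXGCC_DIGESTS LINUXCLANG_DIGESTS MAC_DIGESTS MACINTEL_DIGESTS WINDOWS_DIGESTS; do [ -n "${!v}" ] || { echo "$v is empty" >&2; exit 1; }; done` before the decodes would turn that into a failed run.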


@@ -61,6 +61,18 @@ You can download and install flatbuffers using the [vcpkg](https://github.com/Mi
The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors. The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors.
If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository. If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
## Downloading binaries
You can download the binaries from the
[GitHub release page](https://github.com/google/flatbuffers/releases).
We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries:
1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
1. Download the file named `attestation.intoto.jsonl` from the GitHub release
1. Run:
```shell
$ slsa-verifier -artifact-path <downloaded.zip> -provenance attestation.intoto.jsonl -source github.com/google/flatbuffers -tag <version>
PASSED: Verified SLSA provenance
## Building for Android ## Building for Android
There is a `flatbuffers/android` directory that contains all you need to build There is a `flatbuffers/android` directory that contains all you need to build