Generate SLSA signatures for Released zip files (#7450)
* update * update * update * update * update * update * update
114
.github/workflows/build.yml
vendored
114
.github/workflows/build.yml
vendored
@@ -2,7 +2,11 @@ name: CI
|
|||||||
permissions: read-all
|
permissions: read-all
|
||||||
|
|
||||||
on:
|
on:
|
||||||
|
# For manual tests.
|
||||||
|
workflow_dispatch:
|
||||||
push:
|
push:
|
||||||
|
tags:
|
||||||
|
- "*" # new tag version, like `0.8.4` or else
|
||||||
branches:
|
branches:
|
||||||
- master
|
- master
|
||||||
pull_request:
|
pull_request:
|
||||||
@@ -11,6 +15,11 @@ on:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build-linux:
|
build-linux:
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
outputs:
|
||||||
|
digests-gcc: ${{ steps.hash-gcc.outputs.hashes }}
|
||||||
|
digests-clang: ${{ steps.hash-clang.outputs.hashes }}
|
||||||
name: Build Linux
|
name: Build Linux
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
strategy:
|
strategy:
|
||||||
@@ -36,8 +45,29 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: Linux flatc binary ${{ matrix.cxx }}
|
name: Linux flatc binary ${{ matrix.cxx }}
|
||||||
path: flatc
|
path: flatc
|
||||||
|
# Below if only for release.
|
||||||
|
- name: Zip file
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
run: zip Linux.flatc.binary.${{ matrix.cxx }}.zip flatc
|
||||||
|
- name: Release zip file
|
||||||
|
uses: softprops/action-gh-release@v1
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
with:
|
||||||
|
files: Linux.flatc.binary.${{ matrix.cxx }}.zip
|
||||||
|
- name: Generate SLSA subjects - clang
|
||||||
|
if: matrix.cxx == 'clang++-12' && startsWith(github.ref, 'refs/tags/')
|
||||||
|
id: hash-clang
|
||||||
|
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
|
||||||
|
- name: Generate SLSA subjects - gcc
|
||||||
|
if: matrix.cxx == 'g++-10' && startsWith(github.ref, 'refs/tags/')
|
||||||
|
id: hash-gcc
|
||||||
|
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
|
||||||
|
|
||||||
build-windows:
|
build-windows:
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
outputs:
|
||||||
|
digests: ${{ steps.hash.outputs.hashes }}
|
||||||
name: Build Windows 2019
|
name: Build Windows 2019
|
||||||
runs-on: windows-2019
|
runs-on: windows-2019
|
||||||
steps:
|
steps:
|
||||||
@@ -55,6 +85,20 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: Windows flatc binary
|
name: Windows flatc binary
|
||||||
path: Release\flatc.exe
|
path: Release\flatc.exe
|
||||||
|
# Below if only for release.
|
||||||
|
- name: Zip file
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
run: move Release/flatc.exe . && Compress-Archive flatc.exe Windows.flatc.binary.zip
|
||||||
|
- name: Release binary
|
||||||
|
uses: softprops/action-gh-release@v1
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
with:
|
||||||
|
files: Windows.flatc.binary.zip
|
||||||
|
- name: Generate SLSA subjects
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
id: hash
|
||||||
|
shell: bash
|
||||||
|
run: echo "::set-output name=hashes::$(sha256sum Windows.flatc.binary.zip | base64 -w0)"
|
||||||
|
|
||||||
build-windows-2017:
|
build-windows-2017:
|
||||||
name: Build Windows 2017
|
name: Build Windows 2017
|
||||||
@@ -113,6 +157,10 @@ jobs:
|
|||||||
out\FlatBuffers.Core.Test.exe
|
out\FlatBuffers.Core.Test.exe
|
||||||
|
|
||||||
build-mac-intel:
|
build-mac-intel:
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
outputs:
|
||||||
|
digests: ${{ steps.hash.outputs.hashes }}
|
||||||
name: Build Mac (for Intel)
|
name: Build Mac (for Intel)
|
||||||
runs-on: macos-latest
|
runs-on: macos-latest
|
||||||
steps:
|
steps:
|
||||||
@@ -138,8 +186,25 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: Mac flatc binary
|
name: Mac flatc binary
|
||||||
path: _build/Release/flatc
|
path: _build/Release/flatc
|
||||||
|
# Below if only for release.
|
||||||
|
- name: Zip file
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
run: mv _build/Release/flatc . && zip MacIntel.flatc.binary.zip flatc
|
||||||
|
- name: Release binary
|
||||||
|
uses: softprops/action-gh-release@v1
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
with:
|
||||||
|
files: MacIntel.flatc.binary.zip
|
||||||
|
- name: Generate SLSA subjects
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
id: hash
|
||||||
|
run: echo "::set-output name=hashes::$(shasum -a 256 MacIntel.flatc.binary.zip | base64)"
|
||||||
|
|
||||||
build-mac-universal:
|
build-mac-universal:
|
||||||
|
permissions:
|
||||||
|
contents: write
|
||||||
|
outputs:
|
||||||
|
digests: ${{ steps.hash.outputs.hashes }}
|
||||||
name: Build Mac (universal build)
|
name: Build Mac (universal build)
|
||||||
runs-on: macos-latest
|
runs-on: macos-latest
|
||||||
steps:
|
steps:
|
||||||
@@ -165,6 +230,19 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: Mac flatc binary
|
name: Mac flatc binary
|
||||||
path: _build/Release/flatc
|
path: _build/Release/flatc
|
||||||
|
# Below if only for release.
|
||||||
|
- name: Zip file
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
run: mv _build/Release/flatc . && zip Mac.flatc.binary.zip flatc
|
||||||
|
- name: Release binary
|
||||||
|
uses: softprops/action-gh-release@v1
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
with:
|
||||||
|
files: Mac.flatc.binary.zip
|
||||||
|
- name: Generate SLSA subjects
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
id: hash
|
||||||
|
run: echo "::set-output name=hashes::$(shasum -a 256 Mac.flatc.binary.zip | base64)"
|
||||||
|
|
||||||
build-android:
|
build-android:
|
||||||
name: Build Android (on Linux)
|
name: Build Android (on Linux)
|
||||||
@@ -339,3 +417,39 @@ jobs:
|
|||||||
- name: test
|
- name: test
|
||||||
working-directory: tests
|
working-directory: tests
|
||||||
run: bash DartTest.sh
|
run: bash DartTest.sh
|
||||||
|
|
||||||
|
release-digests:
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
needs: [build-linux, build-windows, build-mac-intel, build-mac-universal]
|
||||||
|
outputs:
|
||||||
|
digests: ${{ steps.hash.outputs.digests }}
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Merge results
|
||||||
|
id: hash
|
||||||
|
env:
|
||||||
|
LINUXGCC_DIGESTS: "${{ needs.build-linux.outputs.digests-gcc }}"
|
||||||
|
LINUXCLANG_DIGESTS: "${{ needs.build-linux.outputs.digests-clang }}"
|
||||||
|
MAC_DIGESTS: "${{ needs.build-mac-universal.outputs.digests }}"
|
||||||
|
MACINTEL_DIGESTS: "${{ needs.build-mac-intel.outputs.digests }}"
|
||||||
|
WINDOWS_DIGESTS: "${{ needs.build-windows.outputs.digests }}"
|
||||||
|
run: |
|
||||||
|
set -euo pipefail
|
||||||
|
echo "$LINUXGCC_DIGESTS" | base64 -d > checksums.txt
|
||||||
|
echo "$LINUXCLANG_DIGESTS" | base64 -d >> checksums.txt
|
||||||
|
echo "$MAC_DIGESTS" | base64 -d >> checksums.txt
|
||||||
|
echo "$MACINTEL_DIGESTS" | base64 -d >> checksums.txt
|
||||||
|
echo "$WINDOWS_DIGESTS" | base64 -d >> checksums.txt
|
||||||
|
echo "::set-output name=digests::$(cat checksums.txt | base64 -w0)"
|
||||||
|
|
||||||
|
provenance:
|
||||||
|
if: startsWith(github.ref, 'refs/tags/')
|
||||||
|
needs: [release-digests]
|
||||||
|
permissions:
|
||||||
|
actions: read # To read the workflow path.
|
||||||
|
id-token: write # To sign the provenance.
|
||||||
|
contents: write # To add assets to a release.
|
||||||
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
|
||||||
|
with:
|
||||||
|
base64-subjects: "${{ needs.release-digests.outputs.digests }}"
|
||||||
|
upload-assets: true # Optional: Upload to a new release
|
||||||
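Review bot: Each release-capable build job (build-linux, and likewise build-windows, build-mac-intel and build-mac-universal) now carries job-wide `contents: write`, so every build step runs with a token that can modify releases, on branch pushes and same-repository pull requests as well as tags, although only the tag-gated upload step needs it. That upload step is `softprops/action-gh-release@v1`, a third-party action referenced by a mutable tag; pinning it, e.g. `uses: softprops/action-gh-release@<full-commit-sha>  # v1`, keeps a retagged upstream from running with that token. A tighter layout would leave the build jobs on the workflow's `read-all` default and move the upload into a separate tag-only job that downloads the artifacts the build jobs already upload. Separately, `release-digests` decodes each `*_DIGESTS` value without checking that it is non-empty, so a leg whose hash step was skipped (the conditions hard-code `clang++-12` and `g++-10`) would silently drop its zip from the provenance subjects; a guard such as `[ -n "$LINUXGCC_DIGESTS" ] || exit 1` per variable would catch that. The job bodies start outside the visible hunks, so this is based on the added lines only.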
|
|||||||
@@ -61,6 +61,18 @@ You can download and install flatbuffers using the [vcpkg](https://github.com/Mi
|
|||||||
The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors.
|
The flatbuffers port in vcpkg is kept up to date by Microsoft team members and community contributors.
|
||||||
If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
|
If the version is out of date, please [create an issue or pull request](https://github.com/Microsoft/vcpkg) on the vcpkg repository.
|
||||||
|
|
||||||
|
## Downloading binaries
|
||||||
|
You can download the binaries from the
|
||||||
|
[GitHub release page](https://github.com/google/flatbuffers/releases).
|
||||||
|
|
||||||
|
We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries:
|
||||||
|
1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
|
||||||
|
1. Download the file named `attestation.intoto.jsonl` from the GitHub release
|
||||||
|
1. Run:
|
||||||
|
```shell
|
||||||
|
$ slsa-verifier -artifact-path <downloaded.zip> -provenance attestation.intoto.jsonl -source github.com/google/flatbuffers -tag <version>
|
||||||
|
PASSED: Verified SLSA provenance
|
||||||
|
|
||||||
## Building for Android
|
## Building for Android
|
||||||
|
|
||||||
There is a `flatbuffers/android` directory that contains all you need to build
|
There is a `flatbuffers/android` directory that contains all you need to build
|
||||||
|
|||||||