
Commit f4aded1

committed
build: adding provenance generation to ruby release-please workflow
1 parent 42ccae5 commit f4aded1

5 files changed

+79
-1
lines changed

.github/actions/publish/action.yml

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,10 @@ inputs:
44
dry_run:
55
description: 'Is this a dry run. If so no package will be published.'
66
required: true
7+
outputs:
8+
gem-hash:
9+
description: "base64-encoded sha256 hashes of distribution files"
10+
value: ${{ steps.gem-hash.outputs.gem-hash }}
711

812
runs:
913
using: composite
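Review bot: the new `description` for `gem-hash` uses double quotes while the existing `dry_run` description two lines above uses single quotes; keep one quoting style within the `action.yml` so the file stays consistent.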
@@ -12,6 +16,12 @@ runs:
1216
shell: bash
1317
run: gem build launchdarkly-server-sdk.gemspec
1418

19+
- name: Hash gem for provenance
20+
id: gem-hash
21+
shell: bash
22+
run: |
23+
echo "gem-hash=$(sha256sum launchdarkly-server-sdk-*.gem | base64 -w0)" >> "$GITHUB_OUTPUT"
24+
1525
- name: Publish Library
1626
shell: bash
1727
if: ${{ inputs.dry_run == 'false' }}
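Review bot: the `Hash gem for provenance` step cannot fail, so a missing or stale gem silently produces a bad subject list. Because the `sha256sum ... | base64 -w0` pipeline runs inside `$(...)` as an argument to `echo`, its exit status is discarded: if the glob `launchdarkly-server-sdk-*.gem` matches nothing, an empty (or base64 of an error-free empty) value is written to `$GITHUB_OUTPUT` and the downstream provenance job receives no subjects; if an earlier build left an extra `.gem` in the workspace, that artifact is attested too. Suggest `set -euo pipefail`, assigning first (`hash=$(sha256sum launchdarkly-server-sdk-*.gem | base64 -w0)`) so the substitution's status is checked, and then `echo "gem-hash=$hash" >> "$GITHUB_OUTPUT"`, ideally after hashing only the gem produced by the `gem build` step directly above.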

.github/workflows/manual-publish.yml

Lines changed: 16 additions & 0 deletions
@@ -14,6 +14,8 @@ jobs:
1414
permissions:
1515
id-token: write
1616
contents: read
17+
outputs:
18+
gem-hash: ${{ steps.publish.outputs.gem-hash}}
1719
steps:
1820
- uses: actions/checkout@v4
1921

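Review bot: the job output `gem-hash: ${{ steps.publish.outputs.gem-hash}}` references a step with `id: publish`, but this diff does not add an `id: publish` to the `uses: ./.github/actions/publish` step in `manual-publish.yml` (the `release-please.yml` change in this same commit does add one). If the id is absent the output is always empty and `release-provenance` would be handed an empty `base64-subjects`; please confirm the step id, and add the missing space before `}}` for consistency with the other expressions in the file.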
@@ -34,3 +36,17 @@ jobs:
3436
uses: ./.github/actions/publish
3537
with:
3638
dry_run: ${{ inputs.dry_run }}
39+
40+
release-provenance:
41+
needs: [ 'build-publish' ]
42+
runs-on: ubuntu-latest
43+
permissions:
44+
actions: read
45+
id-token: write
46+
contents: write
47+
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
48+
with:
49+
base64-subjects: "${{ needs.build-publish.outputs.gem-hash }}"
50+
upload-assets: true
51+
upload-tag-name: TBD
52+

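Review bot: `upload-tag-name: TBD` is a placeholder committed into a live workflow; with `upload-assets: true` the SLSA generator will try to attach the provenance file to a release tagged `TBD`, which does not exist, so the job will fail or attach the attestation to the wrong release. Replace it with the actual release tag (for example from a workflow input, as `dry_run: ${{ inputs.dry_run }}` is wired). Also consider gating this job the way the publish step is gated: `release-provenance` currently runs even when `inputs.dry_run` is true, so a dry run would still attempt an upload; an `if: ${{ inputs.dry_run == 'false' }}` on the job would mirror the condition used in `action.yml`.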
.github/workflows/release-please.yml

Lines changed: 19 additions & 0 deletions
@@ -12,6 +12,10 @@ jobs:
1212
id-token: write # Needed if using OIDC to get release secrets.
1313
contents: write # Contents and pull-requests are for release-please to make releases.
1414
pull-requests: write
15+
outputs:
16+
release-created: ${{ steps.release.outputs.release_created }}
17+
upload-tag-name: ${{ steps.release.outputs.tag_name }}
18+
gem-hash: ${{ steps.publish.outputs.gem-hash}}
1519
steps:
1620
- uses: google-github-actions/release-please-action@v3
1721
id: release
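Review bot: the new output `release-created: ${{ steps.release.outputs.release_created }}` uses the singular `release_created`, while every existing condition in this workflow (`if: ${{ steps.release.outputs.releases_created }}` at lines 45, 49 and 54 of the diff) uses the plural `releases_created`. If the action only populates the form the rest of the file relies on, this output is an empty string and the `release-provenance` job that checks it will be skipped silently with no provenance published. Use the same output name as the existing conditions, and add the missing space in `gem-hash}}`.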
@@ -41,6 +45,7 @@ jobs:
4145
if: ${{ steps.release.outputs.releases_created }}
4246

4347
- uses: ./.github/actions/publish
48+
id: publish
4449
if: ${{ steps.release.outputs.releases_created }}
4550
with:
4651
dry_run: false
@@ -49,3 +54,17 @@ jobs:
4954
if: ${{ steps.release.outputs.releases_created }}
5055
with:
5156
token: ${{secrets.GITHUB_TOKEN}}
57+
58+
release-provenance:
59+
needs: [ 'release-package' ]
60+
if: ${{ needs.release-package.outputs.release-created }}
61+
runs-on: ubuntu-latest
62+
permissions:
63+
actions: read
64+
id-token: write
65+
contents: write
66+
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
67+
with:
68+
base64-subjects: "${{ needs.release-package.outputs.gem-hash }}"
69+
upload-assets: true
70+
upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
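Review bot: `if: ${{ needs.release-package.outputs.release-created }}` makes provenance publication depend on a job output that is derived from `steps.release.outputs.release_created`, whereas the release steps themselves are gated on `releases_created`; if the two names diverge the provenance job is skipped even though the gem was published, and nothing in the workflow would flag the missing attestation. Worth verifying on a real release run that `release-provenance` actually executes and that the asset lands on the tag in `upload-tag-name`, since a silently skipped job here defeats the purpose of the change.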

PROVENANCE.md

Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
## Verifying SDK build provenance with the SLSA framework
2+
3+
LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
4+
5+
As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `multiple-provenance.intoto.jsonl`.
6+
7+
To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages is included below:
8+
9+
```
10+
# Download gem
11+
$ gem fetch launchdarkly-server-sdk
12+
13+
# Download provenance from Github release
14+
$ curl --location -O \
15+
https://github.com/launchdarkly/ruby-server-sdk/releases/download/VERSION/multiple.intoto.jsonl
16+
17+
# Run slsa-verifier to verify provenance against package artifacts
18+
$ slsa-verifier verify-artifact \
19+
--provenance-path multiple-provenance.intoto.jsonl \
20+
--source-uri github.com/launchdarkly/ruby-server-sdk \
21+
launchdarkly-server-sdk-VERSION.gem
22+
23+
TBD OUTPUT
24+
```
25+
26+
Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
27+
28+
**Note:** These instructions do not apply when building our SDKs from source.
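Review bot: the provenance file name is inconsistent within the document: the introductory paragraph and the `--provenance-path` argument refer to `multiple-provenance.intoto.jsonl`, but the `curl` command downloads `multiple.intoto.jsonl`, so a reader following the steps verbatim gets a "file not found" from `slsa-verifier`. Pick the name the generator actually uploads and use it in all three places. `TBD OUTPUT` should be replaced with real verifier output before this ships, and "Github" should read "GitHub". Since the example verifies only `--source-uri`, it confirms the gem was built from this repository but not from the release the user fetched; `slsa-verifier verify-artifact` also accepts `--source-tag VERSION`, which would bind the check to the tag the gem claims to be.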

README.md

Lines changed: 6 additions & 1 deletion
@@ -39,7 +39,12 @@ Contributing
3939
------------
4040

4141
We encourage pull requests and other contributions from the community. Check out our [contributing guidelines](CONTRIBUTING.md) for instructions on how to contribute to this SDK.
42-
42+
43+
Verifying SDK build provenance with the SLSA framework
44+
------------
45+
46+
LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages. To learn more, see the [provenance guide](PROVENANCE.md).
47+
4348
About LaunchDarkly
4449
-----------
4550
