Add provenance to releases and publish SBOMs (#7784)

* Add more names * split build and publish * add attestation and SBOM * format file * Add toplevel permissions * fix missing path * move provenance down * fix release workflow * simplify steps
2024-08-30 18:33:04 +00:00 · 2024-08-02 02:54:19 +02:00 · 2024-08-02 02:54:19 +02:00 · dcc351be11
commit dcc351be11
parent 2cb8f4128e
2 changed files with 30 additions and 5 deletions
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@ -1,13 +1,16 @@
 # Runs on releases

-name: Publish release notes
+name: Publish release
 on:
  release:
    types: [published]
+permissions:
+  contents: read

 jobs:
  stable:
    runs-on: ubuntu-latest
+    name: Write release to stable branch
    permissions:
      contents: write
      pull-requests: write
@ -28,11 +31,13 @@ jobs:
          branch: stable
          force: true

-  publish-build:
+  build:
    runs-on: ubuntu-latest
+    name: Build and attest frontend
    permissions:
+      id-token: write
      contents: write
-      pull-requests: write
+      attestations: write
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7
      - name: Environment Setup
@ -43,6 +48,11 @@ jobs:
        run: cd src/frontend && yarn install
      - name: Build frontend
        run: cd src/frontend && npm run compile && npm run build
+      - name: Create SBOM for frontend
+        uses: anchore/sbom-action@v0
+        with:
+          artifact-name: frontend-build.spdx
+          path: src/frontend
      - name: Write version file - SHA
        run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt
      - name: Write version file - TAG
@ -51,10 +61,25 @@ jobs:
        run: |
          cd src/backend/InvenTree/web/static/web
          zip -r ../frontend-build.zip * .vite
-      - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
+      - name: Attest Build Provenance
+        id: attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip"
+
+      - name: Upload frontend
+        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: src/backend/InvenTree/web/static/frontend-build.zip
          asset_name: frontend-build.zip
          tag: ${{ github.ref }}
          overwrite: true
+      - name: Upload Attestation
+        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0
+        with:
+          repo_token: ${{ secrets.GITHUB_TOKEN }}
+          asset_name: frontend-build.intoto.jsonl
+          file: ${{ steps.attest.outputs.bundle-path}}
+          tag: ${{ github.ref }}
+          overwrite: true
--- a/pyproject.toml
+++ b/pyproject.toml
@ -87,4 +87,4 @@ known_django="django"
 sections=["FUTURE","STDLIB","DJANGO","THIRDPARTY","FIRSTPARTY","LOCALFOLDER"]

 [tool.codespell]
-ignore-words-list = ["assertIn","SME"]
+ignore-words-list = ["assertIn","SME","intoto"]