feat: Add attestations (#58)

* feat: Add attestations

* Trial attestation

* fix: Permissions

* feat: Add attestation on main only

* docs: Mention how to verify downloads

Author: PossibleLlama

.devcontainer/devcontainer.json

@@ -10,6 +10,10 @@
 		},
 		"ghcr.io/guiyomh/features/golangci-lint:0": {
 			"version": "latest"
+		},
+		"ghcr.io/devcontainers/features/github-cli:1": {
+			"installDirectlyFromGitHubRelease": true,
+			"version": "latest"
 		}
 	}
 

.github/workflows/commit-all.yaml

@@ -15,7 +15,7 @@ jobs:
         goarch:
           - amd64
           - arm64
-    uses: PossibleLlama/workflows/.github/workflows/[email protected].15
+    uses: PossibleLlama/workflows/.github/workflows/[email protected].16
     with:
       source-path: "./exec/cli/main.go"
       build-flags: "-ldflags=\"-w -s -X 'main.VERSION=$(git rev-list -1 HEAD)'\""

.github/workflows/commit-main.yaml

@@ -20,13 +20,18 @@ jobs:
         goarch:
           - amd64
           - arm64
-    uses: PossibleLlama/workflows/.github/workflows/[email protected]
+    uses: PossibleLlama/workflows/.github/workflows/[email protected]
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     with:
       source-path: "./exec/cli/main.go"
       build-flags: "-ldflags=\"-w -s -X 'main.VERSION=$(git rev-list -1 HEAD)'\""
       os: ${{ matrix.goos }}
       arch: ${{ matrix.goarch }}
       retention-days: 30
+      attestation: true
 
   security:
     name: Security checks

docs/README.md

@@ -92,3 +92,27 @@ Required configuration:
 
 Optional configuration:
 - `assignee` - Filter the card to only those assigned this email.
+
+## Verification
+
+To verify that the downloaded artifacts were built from
+this repository, you can run a check using the [Github CLI](https://cli.github.com/manual/gh_attestation_verify).
+
+If these commands fail, it indicates that they were not
+built correctly, and it's advised that you download the
+artifacts directly from the [releases page](https://github.com/PossibleLlama/commit-check/releases).
+
+To verify that the downloaded artifact originates from
+this repo, you can run the following against the binary.
+
+``` bash
+gh attestation verify --owner "PossibleLlama" commit-check.bin
+```
+
+The build uses [this reusable workflow](https://github.com/PossibleLlama/workflows/blob/main/.github/workflows/golang-binary.yaml),
+and as such the build can be verified that it was built
+from that workflow.
+
+```bash
+Run gh attestation verify --owner PossibleLlama --signer-workflow "PossibleLlama/workflows/.github/workflows/golang-binary.yaml" commit-check-linux-amd64.bin
+```