Update GitHub CLI release process to generate artifact attestations #9041

thepwagner opened this issue May 3, 2024 · 1 comment · May be fixed by #9087
Assignees
Labels
gh-attestation related to the gh attestation command tech-debt A chore that addresses technical debt

Comments

@thepwagner

thepwagner commented May 3, 2024

Describe the feature or problem you’d like to solve

Integrate the features announced in https://github.com/cli/cli/releases/tag/v2.49.0 , to attest the artifacts attached to cli/cli releases.

The only usage of id-token: from Actions I can see looks like a regression test, https://github.com/search?q=repo%3Acli%2Fcli+%2Fattest%2F+language%3AYAML&type=code&l=YAML

Proposed solution

Call actions/attest-build-provenance with each artifact produced.
If you'd prefer to sign the digest file (1 operation vs N operations for each platform/arch), that works for me too!

  • Users of CLI will have a "live" example of a verifiable artifact to play with.
  • Users of CLI will be able to verify the authentication of the CLI that they just downloaded.
  • Consumers of actions/attest-build-provenance data will have an ~official pattern (e.g. sign each artifact vs the digest file), that other repos may follow.

Additional context

Assumption: I'm doing this right:

$ gh attestation verify gh_2.49.0_macOS_arm64.zip -o cli
Loaded digest sha256:4c589dfabdf92d33df8bb4af474f6a5dc1945e2a67247469260104fbfd58978c for file://gh_2.49.0_macOS_arm64.zip
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from cli: HTTP 404: Not Found (https://api.github.com/orgs/cli/attestations/sha256:4c589dfabdf92d33df8bb4af474f6a5dc1945e2a67247469260104fbfd58978c?per_page=30)
$ gh attestation verify gh_2.49.0_checksums.txt -o cli
Loaded digest sha256:ee1fa24e93d70cde0676321c57fe888dc41238b352a14aff3da2a2f7576c71a2 for file://gh_2.49.0_checksums.txt
✗ Loading attestations from GitHub API failed

Error: failed to fetch attestations from cli: HTTP 404: Not Found (https://api.github.com/orgs/cli/attestations/sha256:ee1fa24e93d70cde0676321c57fe888dc41238b352a14aff3da2a2f7576c71a2?per_page=30)
@thepwagner thepwagner added the enhancement a request to improve CLI label May 3, 2024
@cliAutomation cliAutomation added the needs-triage needs to be reviewed label May 3, 2024
@williammartin williammartin added the gh-attestation related to the gh attestation command label May 4, 2024
@andyfeller andyfeller changed the title Attest release artifacts Update GitHub CLI release process to generate artifact attestations May 7, 2024
@andyfeller andyfeller removed the needs-triage needs to be reviewed label May 7, 2024
@andyfeller
Contributor

@malancas @phillmv : Any concerns or considerations for the various release assets we generate in order to generate artifact attestations?

Looking at the v2.49.0 release shows the various Debian and RPM packages, compiled source code, Windows exe and MSI installer:

  • GitHub CLI 2.49.0 linux 386 deb
  • GitHub CLI 2.49.0 linux 386 RPM
  • GitHub CLI 2.49.0 linux 386
  • GitHub CLI 2.49.0 linux amd64 deb
  • GitHub CLI 2.49.0 linux amd64 RPM
  • GitHub CLI 2.49.0 linux amd64
  • GitHub CLI 2.49.0 linux arm64 deb
  • GitHub CLI 2.49.0 linux arm64 RPM
  • GitHub CLI 2.49.0 linux arm64
  • GitHub CLI 2.49.0 linux armv6 deb
  • GitHub CLI 2.49.0 linux armv6 RPM
  • GitHub CLI 2.49.0 linux armv6
  • GitHub CLI 2.49.0 macOS amd64
  • GitHub CLI 2.49.0 macOS arm64
  • GitHub CLI 2.49.0 windows 386 installer
  • GitHub CLI 2.49.0 windows 386
  • GitHub CLI 2.49.0 windows amd64 installer
  • GitHub CLI 2.49.0 windows amd64
  • GitHub CLI 2.49.0 windows arm64

Looking at the deployment workflow, I assume this would be incorporated into the release job for production environments similar to the GPG signing logic below:

```yaml
release:
  runs-on: ubuntu-latest
  needs: [linux, macos, windows]
  environment: ${{ inputs.environment }}
  if: inputs.release
  steps:
    - name: Checkout cli/cli
      uses: actions/checkout@v4
    - name: Merge built artifacts
      uses: actions/download-artifact@v4
    - name: Checkout documentation site
      uses: actions/checkout@v4
      with:
        repository: github/cli.github.com
        path: site
        fetch-depth: 0
        token: ${{ secrets.SITE_DEPLOY_PAT }}
    - name: Update site man pages
      env:
        GIT_COMMITTER_NAME: cli automation
        GIT_AUTHOR_NAME: cli automation
        GIT_COMMITTER_EMAIL: [email protected]
        GIT_AUTHOR_EMAIL: [email protected]
        TAG_NAME: ${{ inputs.tag_name }}
      run: |
        git -C site rm 'manual/gh*.md' 2>/dev/null || true
        tar -xzvf linux/manual.tar.gz -C site
        git -C site add 'manual/gh*.md'
        sed -i.bak -E "s/(assign version = )\".+\"/\1\"${TAG_NAME#v}\"/" site/index.html
        rm -f site/index.html.bak
        git -C site add index.html
        git -C site diff --quiet --cached || git -C site commit -m "gh ${TAG_NAME#v}"
    - name: Prepare release assets
      env:
        TAG_NAME: ${{ inputs.tag_name }}
      run: |
        shopt -s failglob
        rm -rf dist
        mkdir dist
        mv -v {linux,macos,windows}/gh_* dist/
    - name: Install packaging dependencies
      run: sudo apt-get install -y rpm reprepro
    - name: Set up GPG
      if: inputs.environment == 'production'
      env:
        GPG_PUBKEY: ${{ secrets.GPG_PUBKEY }}
        GPG_KEY: ${{ secrets.GPG_KEY }}
        GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        GPG_KEYGRIP: ${{ secrets.GPG_KEYGRIP }}
      run: |
        base64 -d <<<"$GPG_PUBKEY" | gpg --import --no-tty --batch --yes
        base64 -d <<<"$GPG_KEY" | gpg --import --no-tty --batch --yes
        echo "allow-preset-passphrase" > ~/.gnupg/gpg-agent.conf
        gpg-connect-agent RELOADAGENT /bye
        /usr/lib/gnupg2/gpg-preset-passphrase --preset "$GPG_KEYGRIP" <<<"$GPG_PASSPHRASE"
```

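The following is an added sketch, not code from cli/cli or from either commenter, of how the two options in the proposal (attest every artifact vs. attest only the digest file) would slot into the release job quoted above, plus the verification check from the issue's "Additional context" turned into a post-release smoke test. Assumptions: the job keeps the name `release` and the `dist/` layout produced by the "Prepare release assets" step, the attestation is gated on `inputs.environment == 'production'` like the GPG step, the job-level `permissions` block is merged with whatever the job already needs to publish, and the runner's preinstalled `gh` is at least 2.49.0 so `gh attestation verify` exists.

```yaml
release:
  runs-on: ubuntu-latest
  needs: [linux, macos, windows]
  environment: ${{ inputs.environment }}
  if: inputs.release
  permissions:
    contents: read         # assumption: add to, do not replace, the job's existing permissions
    id-token: write        # OIDC token that becomes the Sigstore signing identity
    attestations: write    # lets the action store provenance in the attestations API
  steps:
    # ... checkout, download-artifact and "Prepare release assets" unchanged ...
    - name: Attest release assets
      if: inputs.environment == 'production'
      uses: actions/attest-build-provenance@v1
      with:
        # Option 1 from the issue: every asset in dist/ becomes a subject
        # (one action invocation, one attestation per artifact digest).
        subject-path: dist/gh_*
        # Option 2: attest only the digest file and let consumers tie each
        # artifact to it with `sha256sum -c gh_<version>_checksums.txt`:
        # subject-path: dist/gh_*_checksums.txt
    - name: Smoke-test the attestations
      if: inputs.environment == 'production'
      env:
        GH_TOKEN: ${{ github.token }}
      run: |
        # Same check a user runs after download; with option 2, verify only
        # the checksums file here. Until the step above exists this is the
        # HTTP 404 shown in the issue, so a failure here blocks the release.
        for f in dist/gh_*; do
          gh attestation verify "$f" -R "$GITHUB_REPOSITORY"
        done
```

With option 2 the user-side check is two commands: `gh attestation verify gh_2.49.0_checksums.txt -R cli/cli` followed by `sha256sum -c gh_2.49.0_checksums.txt` in the download directory; the second command is what binds each platform binary to the single attested digest file, so an artifact missing from the checksums file is unverified even though the attestation check passed.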
@andyfeller andyfeller added tech-debt A chore that addresses technical debt and removed enhancement a request to improve CLI labels May 7, 2024
@malancas malancas self-assigned this May 15, 2024
@malancas malancas linked a pull request May 15, 2024 that will close this issue