Skip to content

Commit a9cd83d

Browse files
update slsa github action to v2 (#75)
* update github action version Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> * update go in GA Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> * remove redundant header #76 Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> * remove duplicate lines Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> * remove duplicate lines Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> * setup go version from file in g action Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com> --------- Signed-off-by: Nicolas-Peiffer <102670102+Nicolas-Peiffer@users.noreply.github.com>
1 parent f195cc9 commit a9cd83d

6 files changed

Lines changed: 18 additions & 35 deletions

File tree

.github/actions/publish-release/action.yaml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -34,11 +34,12 @@ outputs:
3434
runs:
3535
using: composite
3636
steps:
37-
# Install go with specific version
37+
# Install go with specific version for go build
38+
- uses: actions/checkout@v5
3839
- name: Set up Go
39-
uses: actions/setup-go@v5
40+
uses: actions/setup-go@v6
4041
with:
41-
go-version: ${{ inputs.go-version }} # same version than the one in the go.mod or in the .go-version
42+
go-version-file: ${{ github.workspace }}/go.mod # same version than the one in the go.mod
4243
# Register to ghcr.io container Registry
4344
- name: 'Login to GitHub Container Registry'
4445
uses: docker/login-action@v3
@@ -48,10 +49,10 @@ runs:
4849
password: ${{ inputs.registry_password }}
4950
# Install ko to publish container images
5051
- name: Set up Ko
51-
uses: ko-build/setup-ko@v0.7
52+
uses: ko-build/setup-ko@v0.9
5253
# Install cosign to sign artfacts with goreleaser
5354
- name: Install Cosign
54-
uses: sigstore/cosign-installer@v3.5.0
55+
uses: sigstore/cosign-installer@v3.10.0
5556
# Get LDFLAGS with a makefile command
5657
- shell: bash
5758
name: Get LDFLAGS

.github/actions/verify-attestations/action.yaml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -23,20 +23,20 @@ inputs:
2323
runs:
2424
using: composite
2525
steps:
26-
# Install go with specific version
26+
# Install go latest stable
2727
- name: Set up Go
28-
uses: actions/setup-go@v5
28+
uses: actions/setup-go@v6
2929
with:
30-
go-version: ${{ inputs.go-version }} # same version than the one in the go.mod or in the .go-version
30+
go-version: 'stable'
3131

3232
- shell: bash
3333
name : Install dependencies
3434
run : |
35-
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.5.1
35+
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.7.1
3636
- shell: bash
3737
name: verify image provenance
3838
id: image-provenance
3939
run: |
4040
slsa-verifier verify-image ${{ inputs.image }} \
4141
--source-uri github.com/${{github.repository}} \
42-
--builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v1.10.0
42+
--builder-id https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v2.1.0

.github/workflows/Goreleaser.yaml

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,6 @@ on:
99
- "*"
1010

1111
jobs:
12-
1312
goreleaser:
1413
runs-on: ubuntu-latest
1514
env:
@@ -22,14 +21,13 @@ jobs:
2221
digest: ${{ steps.publish-artifacts.outputs.digest }}
2322
steps:
2423
- name: Checkout
25-
uses: actions/checkout@v4
24+
uses: actions/checkout@v5
2625
with:
2726
fetch-depth: 0
2827
- name: Publish Artifacts
2928
id : publish-artifacts
3029
uses: ./.github/actions/publish-release
3130
with:
32-
go-version: 1.23.6
3331
github_token : ${{ secrets.GITHUB_TOKEN }}
3432
registry: ghcr.io
3533
registry_username: ${{ github.actor }}
@@ -43,7 +41,7 @@ jobs:
4341
actions: read # To read the workflow path.
4442
id-token: write # To sign the provenance.
4543
contents: write # To add assets to a release.
46-
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
44+
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
4745
with:
4846
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
4947
upload-assets: true
@@ -54,7 +52,7 @@ jobs:
5452
actions: read
5553
id-token: write
5654
packages: write
57-
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
55+
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
5856
with:
5957
image: ${{ needs.goreleaser.outputs.image }}
6058
digest: ${{ needs.goreleaser.outputs.digest }}
@@ -72,13 +70,12 @@ jobs:
7270
packages: write
7371
steps:
7472
- name: Checkout
75-
uses: actions/checkout@v4
73+
uses: actions/checkout@v5
7674
with:
77-
fetch-depth: 0
75+
fetch-depth: 0
7876
- name: Verify provenance attestations
7977
id : slsa-verifier
8078
uses: ./.github/actions/verify-attestations
8179
with:
82-
go-version: 1.23.6
8380
github_token : ${{ secrets.GITHUB_TOKEN }}
84-
image: ${{needs.goreleaser.outputs.image}}@${{needs.goreleaser.outputs.digest}}
81+
image: ${{needs.goreleaser.outputs.image}}@${{needs.goreleaser.outputs.digest}}

README.md

Lines changed: 1 addition & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -526,13 +526,11 @@ During the release workflow, certificates and signatures of artifacts are genera
526526
They are signed by a tool named cosign using a keyless mode.
527527
It required an authentication by clicking in links present in logs.
528528

529-
![Screenshot of one example of logs containing three authentication links generating tokens](docs/images/cosign/AuthLinksCosign.png)
530529
![Screenshot of one example of logs containing three authentication links generating tokens](docs/images/cosign/AuthLinksCosign.png)
531530

532531
Once you click on one, you can submit a verification code that will redirect you to three types of authentication. Then click on Github authentication.
533532

534-
![Screenshot of the interface for submitting a code](docs/images/cosign/CodeSubmit.png)
535-
![Screenshot of the interface for submitting a code](docs/images/cosign/CodeSubmit.png)
533+
![Screenshot of the interface for submitting a code](docs/images/cosign/CodeSubmit.png)
536534

537535
Do these actions for every authentication links and the signatures and the certificates will be generated with the artifacts in the release.
538536

pkg/providers/p11.go

Lines changed: 0 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -716,7 +716,6 @@ func (p *P11) decryptWithContext(req *k8skmsv2.DecryptRequest, isRotation bool)
716716
return nil, err
717717
}
718718
case jose.AlgRSAOAEP:
719-
logrus.Tracef("p11:Decrypt case %s", jose.AlgRSAOAEP)
720719
logrus.Tracef("p11:Decrypt case %s", jose.AlgRSAOAEP)
721720
// load pkcs11 context
722721
var rsaKeyPair crypto11.SignerDecrypter
@@ -778,7 +777,6 @@ func (p *P11) Encrypt(ctx context.Context, req *k8skmsv2.EncryptRequest) (resp *
778777
// Select algorithm
779778
switch p.algorithm {
780779
case jose.AlgA256GCM:
781-
logrus.Tracef("p11:Encrypt case %s", jose.AlgA256GCM)
782780
logrus.Tracef("p11:Encrypt case %s", jose.AlgA256GCM)
783781
// Find the KEK in the KMS
784782
var kek *crypto11.SecretKey
@@ -812,7 +810,6 @@ func (p *P11) Encrypt(ctx context.Context, req *k8skmsv2.EncryptRequest) (resp *
812810
}
813811

814812
case jose.AlgA256CBC:
815-
logrus.Tracef("p11:Encrypt case %s", jose.AlgA256CBC)
816813
logrus.Tracef("p11:Encrypt case %s", jose.AlgA256CBC)
817814
// Find the KEK in the KMS
818815
var kek *crypto11.SecretKey
@@ -864,7 +861,6 @@ func (p *P11) Encrypt(ctx context.Context, req *k8skmsv2.EncryptRequest) (resp *
864861
}
865862

866863
case jose.AlgRSAOAEP:
867-
logrus.Tracef("p11:Encrypt case %s", jose.AlgRSAOAEP)
868864
logrus.Tracef("p11:Encrypt case %s", jose.AlgRSAOAEP)
869865
//TODO generate a jwk with the kid of the public key. Ex :
870866
// {"kty":"EC",

pkg/providers/p11_test.go

Lines changed: 0 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,15 +7,6 @@
77
* https://opensource.org/licenses/MIT.
88
*/
99

10-
/*
11-
* Copyright 2025 Thales Group
12-
* SPDX-License-Identifier: MIT
13-
*
14-
* Use of this source code is governed by an MIT-style
15-
* license that can be found in the LICENSE file or at
16-
* https://opensource.org/licenses/MIT.
17-
*/
18-
1910
package providers
2011

2112
import (

0 commit comments

Comments
 (0)