GH Actions: provide attestations for release PHAR files #574

Merged: 1 commit merged into master from feature/ghactions-attest-phars-for-tags, Jul 31, 2024

Conversation

@jrfnl (Member) commented Jul 23, 2024

Description

GitHub has released a new feature called Artifact Attestations, which allows for verifying the integrity of artifacts built via GitHub Actions.

This is an additional security and compliance feature, which allows for checking which workflow built the artifact and ensuring the artifact has not been tampered with after generation by the workflow.

To me, this sounds like a good addition to the build process for release PHARs, so this commit implements attesting PHARs for releases.

To verify the PHAR files (after the next release, which will be the first to use this feature):

  • Download the PHAR file(s), either from "Releases", from the tag "Test" workflow run or via PHIVE.
  • If downloaded as a zipped artifact, unzip to get to the actual PHAR files.
  • Using the GitHub CLI tool, run the below command to verify:

```bash
gh attestation verify phpcs.phar -o PHPCSStandards
gh attestation verify phpcbf.phar -o PHPCSStandards
```

Note: I've tested this by temporarily commenting out the "releases only" condition and have succeeded in verifying the generated artifacts using the above steps.

References:

  • https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
  • https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
  • https://github.com/actions/attest-build-provenance
  • https://cli.github.com/
  • https://github.com/cli/cli

Suggested changelog entry

  • The provenance of PHAR files associated with a release can now be verified via GitHub Artifact Attestations using the GitHub CLI tool with the following command: gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards

Note: this should probably also be mentioned in the README.

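The verification procedure from the PR description, scripted as an added example (this is not code from the PR or from the project). It assumes the GitHub CLI (`gh`) is installed and authenticated, and that the release PHARs carry provenance attestations produced by actions/attest-build-provenance as the PR describes. The owner `PHPCSStandards` is taken from the PR; the optional `-R OWNER/REPO` pin is an added suggestion, and the repository name is not on this page, so the caller supplies it.

```shell
#!/bin/sh
# Added example, not code from the PR or the project. Wraps `gh attestation verify`
# so that verification of the release PHARs fails closed. Assumes the GitHub CLI
# (gh) is installed and authenticated and that the PHARs were attested via
# actions/attest-build-provenance, as the PR describes. The owner "PHPCSStandards"
# is from the PR; the optional OWNER/REPO pin (-R) is an added suggestion and the
# repository name must be supplied by the caller.

# verify_phar FILE OWNER [OWNER/REPO]
# Exit status: 0 if gh confirms a valid attestation, 2 on an input problem,
# otherwise gh's own non-zero status.
verify_phar() {
  file=$1
  owner=$2
  repo=${3:-}

  # The attestation covers the PHAR itself, not the zipped workflow artifact,
  # so a .zip must be extracted first (the PR's second step).
  case "$file" in
    *.zip)
      echo "refusing to verify a zip archive: extract it and verify the .phar inside" >&2
      return 2 ;;
  esac

  if [ ! -s "$file" ]; then
    echo "missing or empty file: $file" >&2
    return 2
  fi

  if [ -n "$repo" ]; then
    # -R restricts acceptable attestations to one repository;
    # -o accepts an attestation from any repository in the organisation.
    gh attestation verify "$file" -R "$repo"
  else
    gh attestation verify "$file" -o "$owner"
  fi
}

# verify_release_phars OWNER [OWNER/REPO]
# Verifies phpcs.phar and phpcbf.phar in the current directory, checking both
# before reporting so a single run shows every failure. Returns 1 if any failed.
verify_release_phars() {
  owner=$1
  repo=${2:-}
  rc=0
  for f in phpcs.phar phpcbf.phar; do
    if verify_phar "$f" "$owner" "$repo"; then
      echo "OK   $f"
    else
      echo "FAIL $f" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Typical use after downloading both PHARs from the release:
#   verify_release_phars PHPCSStandards
```

The `-o` form is exactly what the PR documents; it accepts an attestation from any repository owned by that organisation. Pinning with `-R` narrows that to a single repository, which is the stricter check to use in CI once you know which repository publishes the PHARs.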
@jrfnl force-pushed the feature/ghactions-attest-phars-for-tags branch from 927d93a to 51e7828 on July 31, 2024 04:17
@jrfnl (Member, Author) commented Jul 31, 2024

Rebased without changes. Merging once the build has passed.

@jrfnl jrfnl merged commit 0855bf2 into master Jul 31, 2024
48 checks passed
@jrfnl jrfnl deleted the feature/ghactions-attest-phars-for-tags branch July 31, 2024 04:44