From b90986e78a5e21c0ece2a302aa0bc277cf9907a7 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Tue, 3 Mar 2026 17:22:17 +0400 Subject: [PATCH 1/6] ci: add build provenance attestations for release artifacts Add SLSA build provenance attestations using actions/attest to the release workflow. This allows users to verify the origin of release artifacts with `gh attestation verify`. Changes: - Add attestations:write permission to reusable-release workflow - Add actions/attest step after GoReleaser (skipped for canary builds) - Set fixed checksums filename in goreleaser.yml for predictable path --- .github/workflows/reusable-release.yaml | 7 +++++++ goreleaser.yml | 3 +++ 2 files changed, 10 insertions(+) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index a08b1106d4..b1cff3ed98 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -25,6 +25,7 @@ jobs: id-token: write # For cosign packages: write # For GHCR contents: read # Not required for public repositories, but for clarity + attestations: write # For build provenance attestations steps: - name: Cosign install uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 @@ -115,6 +116,12 @@ jobs: ghcr.io/aquasecurity/trivy:canary public.ecr.aws/aquasecurity/trivy:canary + - name: Generate build provenance attestations + if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-checksums: dist/checksums.txt + - name: Cache Trivy binaries uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 with: diff --git a/goreleaser.yml b/goreleaser.yml index bc8346f07e..e09d5cd00c 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -111,6 +111,9 @@ nfpms: signature: key_file: '{{ .Env.GPG_FILE }}' +checksum: + name_template: checksums.txt + archives: - id: archive format: tar.gz 
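Review bot: Callers of this reusable workflow that declare their own `permissions:` block must also grant `attestations: write`, because a called workflow can only narrow the caller job's token permissions and the run is rejected when it requests more; the callers are outside this diff, so check them. The new line follows the file's trailing-comment convention, and that comment is the right place to record the dependency: `attestations: write # For build provenance attestations (actions/attest); callers must grant this too`. The permissions block is complete within the hunk; the steps list that follows it continues outside.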
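Review bot: The attest step passes only `subject-checksums` to `actions/attest`, which is the generic attestation action; in the versions of it I know, `predicate-type` is a required input and one of `predicate` or `predicate-path` must be supplied, so confirm from the pinned v4.1.0 action.yml that omitting them produces a SLSA build-provenance predicate rather than a failed step. If it does not, the usual fix is `uses: actions/attest-build-provenance@<PINNED_SHA> # <version>`, which generates the provenance predicate itself and accepts the same `subject-checksums` input. The same step is reworked in patches 2/6, 4/6 and 5/6 and the point applies to each; the throwaway workflow added in 3/6 and removed in 6/6 presumably exercised it, so its run log is where to confirm.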
From 88eb9d291f9870953d33b83b564c56a415aa1a07 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Fri, 6 Mar 2026 13:25:49 +0400 Subject: [PATCH 2/6] ci: use versioned checksum filename for build provenance attestations Use the default goreleaser checksum filename (trivy_X.Y.Z_checksums.txt) instead of the custom checksums.txt, to stay consistent with the install script (contrib/install.sh) which expects the versioned filename. --- .github/workflows/reusable-release.yaml | 2 +- goreleaser.yml | 3 --- 2 files changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index b1cff3ed98..b362406bd6 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -120,7 +120,7 @@ jobs: if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: - subject-checksums: dist/checksums.txt + subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt - name: Cache Trivy binaries uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 diff --git a/goreleaser.yml b/goreleaser.yml index e09d5cd00c..bc8346f07e 100644 --- a/goreleaser.yml +++ b/goreleaser.yml @@ -111,9 +111,6 @@ nfpms: signature: key_file: '{{ .Env.GPG_FILE }}' -checksum: - name_template: checksums.txt - archives: - id: archive format: tar.gz From ca86c46b880afe78ad25cd3cc7322f7a1d799bf7 Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 11 Mar 2026 10:54:25 +0900 Subject: [PATCH 3/6] ci: add test provenance workflow --- .github/workflows/test-provenance.yaml | 39 ++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/test-provenance.yaml diff --git a/.github/workflows/test-provenance.yaml b/.github/workflows/test-provenance.yaml new file mode 100644 index 0000000000..f133035dfb --- /dev/null +++ b/.github/workflows/test-provenance.yaml 
@@ -0,0 +1,39 @@ +name: Test Provenance +on: + push: + tags: + - "v*" + +jobs: + release: + name: Release + runs-on: ubuntu-latest + permissions: + id-token: write + packages: write + contents: write + attestations: write + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + + - name: Setup Go + uses: ./.github/actions/setup-go + + - name: GoReleaser + uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 + with: + version: v2.1.0 + args: release -f=goreleaser.yml --clean --timeout 90m --skip=sign,docker,publish,sbom,nfpm,homebrew + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: List dist directory + run: ls -la dist/ | grep -i checksum + + - name: Generate build provenance attestations + uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 + with: + subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt From b841126820f19d22c3658a2a0ab18017518921de Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 11 Mar 2026 11:39:25 +0900 Subject: [PATCH 4/6] ci: fix checksum filename by stripping v prefix and add minimal test config --- .github/workflows/reusable-release.yaml | 7 ++++++- .github/workflows/test-provenance.yaml | 8 ++++++-- goreleaser-test.yml | 27 +++++++++++++++++++++++++ 3 files changed, 39 insertions(+), 3 deletions(-) create mode 100644 goreleaser-test.yml diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index b362406bd6..0cc669ec82 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml 
@@ -116,11 +116,16 @@ jobs: ghcr.io/aquasecurity/trivy:canary public.ecr.aws/aquasecurity/trivy:canary + - name: Extract version + if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} + id: extract-version + run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" + - name: Generate build provenance attestations if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: - subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt + subject-checksums: dist/trivy_${{ steps.extract-version.outputs.version }}_checksums.txt - name: Cache Trivy binaries uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 diff --git a/.github/workflows/test-provenance.yaml b/.github/workflows/test-provenance.yaml index f133035dfb..6bfdc159c7 100644 --- a/.github/workflows/test-provenance.yaml +++ b/.github/workflows/test-provenance.yaml @@ -26,14 +26,18 @@ jobs: uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.1.0 - args: release -f=goreleaser.yml --clean --timeout 90m --skip=sign,docker,publish,sbom,nfpm,homebrew + args: release -f=goreleaser-test.yml --clean --timeout 90m --skip=sign,docker,publish,sbom,nfpm,homebrew env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: List dist directory run: ls -la dist/ | grep -i checksum + - name: Extract version + id: extract-version + run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" + - name: Generate build provenance attestations uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: - subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt + subject-checksums: dist/trivy_${{ steps.extract-version.outputs.version }}_checksums.txt diff --git a/goreleaser-test.yml b/goreleaser-test.yml new file mode 100644 index 0000000000..220427defc --- /dev/null +++ b/goreleaser-test.yml 
@@ -0,0 +1,27 @@ +version: 2 + +project_name: trivy +builds: + - id: build-linux + main: ./cmd/trivy/ + binary: trivy + ldflags: + - -s -w + - "-extldflags '-static'" + - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}} + env: + - CGO_ENABLED=0 + - GOEXPERIMENT=jsonv2 + goos: + - linux + goarch: + - amd64 + +archives: + - id: archive + format: tar.gz + name_template: >- + {{ .ProjectName }}_{{ .Version }}_Linux-64bit + files: + - README.md + - LICENSE From 5451ba474385dce709528aec962bc5a35f77228f Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 11 Mar 2026 11:40:28 +0900 Subject: [PATCH 5/6] ci: use goreleaser metadata output for checksum filename --- .github/workflows/reusable-release.yaml | 8 ++------ .github/workflows/test-provenance.yaml | 9 +++------ 2 files changed, 5 insertions(+), 12 deletions(-) diff --git a/.github/workflows/reusable-release.yaml b/.github/workflows/reusable-release.yaml index 0cc669ec82..7ed82e278d 100644 --- a/.github/workflows/reusable-release.yaml +++ b/.github/workflows/reusable-release.yaml @@ -86,6 +86,7 @@ jobs: mkdir tmp - name: GoReleaser + id: goreleaser uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.1.0 @@ -116,16 +117,11 @@ jobs: ghcr.io/aquasecurity/trivy:canary public.ecr.aws/aquasecurity/trivy:canary - - name: Extract version - if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} - id: extract-version - run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - - name: Generate build provenance attestations if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }} uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: - subject-checksums: dist/trivy_${{ steps.extract-version.outputs.version }}_checksums.txt + subject-checksums: dist/trivy_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_checksums.txt - name: Cache Trivy binaries uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 
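Review bot: The path `dist/trivy_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_checksums.txt` encodes three couplings that are not documented at the step: GoReleaser's default `checksum.name_template`, the `project_name` in goreleaser.yml, and the filename contrib/install.sh downloads (per the patch 2/6 message), so a later rename of any of them breaks attestation with only a file-not-found error. Add a comment above `subject-checksums:` such as `# Must match GoReleaser's default checksum name_template ({{ .ProjectName }}_{{ .Version }}_checksums.txt); contrib/install.sh downloads the same file`. Only artifacts listed in that checksum file become attestation subjects, so anything this job uploads outside the checksum file will not be verifiable with `gh attestation verify`; the container images appear to be covered by the separate cosign flow (the Cosign install step is visible in patch 1/6), which is worth stating in the same comment. The `id: goreleaser` added in the earlier hunk of this patch is what makes `steps.goreleaser.outputs.metadata` resolvable here.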
diff --git a/.github/workflows/test-provenance.yaml b/.github/workflows/test-provenance.yaml index 6bfdc159c7..1abe30045e 100644 --- a/.github/workflows/test-provenance.yaml +++ b/.github/workflows/test-provenance.yaml @@ -23,21 +23,18 @@ jobs: uses: ./.github/actions/setup-go - name: GoReleaser + id: goreleaser uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 with: version: v2.1.0 - args: release -f=goreleaser-test.yml --clean --timeout 90m --skip=sign,docker,publish,sbom,nfpm,homebrew + args: release -f=goreleaser-test.yml --clean --timeout 90m --skip=sign,docker,sbom,nfpm,homebrew env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: List dist directory run: ls -la dist/ | grep -i checksum - - name: Extract version - id: extract-version - run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT" - - name: Generate build provenance attestations uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 with: - subject-checksums: dist/trivy_${{ steps.extract-version.outputs.version }}_checksums.txt + subject-checksums: dist/trivy_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_checksums.txt From badc6e2cde6f23356fce89b532b51197e2f7318d Mon Sep 17 00:00:00 2001 From: knqyf263 Date: Wed, 11 Mar 2026 11:52:37 +0900 Subject: [PATCH 6/6] ci: remove test provenance workflow and config --- .github/workflows/test-provenance.yaml | 40 -------------------------- goreleaser-test.yml | 27 ----------------- 2 files changed, 67 deletions(-) delete mode 100644 .github/workflows/test-provenance.yaml delete mode 100644 goreleaser-test.yml diff --git a/.github/workflows/test-provenance.yaml b/.github/workflows/test-provenance.yaml deleted file mode 100644 index 1abe30045e..0000000000 --- a/.github/workflows/test-provenance.yaml +++ /dev/null 
@@ -1,40 +0,0 @@ -name: Test Provenance -on: - push: - tags: - - "v*" - -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: - id-token: write - packages: write - contents: write - attestations: write - steps: - - name: Checkout code - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - fetch-depth: 0 - - - name: Setup Go - uses: ./.github/actions/setup-go - - - name: GoReleaser - id: goreleaser - uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0 - with: - version: v2.1.0 - args: release -f=goreleaser-test.yml --clean --timeout 90m --skip=sign,docker,sbom,nfpm,homebrew - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: List dist directory - run: ls -la dist/ | grep -i checksum - - - name: Generate build provenance attestations - uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0 - with: - subject-checksums: dist/trivy_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_checksums.txt diff --git a/goreleaser-test.yml b/goreleaser-test.yml deleted file mode 100644 index 220427defc..0000000000 --- a/goreleaser-test.yml +++ /dev/null @@ -1,27 +0,0 @@ -version: 2 - -project_name: trivy -builds: - - id: build-linux - main: ./cmd/trivy/ - binary: trivy - ldflags: - - -s -w - - "-extldflags '-static'" - - -X github.com/aquasecurity/trivy/pkg/version/app.ver={{.Version}} - env: - - CGO_ENABLED=0 - - GOEXPERIMENT=jsonv2 - goos: - - linux - goarch: - - amd64 - -archives: - - id: archive - format: tar.gz - name_template: >- - {{ .ProjectName }}_{{ .Version }}_Linux-64bit - files: - - README.md - - LICENSE