dnscontrol
Add SLSA3 provenance to your builds
Since you appear to be using goreleaser in your GH workflow, please consider tweaking your workflow to add SLSA3 provenance:
https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
https://github.blog/enterprise-software/devsecops/enhance-build-security-and-reach-slsa-level-3-with-github-artifact-attestations/
note to self: https://goreleaser.com/blog/slsa-generation-for-your-artifacts/
I started exploring this. My first take is to add a new job to the draft release workflow that calls the generic SLSA generator workflow and signs the build artifacts in dist/ after the release step. This will result in a new file being added to the release assets called multiple.intoto.jsonl and it will contain SLSA provenance attestations for all of the files we select for inclusion. I suggest simply including dist/*dnscontrol* and dist/checksums.txt.
This doesn't cover SLSA attestation for the container images, which I haven't looked into yet.
An alternative is to use the goreleaser action for SLSA/Go, which would be more disruptive to the existing DNSControl release workflow. That approach generates a separate 'intoto' document for each artifact.
Manual verification of the artifacts is about the same either way. In the case of all attestations in one document, the interested user just needs to download the multiple.intoto.jsonl document along with the release artifact(s).
https://github.com/eliheady/dnscontrol/blob/630cf003731c82f534c084670c41a04d547d4ba0/.github/workflows/release_draft.yml#L67-L84
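As an added example that is not part of this thread or of DNSControl's own tooling: the digest check a user performs after downloading multiple.intoto.jsonl next to the release assets, in Python. It decodes each DSSE envelope line, collects the attested subject digests, and compares them with the local files; it does not verify the envelope signatures, which is the job of slsa-verifier. The envelope and file contents are constructed inline, and the file names are assumptions.

```python
import base64
import hashlib
import json
# Constructed stand-ins for the assets the thread proposes to attest
# (dist/*dnscontrol* and dist/checksums.txt); names and bytes are made up.
RELEASE_FILES = {
    "dnscontrol_4.0.0_linux_amd64.tar.gz": b"not a real tarball, just sample bytes",
    "checksums.txt": b"0000 dnscontrol_4.0.0_linux_amd64.tar.gz\n",
}

def build_envelope(files: dict[str, bytes]) -> str:
    """Build one DSSE envelope line shaped like multiple.intoto.jsonl, for an offline
    run. The signature is a placeholder; slsa-verifier must check real ones first."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": n, "digest": {"sha256": hashlib.sha256(b).hexdigest()}}
                    for n, b in files.items()],
        "predicate": {},  # build details omitted in this constructed sample
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json", "payload": payload,
                       "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}]})

def attested_subjects(jsonl_text: str) -> dict[str, str]:
    """Return {subject name: sha256 hex} from each envelope line; payloads only, no signature check."""
    subjects: dict[str, str] = {}
    for line in filter(str.strip, jsonl_text.splitlines()):
        envelope = json.loads(line)
        if envelope.get("payloadType") != "application/vnd.in-toto+json":
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
            raise ValueError(f"not SLSA provenance: {statement.get('predicateType')!r}")
        for subject in statement["subject"]:
            subjects[subject["name"]] = subject["digest"]["sha256"]
    return subjects

def verdict(name: str, data: bytes, attested: dict[str, str]) -> str:
    """'ok' if the file's sha256 matches its attested subject, else the reason."""
    if name not in attested:
        return "not-attested"
    return "ok" if attested[name] == hashlib.sha256(data).hexdigest() else "digest-mismatch"

def check_artifacts(jsonl_text: str, local: dict[str, bytes]) -> dict[str, str]:
    """Map each downloaded file name to its verdict against the provenance file."""
    attested = attested_subjects(jsonl_text)
    return {name: verdict(name, data, attested) for name, data in local.items()}

SAMPLE_JSONL = build_envelope(RELEASE_FILES)
```

A "not-attested" verdict is worth treating as a failure, since the subject list is exactly what the workflow chose to include in the provenance.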