Skip to content

Commit df04fbe

Browse files
committed
feat(ci): add author verification workflow on merge to main
Add a dedicated workflow and contract that performs commit author and signature verification via Chainloop attestation on every merge to main. Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
1 parent 3cfc998 commit df04fbe

2 files changed

Lines changed: 70 additions & 0 deletions

File tree

Lines changed: 51 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,51 @@
1+
name: Author Verification
2+
3+
on:
4+
push:
5+
branches: ["main"]
6+
7+
permissions:
8+
contents: read
9+
id-token: write # required for SLSA attestation
10+
11+
jobs:
12+
verify:
13+
name: Verify Author
14+
runs-on: ubuntu-latest
15+
permissions:
16+
contents: read
17+
id-token: write # required for SLSA provenance - https://docs.chainloop.dev/guides/slsa/
18+
env:
19+
CHAINLOOP_WORKFLOW_NAME: "author-verification"
20+
CHAINLOOP_PROJECT: "chainloop"
21+
22+
steps:
23+
- name: Install Chainloop
24+
run: |
25+
curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
26+
27+
- name: Checkout repository
28+
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
29+
30+
- name: Initialize Attestation
31+
run: |
32+
chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT
33+
env:
34+
# Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
35+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
36+
37+
- name: Finish and Record Attestation
38+
if: ${{ success() }}
39+
run: |
40+
chainloop attestation status --full
41+
chainloop attestation push
42+
43+
- name: Mark attestation as failed
44+
if: ${{ failure() }}
45+
run: |
46+
chainloop attestation reset
47+
48+
- name: Mark attestation as cancelled
49+
if: ${{ cancelled() }}
50+
run: |
51+
chainloop attestation reset --trigger cancellation
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
# Contract for author verification workflow
2+
apiVersion: chainloop.dev/v1
3+
kind: Contract
4+
metadata:
5+
name: chainloop-vault-author-verification
6+
description: Contract for author verification on merge to main
7+
spec:
8+
runner:
9+
type: GITHUB_ACTION
10+
policies:
11+
attestation:
12+
- ref: source-commit
13+
with:
14+
check_signature: "yes"
15+
check_author_verified: "yes"
16+
policyGroups:
17+
- ref: slsa-checks
18+
with:
19+
runner: GITHUB_ACTION

0 commit comments

Comments
 (0)