From ccbfc938a4075f20c88951ea0ac75a9c24136108 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 23 Mar 2026 11:27:12 +0100 Subject: [PATCH 1/2] feat(ci): add author verification workflow on merge to main Add a dedicated workflow and contract that performs commit author and signature verification via Chainloop attestation on every merge to main. Signed-off-by: Miguel Martinez Trivino --- .github/workflows/author_verification.yml | 51 +++++++++++++++++++ .../chainloop-vault-author-verification.yaml | 19 +++++++ 2 files changed, 70 insertions(+) create mode 100644 .github/workflows/author_verification.yml create mode 100644 .github/workflows/contracts/chainloop-vault-author-verification.yaml diff --git a/.github/workflows/author_verification.yml b/.github/workflows/author_verification.yml new file mode 100644 index 000000000..64cf6df21 --- /dev/null +++ b/.github/workflows/author_verification.yml @@ -0,0 +1,51 @@ +name: Author Verification + +on: + push: + branches: ["main"] + +permissions: + contents: read + id-token: write # required for SLSA attestation + +jobs: + verify: + name: Verify Author + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # required for SLSA provenance - https://docs.chainloop.dev/guides/slsa/ + env: + CHAINLOOP_WORKFLOW_NAME: "author-verification" + CHAINLOOP_PROJECT: "chainloop" + + steps: + - name: Install Chainloop + run: | + curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s + + - name: Checkout repository + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + + - name: Initialize Attestation + run: | + chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT + env: + # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Finish and Record Attestation + if: ${{ success() }} + run: | + chainloop attestation status --full + chainloop attestation push + + - name: Mark attestation as failed + if: ${{ failure() }} + run: | + chainloop attestation reset + + - name: Mark attestation as cancelled + if: ${{ cancelled() }} + run: | + chainloop attestation reset --trigger cancellation diff --git a/.github/workflows/contracts/chainloop-vault-author-verification.yaml b/.github/workflows/contracts/chainloop-vault-author-verification.yaml new file mode 100644 index 000000000..b769e7aa7 --- /dev/null +++ b/.github/workflows/contracts/chainloop-vault-author-verification.yaml @@ -0,0 +1,19 @@ +# Contract for author verification workflow +apiVersion: chainloop.dev/v1 +kind: Contract +metadata: + name: chainloop-vault-author-verification + description: Contract for author verification on merge to main +spec: + runner: + type: GITHUB_ACTION + policies: + attestation: + - ref: source-commit + with: + check_signature: "yes" + check_author_verified: "yes" + policyGroups: + - ref: slsa-checks + with: + runner: GITHUB_ACTION From 80f429acd570e09df3d0369aa7e359fc9493b9d2 Mon Sep 17 00:00:00 2001 From: Miguel Martinez Trivino Date: Mon, 23 Mar 2026 12:05:23 +0100 Subject: [PATCH 2/2] fix(ci): remove id-token:write from workflow-level permissions Keep workflow-level permissions minimal; id-token:write is already granted at the job level where it's needed. Signed-off-by: Miguel Martinez Trivino --- .github/workflows/author_verification.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/author_verification.yml b/.github/workflows/author_verification.yml index 64cf6df21..3c3c5aae0 100644 --- a/.github/workflows/author_verification.yml +++ b/.github/workflows/author_verification.yml @@ -4,9 +4,7 @@ on: push: branches: ["main"] -permissions: - contents: read - id-token: write # required for SLSA attestation +permissions: read-all jobs: verify: