
CI: add GitHub artifact attestations for release binaries (fixes #9134)

- grant id-token and attestations permissions to posix_tests job
- add actions/attest-build-provenance@v1 step for built artifacts

This publishes SLSA-style provenance for our tag builds (only when binaries
are produced) so users can verify the origin of downloaded borg binaries.
Thomas Waldmann 1 month ago
parent
commit
a5c8aed7cf
2 changed files with 28 additions and 0 deletions
  1. .github/workflows/ci.yml (+10 -0)
  2. docs/binaries/00_README.txt (+18 -0)

+ 10 - 0
.github/workflows/ci.yml

@@ -62,6 +62,10 @@ jobs:
   posix_tests:
 
     needs: [lint, security]
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
       fail-fast: true
       # noinspection YAMLSchemaValidation
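Review bot: a job-level `permissions` block replaces, rather than extends, whatever the workflow grants by default, so every step in posix_tests is now limited to `contents: read`, `id-token: write` and `attestations: write`; please check that no other step in this job (check/status writes, PR comments, package pushes) needs a scope that this hunk silently drops. The two write scopes are also granted to every matrix leg and every trigger, not only to the tag builds that produce binaries: if the matrix has non-binary legs or the job runs on pull_request events, consider moving the attest step into a small separate job that `needs` posix_tests, so that `id-token: write` (the ability to mint an OIDC token for Sigstore signing) is only available where it is actually used.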
@@ -268,6 +272,12 @@ jobs:
         echo "binary files"
         ls -l artifacts/
 
+    - name: Attest binaries provenance (${{ matrix.binary }})
+      if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
+      uses: actions/attest-build-provenance@v3
+      with:
+        subject-path: 'artifacts/*'
+
     - name: Upload binaries (${{ matrix.binary }})
       if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
       uses: actions/upload-artifact@v4
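Review bot: the commit message says `actions/attest-build-provenance@v1` while the step uses `@v3`; please align the message, and since this is the step that vouches for the integrity of the release binaries, pin it to a full commit SHA (`uses: actions/attest-build-provenance@<sha> # v3.x.y`) instead of a floating major tag that upstream can move. `subject-path: 'artifacts/*'` attests every file under artifacts/, so if that directory ever holds helper or checksum files next to the binaries they will be attested as well; a glob matching only the `-gh` binaries the README describes would keep the subject set tight. The `if:` condition mirrors the upload step, which is right, and the ordering is correct too: the attestation binds to the file digest, so it must run after the last step that modifies the binary and before upload, which is what this hunk does.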

+ 18 - 0
docs/binaries/00_README.txt

@@ -68,6 +68,24 @@ GPG key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
 My fingerprint is also in the footer of all my BorgBackup mailing list posts.
 
 
+Provenance attestations for GitHub-built binaries
+-------------------------------------------------
+
+For binaries built on GitHub (files with a "-gh" suffix in the name), we publish
+an artifact provenance attestation that proves the binary was built by our
+GitHub Actions workflow from a specific commit or tag. You can verify this using
+the GitHub CLI (gh). Install it from https://cli.github.com/ and make sure you
+use a recent version that supports "gh attestation".
+
+Practical example (Linux, 2.0.0b20 tag):
+
+    curl -LO https://github.com/borgbackup/borg/releases/download/2.0.0b20/borg-linux-glibc235-x86_64-gh
+    gh attestation verify --repo borgbackup/borg --ref 2.0.0b20 ./borg-linux-glibc235-x86_64-gh
+
+If verification succeeds, gh prints a summary stating the subject (your file),
+that it was attested by GitHub Actions, and the job/workflow reference.
+
+
 Installing
 ----------
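Review bot: the example runs `gh attestation verify --repo borgbackup/borg --ref 2.0.0b20`; I do not know `--ref` as a `gh attestation verify` flag. In recent gh releases the flag that binds the source revision is `--source-ref 2.0.0b20` (or `--source-digest <commit>` for an exact commit), so please confirm the flag name against the gh version this text targets before it ships, otherwise the documented command fails for every reader. Two related points: `--repo borgbackup/borg` accepts an attestation produced by any workflow in the repository, so the stronger check also passes `--signer-workflow borgbackup/borg/.github/workflows/ci.yml`, pinning the certificate identity to the CI workflow that the other file in this commit modifies; and "a recent version that supports gh attestation" could name a minimum version so that an unknown-command error is recognisable as an outdated gh rather than a typo. Finally, the text says the attestation proves the binary was built "from a specific commit or tag"; that only holds when the verifier passes the source ref or digest flag, so it is worth stating that a bare `--repo` verification proves the builder, not the source revision.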