update

Signed-off-by: laurentsimon <[email protected]>

.github/workflows/release.yaml

@@ -9,7 +9,9 @@ on:
 env:
   GO_VERSION: 1.18.4
 jobs:
-  upload-release:
+  build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code into the Go module directory
@@ -30,14 +32,50 @@ jobs:
         run: make GIT_TAG=${{ github.event.inputs.tag }} -f builder.Makefile cross
 
       - name: Compute checksums
-        run: cd bin; for f in *; do shasum --binary --algorithm 256 $f | tee -a checksums.txt > $f.sha256; done
+        working-directory: bin/
+        run: for f in *; do shasum --binary --algorithm 256 $f | tee -a checksums.txt > $f.sha256; done
+
+      - name: Generate SLSA subjects
+        id: hash
+        working-directory: bin/
+        run: |
+          set -euo pipefail
+          echo "::set-output name=hashes::$(cat checksums.txt | base64 -w0)"
 
       - name: License
         run: cp packaging/* bin/
 
+      - uses: actions/upload-artifact@v3
+        with:
+          name: "bin"
+          path: "bin/*"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions:  read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+
+  release:
+    needs: [build, provenance]
+    runs-on: ubuntu-latest
+    steps:
+      # Download binaries and license.
+      - uses: actions/download-artifact@v3
+        with:
+          name: "bin"
+      # Download provenance file.
+      - uses: actions/download-artifact@v3
+        with:
+          name: "${{ needs.provenance.outputs.attestation-name }}"
+      # Upload to release.
       - uses: ncipollo/release-action@v1
         with:
-          artifacts: "bin/*"
+          artifacts: "*"
           generateReleaseNotes: true
           draft: true
           commit: "v2"

README.md

@@ -1,6 +1,7 @@
 # Docker Compose v2
 
 [![Actions Status](https://github.com/docker/compose/workflows/Continuous%20integration/badge.svg)](https://github.com/docker/compose/actions)
+[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/images/gh-badge-level3.svg)
 
 ![Docker Compose](logo.png?raw=true "Docker Compose Logo")
 
@@ -30,6 +31,16 @@ for Windows and macOS.
 You can download Docker Compose binaries from the
 [release page](https://github.com/docker/compose/releases) on this repository.
 
+We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries:
+1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation)
+1. Download the file named `attestation.intoto.jsonl` from the release
+1. Run:
+```shell
+$ slsa-verifier -artifact-path <binary> -provenance attestation.intoto.jsonl -source github.com/docker/compose -branch v2
+  PASSED: Verified SLSA provenance
+```
+
+
 Rename the relevant binary for your OS to `docker-compose` and copy it to `$HOME/.docker/cli-plugins` 
 
 Or copy it into one of these folders for installing it system-wide: