
chore: slsa 3 provenance generation #753

Closed
developer-guy wants to merge 1 commit into ko-build:main from developer-guy:feat/slsa3


Conversation

@developer-guy (Collaborator)

Signed-off-by: Batuhan Apaydın <batuhan.apaydin@trendyol.com>

Experimental try-out of SLSA 3 provenance generation for the ko project.

cc: @imjasonh @ianlewis

https://github.com/developer-guy/ko/releases/tag/v0.0.0

@developer-guy changed the title from "feat: allow symlink" to "chore: slsa 3 provenance generation" on Jul 7, 2022
@imjasonh (Member) commented Jul 7, 2022

@laurentsimon possibly superseding #730?

@developer-guy (Collaborator, Author)

ah 🤦 I've missed that issue

@imjasonh (Member) commented Jul 7, 2022

To clarify, I think this PR may be on a better track than #730, which AIUI is blocked on goreleaser including provenance generation itself. The alternative in #730 is to fork our goreleaser process to use the SLSA trusted builder, but I'd rather not have us diverge from standard vanilla goreleaser that much.

@developer-guy developer-guy reopened this Jul 7, 2022
@codecov-commenter
Codecov Report

Merging #753 (98c2c67) into main (9139f45) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main     #753   +/-   ##
=======================================
  Coverage   51.19%   51.19%           
=======================================
  Files          44       44           
  Lines        3313     3313           
=======================================
  Hits         1696     1696           
  Misses       1404     1404           
  Partials      213      213           


@laurentsimon (Contributor) commented Jul 7, 2022

We're working on a solution that will help you keep GoReleaser and attach provenance to it, see https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/generic#provenance-for-goreleaser

TL;DR: it will let you build yourself (so no change needed to your GoReleaser config), and the generator will attest to the origin of the repo ("provenance" requirement in SLSA https://slsa.dev/spec/v0.1/requirements). This won't satisfy the "build" requirements of SLSA, but it's still a good improvement.

We'll release this provenance generator this month. Later, when our Go builder has feature parity (or close to) with GoReleaser, we can discuss Go builder :)

Wdyt?

@imjasonh (Member) commented Jul 7, 2022

Sounds good to me. I'm glad so many folks are looking into improving the SLSAbility of these release workflows, and I'm happy to just ride that wave 🏄

@laurentsimon (Contributor) commented Jul 26, 2022

I updated my original #730 and just realized your PR does the same thing :) We released the generic generator today, and it supports uploading the provenance using upload-assets: true, so the workflow need not do it itself anymore.

Let me know if I should drop my PR and let this one go through, or the other way around.
I'm excited either way :)!

One thing I would add is a mention in the README to tell users how to verify binaries they download.
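The thread above discusses two halves of the same flow: the release job hands the generator a `base64-subjects` value (the base64 encoding of `sha256sum` output over the release artifacts), the generator wraps those subjects in a signed SLSA provenance statement, and a user who downloads a binary checks it against that statement. The following Go program is an added example written for this page; it is not code from ko, goreleaser or slsa-github-generator. It builds the `base64-subjects` value from constructed artifact bytes, stands in for the generator with an unsigned DSSE envelope (assumption: the builder ID string, and the omission of the `signatures` array, which in real use is checked against Sigstore by slsa-verifier), and then performs the consumer-side check: predicate type, trusted builder ID, and a subject whose sha256 matches the downloaded bytes. The artifact names and contents are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Subject and Statement are the subset of the in-toto statement these checks look at.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Statement struct {
	PredicateType string    `json:"predicateType"`
	Subject       []Subject `json:"subject"`
	Predicate     struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"predicate"`
}

// Envelope is the DSSE envelope; its "signatures" (Sigstore, checked by slsa-verifier) are not modelled.
type Envelope struct {
	PayloadType string `json:"payloadType"`
	Payload     string `json:"payload"` // base64 of the Statement JSON
}

const (
	provenanceType = "https://slsa.dev/provenance/v0.2"
	payloadType    = "application/vnd.in-toto+json"
	// Assumption: the builder ID a consumer trusts when the generic generator is used at tag v1.2.0.
	trustedBuilder = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"
)

// Base64Subjects renders artifacts as base64-subjects expects: `sha256sum` lines, base64-encoded.
func Base64Subjects(artifacts map[string][]byte) string {
	var lines string
	for name, data := range artifacts { // line order does not matter to the generator
		lines += fmt.Sprintf("%x  %s\n", sha256.Sum256(data), name)
	}
	return base64.StdEncoding.EncodeToString([]byte(lines))
}

// MakeEnvelope is a constructed stand-in for the generator: it validates the sha256sum lines,
// turns them into subjects and wraps them in an unsigned provenance statement.
func MakeEnvelope(b64 string) ([]byte, error) {
	raw, _ := base64.StdEncoding.DecodeString(b64) // undecodable input fails the line check below
	st := Statement{PredicateType: provenanceType}
	st.Predicate.Builder.ID = trustedBuilder
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		f := strings.Fields(line)
		if len(f) != 2 || len(f[0]) != 2*sha256.Size {
			return nil, fmt.Errorf("not a sha256sum line: %q", line)
		}
		st.Subject = append(st.Subject, Subject{Name: f[1], Digest: map[string]string{"sha256": f[0]}})
	}
	payload, _ := json.Marshal(st)
	return json.Marshal(Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(payload)})
}

// VerifyArtifact returns nil only if envelopeJSON is a SLSA v0.2 provenance from the trusted
// builder whose subject list contains name with a sha256 equal to the bytes actually downloaded.
func VerifyArtifact(envelopeJSON []byte, name string, data []byte) error {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return err
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	var st Statement
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	if env.PayloadType != payloadType || st.PredicateType != provenanceType {
		return fmt.Errorf("not a SLSA v0.2 provenance: %q / %q", env.PayloadType, st.PredicateType)
	}
	if st.Predicate.Builder.ID != trustedBuilder {
		return fmt.Errorf("untrusted builder %q", st.Predicate.Builder.ID)
	}
	got := fmt.Sprintf("%x", sha256.Sum256(data))
	for _, s := range st.Subject {
		if s.Name == name && s.Digest["sha256"] == got {
			return nil
		}
	}
	return fmt.Errorf("%s with sha256 %s is not a subject of this provenance", name, got)
}

func main() {
	env, _ := MakeEnvelope(Base64Subjects(map[string][]byte{"ko.tar.gz": []byte("constructed archive")}))
	fmt.Println(VerifyArtifact(env, "ko.tar.gz", []byte("constructed archive")), VerifyArtifact(env, "ko.tar.gz", []byte("tampered")))
}
```

The builder-ID comparison is the part that turns a digest match into a SLSA claim: a statement that lists the right sha256 but names some other workflow as its builder says nothing about how the artifact was produced. In real use the envelope also has to pass signature verification, and slsa-verifier additionally ties the signing identity to the source repository, which this example does not attempt.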

actions: read
id-token: write
contents: read
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.1.1
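Review bot: with `contents: read` this job cannot attach anything to a GitHub release, so if the reusable workflow is asked to upload the provenance itself (the `upload-assets: true` suggestion made later in this review), the permission needs to be `contents: write`; adding a release asset is a write to the repository's releases. `actions: read` and `id-token: write` are right as they stand: the first lets the generator read the calling workflow, the second mints the OIDC token used for keyless signing.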
Inline review comment (Contributor):

v1.2.0 is the release to use to support the generic generator.

base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"

# This step creates a GitHub release with our provenance.
release-provenance:
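Review bot: `base64-subjects` has to be the base64 encoding of `sha256sum`-style lines (hex digest, two spaces, file name) over exactly the files that end up attached to the release. The goreleaser job is not shown in this excerpt, so confirm it declares `hashes` under `outputs:` and computes it from the artifacts in `dist/` (goreleaser's checksums file already contains lines in that format), not from the source tree; otherwise the provenance subjects will not match what users download. The separate `release-provenance` job that follows is only needed if the generator is not asked to upload the provenance itself.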
Inline review comment (Contributor):

no longer necessary, you can use:

with:
  base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
  upload-assets: true

@imjasonh (Member)

#730 was merged, closing this

Please feel free to reopen this or open a new issue if there's anything else we should do on top of #730

@imjasonh imjasonh closed this Aug 19, 2022