
Upgrade to SLSA Level 3 with build provenance attestation #62


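name: Enterprise Release System (SLSA L3)

on:
  push:
    branches: [ main ]
  workflow_dispatch:
    inputs:
      version:
        description: "Manual version (optional, must match vMAJOR.MINOR.PATCH)"
        required: false
        default: ""
      publish:
        description: "Publish Release"
        required: true
        type: boolean
        default: false

# Least privilege: the workflow-level default is read-only and each job asks
# for exactly the scopes it needs. The original granted contents: write and
# id-token: write to every job, including the secret scanners.
permissions:
  contents: read

concurrency:
  group: enterprise-${{ github.ref }}
  # Never abort a run that may be midway through creating a tag/release;
  # a queued run waits instead of leaving a half-published release behind.
  cancel-in-progress: false

env:
  MODULE_ID: ColorOS-Themes-Rock

# NOTE(review): the third-party actions below are referenced by mutable tags
# (@v4, @v2). For a pipeline that claims SLSA L3, pin each to a full commit
# SHA (tag kept in a trailing comment) so a moved tag cannot change what runs
# here. The SHAs are intentionally not filled in by this review.
jobs:
  security:
    name: Security Validation (Hardened)
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history so gitleaks scans commits, not only the checkout tree.
          fetch-depth: 0
      - name: Run Gitleaks Scan
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Fallback Pattern Scan
        # Reports only the offending file names. The original `grep -n`
        # printed the matching line, i.e. the secret itself, into the run log.
        run: |
          if hits=$(grep -RIlE --exclude-dir=.git \
              'AKIA[0-9A-Z]{16}|AIza[0-9A-Za-z\-]{35}|-----BEGIN (RSA|OPENSSH) PRIVATE KEY-----' .); then
            echo "Hard secret detected in:"
            echo "$hits"
            exit 1
          fi
      - name: Required Files Check
        # Existence check only; nothing here verifies the files' contents.
        run: |
          test -f scripts/package.sh
          test -f module.prop

  build:
    name: Build
    needs: security
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      # $GITHUB_ENV is job-scoped: the original release job read an empty
      # MODULE_VERSION. Job outputs are the supported way to pass it on.
      version: ${{ steps.version.outputs.version }}
      # Base64-encoded `sha256sum` output over the released zips; this is the
      # subject list the SLSA generator signs.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install tools
        run: |
          sudo apt-get update
          sudo apt-get install -y zip coreutils
      - name: Resolve version
        id: version
        env:
          # Passed through the environment instead of `${{ inputs.version }}`
          # inside the script, so a crafted input cannot inject shell syntax.
          INPUT_VERSION: ${{ inputs.version }}
          EVENT_NAME: ${{ github.event_name }}
        run: |
          if [[ "$EVENT_NAME" == "workflow_dispatch" && -n "$INPUT_VERSION" ]]; then
            VERSION="$INPUT_VERSION"
          else
            git fetch --tags
            # Anchored to plain vX.Y.Z: a pre-release tag such as v1.2.3-rc1
            # would otherwise reach the arithmetic below and abort the job.
            LATEST=$(git tag --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -n 1 || true)
            LATEST="${LATEST:-v0.0.0}"
            IFS='.' read -r MAJOR MINOR PATCH <<< "${LATEST#v}"
            PATCH=$((PATCH+1))
            VERSION="v${MAJOR}.${MINOR}.${PATCH}"
          fi
          # The value becomes a git tag and a release name: reject anything
          # that is not a plain vMAJOR.MINOR.PATCH string.
          if ! [[ "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Refusing unexpected version string: $VERSION" >&2
            exit 1
          fi
          echo "MODULE_VERSION=$VERSION" >> "$GITHUB_ENV"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
      - name: Build Module
        run: bash scripts/package.sh
      - name: Generate SBOM
        # NOTE(review): this is a hand-written placeholder, not a generated
        # SBOM (no SPDX/CycloneDX tooling runs here). It does not inventory
        # what scripts/package.sh actually bundles.
        run: |
          echo "SBOM for $MODULE_VERSION" > dist/SBOM.txt
          echo "Dependencies: zip, bash, coreutils" >> dist/SBOM.txt
      - name: Generate Checksums
        id: hash
        run: |
          cd dist
          shopt -s nullglob
          zips=(*.zip)
          if [ "${#zips[@]}" -eq 0 ]; then
            echo "scripts/package.sh produced no .zip artifact" >&2
            exit 1
          fi
          for f in "${zips[@]}"; do
            sha256sum "$f" > "$f.sha256"
          done
          echo "hashes=$(sha256sum "${zips[@]}" | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Upload Artifact
        uses: actions/upload-artifact@v4
        with:
          name: enterprise-${{ env.MODULE_VERSION }}
          path: dist/*

  # SLSA L3 requires provenance produced by an isolated, trusted builder: a
  # separate job, not a step inside the job that ran the build. The original
  # invoked slsa-github-generator as a step (`uses: ...@v2` with an
  # artifact-path input); the generator is consumed as a reusable workflow,
  # and an in-job step cannot yield L3 provenance.
  provenance:
    name: SLSA Provenance
    needs: build
    permissions:
      actions: read     # the generator reads the workflow run
      id-token: write   # Sigstore keyless signing
      contents: write   # required by the generator
    # Referenced by a full semver tag: per the generator's README it must be
    # pinned to a vX.Y.Z tag (it verifies its own reference), not a commit
    # SHA. Confirm v2.0.0 is the release you intend before relying on it.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}

  release:
    name: Publish Release
    needs: [build, provenance]
    runs-on: ubuntu-latest
    # Tag pushes never reach this workflow (on.push is restricted to main), so
    # in practice only a manual dispatch with publish=true publishes anything.
    if: startsWith(github.ref, 'refs/tags/') || inputs.publish == true
    environment:
      name: production
    permissions:
      contents: write   # creates the tag and the release
    env:
      MODULE_VERSION: ${{ needs.build.outputs.version }}
    steps:
      - uses: actions/checkout@v4
        with:
          # The notes list the last 20 commits; a depth-1 checkout holds one.
          fetch-depth: 0
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: enterprise-${{ env.MODULE_VERSION }}
          path: dist
      - name: Download provenance
        uses: actions/download-artifact@v4
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
          path: dist
      - name: Verify checksums
        # Makes the "Checksums verified" line below true: the files about to
        # be published must match the digests the build job recorded.
        run: |
          cd dist
          sha256sum -c -- *.sha256
      - name: Generate Release Notes
        run: |
          {
            echo "# Enterprise SLSA L3 Release $MODULE_VERSION"
            echo "## Changes"
            git log -n 20 --pretty=format:'- %s' || true
            echo
            echo "## Security"
            echo "- SBOM included (placeholder manifest, not tool-generated)"
            echo "- Checksums verified"
            echo "- SLSA Level 3 provenance attached"
          } > RELEASE_NOTES.md
      - name: Publish GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ env.MODULE_VERSION }}
          name: ColorOS Themes SLSA L3 ${{ env.MODULE_VERSION }}
          body_path: RELEASE_NOTES.md
          files: dist/*
          draft: false
          prerelease: false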