github.com/yogeshkumararora/slsa-github-generator@v1.10.1-0.20240520161934-11278bd5afb4/RELEASE.md

# How to cut a release

This document describes the release process for the slsa-github-generator repository.

---

<!-- markdown-toc --bullets="-" -i RELEASE.md -->

<!-- toc -->

- [Prerequisites](#prerequisites)
- [Release candidate](#release-candidate)
  - [Update CHANGELOG](#update-changelog)
  - [Update dependencies](#update-dependencies)
  - [RC tagging](#rc-tagging)
  - [Verify RC version references](#verify-rc-version-references)
  - [Adversarial verifier tests](#adversarial-verifier-tests)
    - [Go builder verifier test](#go-builder-verifier-test)
    - [Generic generator verifier test](#generic-generator-verifier-test)
    - [Container generator verifier test](#container-generator-verifier-test)
    - [Container-based builder verifier test](#container-based-builder-verifier-test)
  - [Adversarial builder tests](#adversarial-builder-tests)
    - [Adversarial Go builder](#adversarial-go-builder)
    - [Adversarial generic generator](#adversarial-generic-generator)
    - [Adversarial container generator](#adversarial-container-generator)
    - [Adversarial container-based builder](#adversarial-container-based-builder)
  - [Finalize release candidate](#finalize-release-candidate)
  - [Code Freeze](#code-freeze)
- [Finalize release](#finalize-release)
  - [Update CHANGELOG](#update-changelog-1)
  - [Release tagging](#release-tagging)
  - [Verify final version references](#verify-final-version-references)
  - [Final adversarial tests](#final-adversarial-tests)
  - [Reference Actions at main](#reference-actions-at-main)
  - [Update verifier](#update-verifier)
  - [Finish the release](#finish-the-release)
  - [Update SECURITY.md](#update-securitymd)
  - [Update the starter workflows](#update-the-starter-workflows)
  - [Announce](#announce)

<!-- tocstop -->

---

## Prerequisites

Set up the environment variables used throughout this document:

```shell
export GITHUB_USERNAME="laurentsimon"
# This is the existing slsa-verifier version used by the builder. (https://github.com/yogeshkumararora/slsa-github-generator/blob/main/.github/actions/generate-builder/action.yml#L55)
export VERIFIER_TAG="v2.1.0"
export VERIFIER_REPOSITORY="$GITHUB_USERNAME/slsa-verifier"
# Release tag of the builder we want to release. Release candidates end with "-rc.#".
export BUILDER_TAG="v1.5.0-rc.0"
# Branch name for our test.
export BUILDER_REF="release/bad-verifier-$BUILDER_TAG"
export BUILDER_REPOSITORY="$GITHUB_USERNAME/slsa-github-generator"
export GH=/path/to/gh
GH_TOKEN=$("$GH" auth token)
export GH_TOKEN
```

## Release candidate

The first step in creating a release is to create a release candidate. Release candidates exercise the release and testing process.

If any test fails for a release candidate, address the issue, increment the release candidate number and create a new release candidate.

### Update CHANGELOG

Finalize the [CHANGELOG](./CHANGELOG.md) entry for the release candidate, noting changes since the last release or release candidate.

### Update dependencies

In order to minimize vulnerabilities in releases, merge as many of the
[outstanding PRs from Renovate](https://github.com/yogeshkumararora/slsa-github-generator/pulls/renovate-bot)
as possible. Renovate PRs that update major versions can be skipped.

### RC tagging

Create a new tag for the release candidate via [yogeshkumararora/slsa-github-generator/releases/new](https://github.com/yogeshkumararora/slsa-github-generator/releases/new). The tag _MUST_ be a "canonical" [semantic version](https://semver.org/) without metadata (`$BUILDER_TAG`). Shorter versions (such as `v1.5`) are not accepted by the builder's and verifier's code.

Release candidates should include a suffix indicating the release candidate number, of the form `-rc.#` where `#` is a number starting from `0`.

1. Set the title to `$BUILDER_TAG`.
2. Add the following description.

   ```text
   **This is an un-finalized pre-release.**

   See the [CHANGELOG](./CHANGELOG.md) for details.
   ```

3. Tick the `This is a pre-release` option.
4. Click `Publish release`.

This will trigger the [release workflow](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml). Cancel it in the [UI](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml).

### Verify RC version references

Update version references with the following commands (the first rewrites every `uses:` reference to this repository's workflows and actions; the second rewrites the `ref:` inputs of the Maven builder):

```shell
find .github/workflows/ .github/actions/ actions/ internal/builders/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/uses: slsa-framework\/slsa-github-generator\/\(.*\)@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: slsa-framework\/slsa-github-generator\/\1@$BUILDER_TAG/"
find actions/maven/ internal/builders/maven/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/\(ref:[ ]*\)\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/\1$BUILDER_TAG/"
```

Send a PR with this update and add the following to the PR description.

```text
#label:release ${BUILDER_TAG}
```

Once the PR is merged, immediately update the tag to point to HEAD.

```shell
git tag $BUILDER_TAG -f
git push origin $BUILDER_TAG -f
```

This will trigger the [release workflow](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml). Ensure this workflow succeeds and that the release assets are updated.
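As an added check that is not part of the release tooling itself, the Python script below reimplements the two `sed` rewrites above and then scans the result for any reference that is still not pinned at `$BUILDER_TAG`; it also enforces the canonical tag form the `sed` patterns assume (`vX.Y.Z` or `vX.Y.Z-rc.N`). The `SAMPLE_YAML` input is constructed for the example, and the `ref:` rewrite is only meant for the Maven files the second `sed` command targets.

```python
import re

# Tag forms the release process accepts (the same pattern the sed commands
# above match): "vX.Y.Z" or "vX.Y.Z-rc.N". Build metadata and shortened
# forms such as "v1.5" are rejected.
TAG_RE = re.compile(r"^v[0-9]+\.[0-9]+\.[0-9]+(?:-rc\.[0-9]+)?$")
# References the sed commands rewrite: `main` or a version tag.
VERSION = r"(?:main|v[0-9]+\.[0-9]+\.[0-9]+(?:-rc\.[0-9]+)?)"

# `uses:` lines that reference this repository's reusable workflows or actions.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*slsa-framework/slsa-github-generator/(?P<path>[^@\s]+)@(?P<ref>\S+)"
)
# `ref:` inputs, as used by the Maven action/builder files.
REF_RE = re.compile(r"^\s*(?:-\s+)?ref:\s*(?P<ref>\S+)\s*$")

# Constructed sample: two references to this repository (one at main, one at
# an old tag), a third-party action that must be left alone, and a
# Maven-style `ref:` input.
SAMPLE_YAML = """\
jobs:
  build:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@main
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
  checkout:
    uses: actions/checkout@v4
  maven:
    with:
      ref: v1.4.0-rc.1
"""


def is_canonical_tag(tag: str) -> bool:
    """True for vX.Y.Z or vX.Y.Z-rc.N, the only forms the builder accepts."""
    return TAG_RE.match(tag) is not None


def pin_references(yaml_text: str, builder_tag: str) -> str:
    """Python equivalent of the two sed commands: re-point every
    slsa-github-generator `uses:` reference and every `ref:` input that is
    at `main` or at a version tag to `builder_tag`."""
    if not is_canonical_tag(builder_tag):
        raise ValueError(f"not a canonical release tag: {builder_tag!r}")
    uses_pat = re.compile(
        r"(uses:[ \t]*slsa-framework/slsa-github-generator/[^@\s]+@)" + VERSION
    )
    ref_pat = re.compile(
        r"^([ \t]*(?:-[ \t]+)?ref:[ \t]*)" + VERSION + r"[ \t]*$", re.MULTILINE
    )
    yaml_text = uses_pat.sub(lambda m: m.group(1) + builder_tag, yaml_text)
    yaml_text = ref_pat.sub(lambda m: m.group(1) + builder_tag, yaml_text)
    return yaml_text


def stale_references(yaml_text: str, builder_tag: str) -> list:
    """Post-rewrite check: (line number, ref) for every reference that is
    not pinned at `builder_tag`. An empty list means the rewrite was complete."""
    stale = []
    for lineno, line in enumerate(yaml_text.splitlines(), start=1):
        m = USES_RE.match(line) or REF_RE.match(line)
        if m and m.group("ref") != builder_tag:
            stale.append((lineno, m.group("ref")))
    return stale


if __name__ == "__main__":
    tag = "v1.5.0-rc.0"
    print("stale before rewrite:", stale_references(SAMPLE_YAML, tag))
    pinned = pin_references(SAMPLE_YAML, tag)
    print("stale after rewrite: ", stale_references(pinned, tag))
```

Running `stale_references` over the real workflow files after the `sed` step (before sending the PR) catches a reference the pattern missed, for example one that was already at a different tag form; anything it reports must be fixed by hand.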
### Adversarial verifier tests

There is one integration test we cannot easily run "live", so we simulate it by changing the code: a malicious verifier binary in the release assets. The builder checks the hash of the slsa-verifier binary it downloads, and we want to be sure the build fails if that binary is tampered with. For this:

1. Create a new release for your fork of the slsa-verifier repository with a malicious binary.

   Create the release. Note that this triggers a release workflow: cancel it in the GitHub UI.

   ```shell
   "$GH" release -R "$VERIFIER_REPOSITORY" create "$VERIFIER_TAG" --title "$VERIFIER_TAG" --notes "pre-release tests for builder $BUILDER_TAG $(date)"
   ```

   Simulate uploading a malicious binary.

   ```shell
   echo hello > slsa-verifier-linux-amd64
   "$GH" release -R "$VERIFIER_REPOSITORY" upload "$VERIFIER_TAG" slsa-verifier-linux-amd64
   ```

2. Ensure your fork of the builder is at the same commit hash as the official builder's `$BUILDER_TAG` release.
3. Create a new branch:

   ```shell
   git checkout -b "$BUILDER_REF"
   ```

4. Update the file `.github/actions/generate-builder/action.yml` by replacing the `slsa-framework` owner in the `BUILDER_REPOSITORY` and `VERIFIER_REPOSITORY` values with your own username (the value of `$GITHUB_USERNAME`). Then push the changes.

   ```shell
   sed -i "s/BUILDER_REPOSITORY: slsa-framework\/slsa-github-generator/BUILDER_REPOSITORY: ${GITHUB_USERNAME}\/slsa-github-generator/" .github/actions/generate-builder/action.yml
   sed -i "s/VERIFIER_REPOSITORY: slsa-framework\/slsa-verifier/VERIFIER_REPOSITORY: ${GITHUB_USERNAME}\/slsa-verifier/" .github/actions/generate-builder/action.yml
   ```

5. For the Go builder, update the file `.github/workflows/builder_go_slsa3.yml` so that the `generate-builder` step reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/actions/generate-builder@$BUILDER_TAG
   ```

   using this command:

   ```shell
   sed -i "s/uses: slsa-framework\/slsa-github-generator\/\.github\/actions\/generate-builder@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: ${BUILDER_REPOSITORY/\//\/}\/.github\/actions\/generate-builder@${BUILDER_TAG}/" .github/workflows/builder_go_slsa3.yml
   ```

   Add `testing: true` as an input.

6. For the Generic generator, update the file `.github/workflows/generator_generic_slsa3.yml` so that the `generate-builder` step reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/actions/generate-builder@$BUILDER_TAG
   ```

   using this command:

   ```shell
   sed -i "s/uses: slsa-framework\/slsa-github-generator\/\.github\/actions\/generate-builder@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: ${BUILDER_REPOSITORY/\//\/}\/.github\/actions\/generate-builder@${BUILDER_TAG}/" .github/workflows/generator_generic_slsa3.yml
   ```

   Add `testing: true` as an input.

7. For the Container generator, update the file `.github/workflows/generator_container_slsa3.yml` so that the `generate-builder` step reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/actions/generate-builder@$BUILDER_TAG
   ```

   using this command:

   ```shell
   sed -i "s/uses: slsa-framework\/slsa-github-generator\/\.github\/actions\/generate-builder@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: ${BUILDER_REPOSITORY/\//\/}\/.github\/actions\/generate-builder@${BUILDER_TAG}/" .github/workflows/generator_container_slsa3.yml
   ```

   Add `testing: true` as an input.

8. For the Container-based builder, update the file `.github/workflows/builder_container-based_slsa3.yml` so that the `generate-builder` step reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/actions/generate-builder@$BUILDER_TAG
   ```

   using this command:

   ```shell
   sed -i "s/uses: slsa-framework\/slsa-github-generator\/\.github\/actions\/generate-builder@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: ${BUILDER_REPOSITORY/\//\/}\/.github\/actions\/generate-builder@${BUILDER_TAG}/" .github/workflows/builder_container-based_slsa3.yml
   ```

   Add `testing: true` as an input.

9. Commit and push the changes.

10. Create a release of the builders from this branch:

    ```shell
    "$GH" release -R "$BUILDER_REPOSITORY" create "$BUILDER_TAG" --title "$BUILDER_TAG" --notes "pre-release tests for $BUILDER_TAG $(date)" --target "$BUILDER_REF"
    ```

    This will trigger the release workflow; let it complete so that it generates the release assets.

#### Go builder verifier test

1. Edit the file [slsa-framework/example-package/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) so that, with `$BUILDER_REPOSITORY` and `$BUILDER_TAG` substituted, the `uses:` line reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/workflows/builder_go_slsa3.yml@$BUILDER_TAG
   ```

2. Run the test manually via the GitHub UI in [https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) by clicking `Run workflow`.
3. Verify the run fails with the log message below. The reported hash is the SHA-256 of the `hello` file uploaded in place of the verifier, so a different value means the workflow did not download the tampered asset.

   ```text
   verifier hash computed is 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
   Error: Process completed with exit code 4.
   ```

#### Generic generator verifier test

1. Edit the file [slsa-framework/example-package/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) so that, with `$BUILDER_REPOSITORY` and `$BUILDER_TAG` substituted, the `uses:` line reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/workflows/generator_generic_slsa3.yml@$BUILDER_TAG
   ```

2. Run the test manually via the GitHub UI in [https://github.com/slsa-framework/example-package/actions/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) by clicking `Run workflow`.
3. Verify the run fails with the log message:

   ```text
   verifier hash computed is 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
   Error: Process completed with exit code 4.
   ```

#### Container generator verifier test

1. Edit the file [slsa-framework/example-package/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) so that, with `$BUILDER_REPOSITORY` and `$BUILDER_TAG` substituted, the `uses:` line reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/workflows/generator_container_slsa3.yml@$BUILDER_TAG
   ```

2. Run the test manually via the GitHub UI in
   [https://github.com/slsa-framework/example-package/actions/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml)
   by clicking `Run workflow`.

3. Verify the run fails with the log message:

   ```text
   verifier hash computed is 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
   Error: Process completed with exit code 4.
   ```

#### Container-based builder verifier test

1. Edit the file [slsa-framework/example-package/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml) so that, with `$BUILDER_REPOSITORY` and `$BUILDER_TAG` substituted, the `uses:` line reads:

   ```yaml
   uses: $BUILDER_REPOSITORY/.github/workflows/builder_container-based_slsa3.yml@$BUILDER_TAG
   ```

2. Run the test manually via the GitHub UI in
   [https://github.com/slsa-framework/example-package/actions/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml)
   by clicking `Run workflow`.

3. Verify the run fails with the log message:

   ```text
   verifier hash computed is 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
   Error: Process completed with exit code 4.
   ```

### Adversarial builder tests

End-to-end tests run daily in [github.com/slsa-framework/example-package/.github/workflows/](https://github.com/slsa-framework/example-package/tree/main/.github/workflows) and contain adversarial tests (a developer tampers with the artifacts the builders use). All of these adversarial tests compile the builder from source (`compile-builder: true`). We also need to verify that the workflow detects a tampered builder binary when `compile-builder: false` (the default), i.e. when the pre-built binary is downloaded from the release assets and verified against its provenance.

#### Adversarial Go builder

1. Make sure you have downloaded the `$BUILDER_TAG` builder's binary `slsa-builder-go-linux-amd64` locally, either via the web UI or via:

   ```shell
   "$GH" release -R yogeshkumararora/slsa-github-generator download "$BUILDER_TAG" -p "slsa-builder-go-linux-amd64"
   mv slsa-builder-go-linux-amd64 slsa-builder-go-linux-amd64-"$BUILDER_TAG".original
   ```

2. Upload a different binary to the assets:

   ```shell
   echo hello > slsa-builder-go-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-builder-go-linux-amd64 --clobber
   ```

3. Update the builder reference in the workflow
   [slsa-framework/example-package/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   to the `$BUILDER_TAG` under test.

4. Trigger the test in [slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml) by clicking `Run workflow`. Verify that it fails with a message of the form:

   ```text
   verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
   verifier hash verification has passed
   ...
   FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03', got 'e8af48495ca3c5a7737b4a34322afc7e95a85cf1457a37473fb81cff9b4f0d05': binary artifact hash does not match provenance subject
   Error: Process completed with exit code 6.
   ```

   Note that the verifier's own hash check passes here (the genuine slsa-verifier is used); it is the provenance check on the downloaded builder binary that must fail.

5. If the test above failed with the expected message, re-upload the original binary to the assets, e.g. via:

   ```shell
   mv slsa-builder-go-linux-amd64-"$BUILDER_TAG".original slsa-builder-go-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-builder-go-linux-amd64 --clobber
   ```

6. Re-run the workflow above and verify that it succeeds. (TODO: https://github.com/yogeshkumararora/slsa-github-generator/issues/116).

   If it does not, delete the release, fix the bug and restart the release process at the top of this page.

#### Adversarial generic generator

1. Make sure you have downloaded the `$BUILDER_TAG` builder's binary `slsa-generator-generic-linux-amd64` locally, either via the web UI or via:

   ```shell
   "$GH" release -R yogeshkumararora/slsa-github-generator download "$BUILDER_TAG" -p "slsa-generator-generic-linux-amd64"
   mv slsa-generator-generic-linux-amd64 slsa-generator-generic-linux-amd64-"$BUILDER_TAG".original
   ```

2. Upload a different binary to the assets:

   ```shell
   echo hello > slsa-generator-generic-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-generator-generic-linux-amd64 --clobber
   ```

3. Update the builder reference in the workflow
   [slsa-framework/example-package/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   to the `$BUILDER_TAG` under test.

4. Trigger the test in
   [slsa-framework/example-package/actions/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   by clicking `Run workflow`. Verify that it fails with a message of the form:

   ```text
   verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
   verifier hash verification has passed
   ...
   FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03', got 'e8af48495ca3c5a7737b4a34322afc7e95a85cf1457a37473fb81cff9b4f0d05': binary artifact hash does not match provenance subject
   Error: Process completed with exit code 6.
   ```

5. If the test above failed with the expected message, re-upload the original binary to the assets, e.g. via:

   ```shell
   mv slsa-generator-generic-linux-amd64-"$BUILDER_TAG".original slsa-generator-generic-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-generator-generic-linux-amd64 --clobber
   ```

6. Re-run the workflow above and verify that it succeeds. (TODO: https://github.com/yogeshkumararora/slsa-github-generator/issues/116).

   If it does not, delete the release, fix the bug and restart the release process at the top of this page.

#### Adversarial container generator

1. Make sure you have downloaded the `$BUILDER_TAG` builder's binary `slsa-generator-container-linux-amd64` locally, either via the web UI or via:

   ```shell
   "$GH" release -R yogeshkumararora/slsa-github-generator download "$BUILDER_TAG" -p "slsa-generator-container-linux-amd64"
   mv slsa-generator-container-linux-amd64 slsa-generator-container-linux-amd64-"$BUILDER_TAG".original
   ```

2. Upload a different binary to the assets:

   ```shell
   echo hello > slsa-generator-container-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-generator-container-linux-amd64 --clobber
   ```

3. Update the builder reference in the workflow
   [slsa-framework/example-package/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   to the `$BUILDER_TAG` under test.

4. Trigger the test in
   [slsa-framework/example-package/actions/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   by clicking `Run workflow`. Verify that it fails with a message of the form:

   ```text
   verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
   verifier hash verification has passed
   ...
   FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03', got 'e8af48495ca3c5a7737b4a34322afc7e95a85cf1457a37473fb81cff9b4f0d05': binary artifact hash does not match provenance subject
   Error: Process completed with exit code 6.
   ```

5. If the test above failed with the expected message, re-upload the original binary to the assets, e.g. via:

   ```shell
   mv slsa-generator-container-linux-amd64-"$BUILDER_TAG".original slsa-generator-container-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-generator-container-linux-amd64 --clobber
   ```

6. Re-run the workflow above and verify that it succeeds. (TODO: https://github.com/yogeshkumararora/slsa-github-generator/issues/116).

   If it does not, delete the release, fix the bug and restart the release process at the top of this page.

#### Adversarial container-based builder

1. Make sure you have downloaded the `$BUILDER_TAG` builder's binary `slsa-builder-docker-linux-amd64` locally, either via the web UI or via:

   ```shell
   "$GH" release -R yogeshkumararora/slsa-github-generator download "$BUILDER_TAG" -p "slsa-builder-docker-linux-amd64"
   mv slsa-builder-docker-linux-amd64 slsa-builder-docker-linux-amd64-"$BUILDER_TAG".original
   ```

2. Upload a different binary to the assets:

   ```shell
   echo hello > slsa-builder-docker-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-builder-docker-linux-amd64 --clobber
   ```

3. Update the builder reference in the workflow
   [slsa-framework/example-package/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   to the `$BUILDER_TAG` under test.

4. Trigger the test in
   [slsa-framework/example-package/actions/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml)
   by clicking `Run workflow`. Verify that it fails with a message of the form:

   ```text
   verifier hash computed is 60c91c9d5b9a059e37ac46da316f20c81da335b5d00e1f74d03dd50f819694bd
   verifier hash verification has passed
   ...
   FAILED: SLSA verification failed: expected hash '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03', got 'e8af48495ca3c5a7737b4a34322afc7e95a85cf1457a37473fb81cff9b4f0d05': binary artifact hash does not match provenance subject
   Error: Process completed with exit code 6.
   ```

5. If the test above failed with the expected message, re-upload the original binary to the assets, e.g. via:

   ```shell
   mv slsa-builder-docker-linux-amd64-"$BUILDER_TAG".original slsa-builder-docker-linux-amd64
   "$GH" release -R yogeshkumararora/slsa-github-generator upload "$BUILDER_TAG" slsa-builder-docker-linux-amd64 --clobber
   ```

6. Re-run the workflow above and verify that it succeeds. (TODO: https://github.com/yogeshkumararora/slsa-github-generator/issues/116).

   If it does not, delete the release, fix the bug and restart the release process at the top of this page.

### Finalize release candidate

Remove the "This is an un-finalized pre-release." note from the release description.

### Code Freeze

Code freeze the repository for 1-2 days.

After the code freeze, verify that all the e2e tests in
[github.com/slsa-framework/example-package/.github/workflows/](https://github.com/slsa-framework/example-package/tree/main/.github/workflows)
are passing. (They run daily.)

## Finalize release

Once the code freeze is complete, you may create the final release.

Update your `BUILDER_TAG` environment variable to the final release tag.

```shell
export BUILDER_TAG="vX.Y.Z"
```

### Update CHANGELOG

Finalize the [CHANGELOG](./CHANGELOG.md) entry for the release, noting changes since the last final release (not including release candidates).
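Both families of adversarial tests above exercise a hash comparison that must fail closed: the verifier tests replace the slsa-verifier asset and expect the builder's hash check to reject it, and the builder tests replace the builder asset and expect slsa-verifier to report that the artifact hash does not match the provenance subject. The Python script below is an added example, not code from slsa-github-generator or slsa-verifier: it replays both checks on constructed files. The DSSE envelope it builds is unsigned and the example deliberately does not verify signatures (slsa-verifier does that through Sigstore); the stand-in binary contents, the envelope builder and the `demo` helper are all constructed for illustration. The one value taken from the page is the hash the expected log excerpts report, which is the SHA-256 of the `hello` line that `echo hello > ...` writes.

```python
import base64
import hashlib
import json
import os
import tempfile

# SHA-256 of the line "hello\n" that `echo hello > <asset>` writes. It is the
# value the expected log excerpts on this page report for the tampered asset.
HELLO_SHA256 = "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03"


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_pinned_hash(path: str, pinned_sha256: str) -> bool:
    """Check exercised by the adversarial *verifier* tests: a downloaded
    slsa-verifier binary is only run if its hash equals the pinned value."""
    computed = sha256_file(path)
    print(f"verifier hash computed is {computed}")
    return computed == pinned_sha256


def make_envelope(subject_name: str, sha256_hex: str) -> str:
    """Constructed, UNSIGNED DSSE envelope in the .intoto.jsonl shape the
    generator publishes; `signatures` is left empty because this example
    does not cover Sigstore verification."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex}}],
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "predicate": {},
    }
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
        "signatures": [],
    }
    return json.dumps(envelope)


def provenance_subject_digests(envelope_text: str) -> dict:
    """Decode a DSSE envelope and return {subject name: sha256}.
    The signature is NOT verified here; slsa-verifier does that."""
    envelope = json.loads(envelope_text)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    return {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}


def verify_subject(path: str, envelope_text: str, subject_name: str) -> bool:
    """Check exercised by the adversarial *builder* tests: the downloaded
    builder binary must hash to the provenance subject of the same name."""
    want = provenance_subject_digests(envelope_text).get(subject_name)
    got = sha256_file(path)
    if want is None or got != want:
        print(f"FAILED: artifact hash '{got}' does not match provenance subject '{want}'")
        return False
    return True


def demo() -> dict:
    """Replay both adversarial scenarios on constructed files and return the
    outcome of each check so a caller can assert on it."""
    genuine = b"constructed stand-in for slsa-builder-go-linux-amd64\n"
    tampered = b"hello\n"  # what `echo hello > slsa-builder-go-linux-amd64` writes
    name = "slsa-builder-go-linux-amd64"
    envelope = make_envelope(name, sha256_bytes(genuine))
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good"), os.path.join(d, "bad")
        with open(good, "wb") as f:
            f.write(genuine)
        with open(bad, "wb") as f:
            f.write(tampered)
        return {
            "genuine_pinned": verify_pinned_hash(good, sha256_bytes(genuine)),
            "tampered_pinned": verify_pinned_hash(bad, sha256_bytes(genuine)),
            "genuine_subject": verify_subject(good, envelope, name),
            "tampered_subject": verify_subject(bad, envelope, name),
            "tampered_sha256": sha256_file(bad),
        }


if __name__ == "__main__":
    print(demo())
```

Run it with `python3` to see the two outcomes the workflows above are expected to produce: the pinned-hash check rejects the tampered verifier and the subject check rejects the tampered builder, while both accept the genuine file. Treat it as a reading aid for the expected logs, not as a replacement for slsa-verifier, which additionally verifies the envelope signature and the builder identity.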
### Release tagging

Create a new tag for the final release via [yogeshkumararora/slsa-github-generator/releases/new](https://github.com/yogeshkumararora/slsa-github-generator/releases/new). The tag _MUST_ be a "canonical" [semantic version](https://semver.org/) without metadata (`$BUILDER_TAG`). Shorter versions are not accepted by the builder's and verifier's code.

1. Set the title to `$BUILDER_TAG`.
2. Add the following description.

   ```text
   **This is an un-finalized release.**

   See the [CHANGELOG](./CHANGELOG.md) for details.
   ```

3. Tick the `This is a pre-release` option.
4. Click `Publish release`.

This will trigger the [release workflow](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml). Cancel it in the [UI](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml).

### Verify final version references

Update version references with the following commands:

```shell
find .github/workflows/ .github/actions/ actions/ internal/builders/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/uses: slsa-framework\/slsa-github-generator\/\(.*\)@\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/uses: slsa-framework\/slsa-github-generator\/\1@$BUILDER_TAG/"
# NOTE: The gradle builder does not need this update.
find actions/maven/ internal/builders/maven/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/\(ref:[ ]*\)\(main\|v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?\)/\1$BUILDER_TAG/"
```

Likewise, update the documentation with the following command:

```shell
find . -name "*.md" -type f -exec sed -i "s~\(uses: .*/slsa-github-generator/.*@\)v[0-9]\+\.[0-9]\+\.[0-9]\+\(-rc\.[0-9]\+\)\?~\1$BUILDER_TAG~g" {} +
```

Send a PR with this update and add the following to the PR description.

```text
#label:release ${BUILDER_TAG}
```

Once the PR is merged, immediately update the tag to point to HEAD.

```shell
git tag $BUILDER_TAG -f
git push origin $BUILDER_TAG -f
```

This will trigger the [release workflow](https://github.com/yogeshkumararora/slsa-github-generator/actions/workflows/release.yml). Ensure this workflow succeeds and that the release assets are updated.

### Final adversarial tests

Re-run the [adversarial builder tests](#adversarial-builder-tests) using the final `$BUILDER_TAG` for the release. If any test fails you will need to delete the release and address the issues.

### Reference Actions at main

Send a PR to reference the Actions at `@main` again. You can use:

```shell
find .github/workflows/ .github/actions/ actions/ internal/builders/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/uses: slsa-framework\/slsa-github-generator\/\(.*\)@${BUILDER_TAG}/uses: slsa-framework\/slsa-github-generator\/\1@main/"
find actions/maven/ internal/builders/maven/ \( -name '*.yaml' -o -name '*.yml' \) -type f | xargs sed -i "s/\(ref:[ ]*\)$BUILDER_TAG/\1main/"
```

### Update verifier

The next step is to update the verifier's GitHub Actions e2e tests. There are e2e tests for the Go and generic Actions.

<!-- TODO(github.com/yogeshkumararora/slsa-github-generator/issues/1110): Describe GHA generic container e2e tests. -->

For the BYOB (a.k.a. delegator) workflows, you will need to update the tag of the [slsa-framework/example-trw](https://github.com/slsa-framework/example-trw/) repository:

1. Update the references to the tag and send a PR:

   ```bash
   bash update-main-to-tag.sh "${BUILDER_TAG}"
   ```

2. Cut a release with tag `${BUILDER_TAG}`.

3. Update the references back to main and send a PR:

   ```bash
   bash update-tag-to-main.sh "${BUILDER_TAG}"
   ```

Then, for each of the GHA builders, you will need to:

1. Generate binaries and provenance in
   [example-package](https://github.com/slsa-framework/example-package) using
   the GHA action builder.

   These require using the updated builders, so the first step is to update
   [verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml](https://github.com/slsa-framework/example-package/blob/main/.github/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml)
   to reference the Actions at `$BUILDER_TAG`.

   For example:

   ```yaml
   uses: yogeshkumararora/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@<BUILDER_TAG>
   ```

   Next, run
   [verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/verifier-e2e.all.workflow_dispatch.main.all.slsa3.yml).
   This will dispatch the workflow and create provenance for the workflow
   dispatch event, and then trigger subsequent runs on the following fixed
   release tags:

   - [v14](https://github.com/slsa-framework/example-package/releases/tag/v14)
   - [v14.2](https://github.com/slsa-framework/example-package/releases/tag/v14.2)
   - [v13.0.30](https://github.com/slsa-framework/example-package/releases/tag/v13.0.30)

   Wait for the runs to complete.

2. Download the uploaded artifacts of each of the created releases. You can make use of [download-artifacts.sh](https://github.com/slsa-framework/slsa-verifier/blob/main/download-artifacts.sh) (not fully automated).

3. Move these files to
   `./cli/slsa-verifier/testdata/gha_$BUILDER_TYPE/$BUILDER_TAG/` in the
   slsa-verifier repository. You may need to rename the files to match the
   directory structure.

4. Determine the digest that was uploaded by the build to the
   [example-package.verifier-e2e.all.tag.main.default.slsa3](https://github.com/slsa-framework/example-package/pkgs/container/example-package.verifier-e2e.all.tag.main.default.slsa3)
   package. Create the file `./cli/slsa-verifier/testdata/gha_generic_container/$BUILDER_TAG/container_workflow_dispatch.digest` with the content `sha256:<digest>` (no trailing newline).

5. Export the image to the
   `./cli/slsa-verifier/testdata/gha_generic_container/$BUILDER_TAG/` directory
   in the slsa-verifier repository.

   Make sure you are authenticated to GitHub's Container registry:

   ```shell
   "$GH" auth login --scopes=read:packages
   "$GH" auth token | docker login ghcr.io -u "$GITHUB_USERNAME" --password-stdin
   ```

   Export the image:

   ```shell
   cosign save \
     --dir "./cli/slsa-verifier/testdata/gha_generic_container/$BUILDER_TAG/container_workflow_dispatch" \
     "ghcr.io/slsa-framework/example-package.verifier-e2e.all.tag.main.default.slsa3@sha256:<digest>"
   ```

6. Send a pull request to merge the changes into the verifier's repository. The
   pre-submits will validate that the verifier is able to verify provenance from
   the `$BUILDER_TAG` builder.

### Finish the release

1. Remove the "This is an un-finalized release." note from the release description.
2. Un-tick the `This is a pre-release` option.
3. If it is the latest release, tick the `Set as the latest release` option.

### Update SECURITY.md

Update the `Supported Versions` section in [SECURITY.md](./SECURITY.md).

### Update the starter workflows

Update:

1. [Go builder's workflow](https://github.com/actions/starter-workflows/blob/main/ci/go-ossf-slsa3-publish.yml)
2. [Generic generator's workflow](https://github.com/actions/starter-workflows/blob/main/ci/generator-generic-ossf-slsa3-publish.yml)

### Announce

<!-- TODO(release): Provide details -->

Announce the release to users.