add attestation system to protect binaries (#4012) (#4629)

This allows proving that the binaries were produced by GitHub Actions.
This commit is contained in:
Alessandro Ros 2025-06-08 16:51:19 +02:00 committed by GitHub
parent 7a7c9c4a6a
commit b3d3fd9b4c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 33 additions and 17 deletions


@ -14,8 +14,6 @@ jobs:
- run: make binaries - run: make binaries
- run: cd binaries; for f in *; do sha256sum $f > $f.sha256sum; done
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v4
with: with:
name: binaries name: binaries


@ -5,6 +5,10 @@ on:
tags: tags:
- 'v*' - 'v*'
permissions:
id-token: write
attestations: write
jobs: jobs:
binaries: binaries:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -14,7 +18,11 @@ jobs:
- run: make binaries - run: make binaries
- run: cd binaries; for f in *; do sha256sum $f > $f.sha256sum; done - run: cd binaries && sha256sum -b * > checksums.sha256
- uses: actions/attest-build-provenance@v2
with:
subject-path: '${{ github.workspace }}/binaries/*'
- uses: actions/upload-artifact@v4 - uses: actions/upload-artifact@v4
with: with:
@ -40,21 +48,31 @@ jobs:
const currentRelease = context.ref.split('/')[2]; const currentRelease = context.ref.split('/')[2];
let body = `## New major features\n\n` let body = `## New major features\n`
+ `TODO\n\n` + `\n`
+ `## Fixes and improvements\n\n` + `TODO\n`
+ `TODO\n\n` + `\n`
+ `## Security\n\n` + `## Fixes and improvements\n`
+ `\n`
+ `TODO\n`
+ `\n`
+ `## Security\n`
+ `\n`
+ `Binaries have been produced by the [Release workflow](https://github.com/${owner}/${repo}/actions/workflows/release.yml)` + `Binaries have been produced by the [Release workflow](https://github.com/${owner}/${repo}/actions/workflows/release.yml)`
+ ` without human intervention.\n\n` + ` without human intervention.\n`
+ `SHA256 checksums:\n\n`; + `\n`
+ 'You can verify that binaries have been produced by the workflow by using [GitHub Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds):\n'
for (const name of await fs.readdir('./binaries/')) { + `\n`
if (name.endsWith('.sha256sum')) { + '```\n'
const parts = (await fs.readFile(`./binaries/${name}`, 'utf-8')).slice(0, -1).split(' '); + `ls mediamtx_* | xargs -L1 gh attestation verify --repo bluenviron/mediamtx\n`
body += `* ${parts[2]} ${parts[0]}\n`; + '```\n'
} + `\n`
} + 'You can verify the binaries checksum by downloading `checksums.sha256` and running:\n'
+ `\n`
+ '```\n'
+ `cat checksums.sha256 | grep "$(ls mediamtx_*)" | sha256sum --check\n`
+ '```\n'
+ `\n`;
const res = await github.rest.repos.createRelease({ const res = await github.rest.repos.createRelease({
owner, owner,