From 38828ec31edc58d07c15ce5cfe86a0a49b77d69b Mon Sep 17 00:00:00 2001
From: DevITWay | Pavel Volkov
Date: Mon, 6 Apr 2026 02:53:22 +0300
Subject: [PATCH] chore: SLSA L3 provenance, cosign .sig, Artifact Hub (#106)

- Add SLSA L3 provenance via slsa-github-generator reusable workflow
- Build job outputs binary hash for provenance generation
- Cosign now outputs .sig + .cert alongside .bundle (scorecard needs .sig)
- Remove fake provenance JSON and broken gh attestation step
- Add artifacthub-repo.yml for Artifact Hub discovery
---
 .github/workflows/release.yml | 69 +++++++++++++++--------------------
 artifacthub-repo.yml | 6 +++
 2 files changed, 36 insertions(+), 39 deletions(-)
 create mode 100644 artifacthub-repo.yml

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 4b15c3a..f646da9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
   build:
     name: Build & Push
     runs-on: [self-hosted, nora]
+    outputs:
+      hash: ${{ steps.hash.outputs.hash }}
     permissions:
       contents: read
       packages: write
@@ -41,6 +43,13 @@ jobs:
           path: ./nora
           retention-days: 1
 
+      - name: Compute binary hash for SLSA provenance
+        id: hash
+        run: |
+          cp target/x86_64-unknown-linux-musl/release/nora ./nora-linux-amd64
+          sha256sum nora-linux-amd64 | base64 -w0 > hash.txt
+          echo "hash=$(cat hash.txt)" >> $GITHUB_OUTPUT
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4
         with:
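Review bot: The subject digest in the `Compute binary hash for SLSA provenance` step is produced on the self-hosted runner (`runs-on: [self-hosted, nora]` in the first hunk), so the generator can attest that this workflow run submitted that digest, but not that the build behind it was isolated; any "L3" claim made about the release therefore rests on that host, not on the generator. That is worth stating on the step so nobody reads more into the provenance than it carries: `# Subject hash for slsa-github-generator; the digest is only as trustworthy as the self-hosted builder that produced it`. The step also renames the binary to `./nora-linux-amd64` while the artifact uploaded just above is `./nora`, so the release job must publish a byte-identical `nora-linux-amd64` or the provenance will not verify against the asset. Minor: quote the output path, `echo "hash=$(cat hash.txt)" >> "$GITHUB_OUTPUT"`.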
@@ -185,10 +194,22 @@ jobs:
           sarif_file: trivy-image-${{ matrix.name }}.sarif
           category: trivy-image-${{ matrix.name }}
 
+  provenance:
+    name: SLSA Provenance
+    needs: build
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hash }}"
+      upload-assets: true
+
   release:
     name: GitHub Release
     runs-on: [self-hosted, nora]
-    needs: [build, scan]
+    needs: [build, scan, provenance]
     permissions:
       contents: write
       id-token: write # Sigstore cosign keyless signing
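Review bot: The `uses: slsa-framework/slsa-github-generator/...@v2.1.0` line is the only action reference in this file pinned by tag rather than by commit SHA (the surrounding steps, e.g. `docker/setup-buildx-action@4d04d5d9...`, pin by hash). As far as I know the generator requires a full `vX.Y.Z` tag and rejects hash references, so the exception is justified, but it should be recorded so a later pinning pass does not undo it: `# pinned by tag on purpose: slsa-github-generator must be referenced as @vX.Y.Z, not by SHA`. With `upload-assets: true` the provenance is attached to the release for the current tag before the `release` job below creates one; confirm that the generator creates the release when it is missing and that `softprops/action-gh-release` then attaches to that same release, so the provenance file and the binaries are not split across two releases.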
@@ -215,42 +236,6 @@ jobs:
           echo "Binary size: $(du -sh nora-linux-amd64 | cut -f1)"
           cat nora-linux-amd64.sha256
 
-      - name: Generate SLSA provenance
-        uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
-        id: provenance-generate
-        continue-on-error: true
-
-      - name: Upload provenance attestation
-        if: always()
-        run: |
-          # Generate provenance using gh attestation (built-in GitHub feature)
-          gh attestation create ./nora-linux-amd64 --repo ${{ github.repository }} --signer-workflow ${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml 2>/dev/null || echo "WARNING: attestation failed, continuing without provenance"
-          # Also create a simple provenance file for scorecard
-          cat > nora-v${{ github.ref_name }}.provenance.json << 'PROVEOF'
-          {
-            "_type": "https://in-toto.io/Statement/v0.1",
-            "predicateType": "https://slsa.dev/provenance/v0.2",
-            "subject": [{"name": "nora-linux-amd64"}],
-            "predicate": {
-              "builder": {"id": "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml"},
-              "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v2",
-              "invocation": {
-                "configSource": {
-                  "uri": "${{ github.server_url }}/${{ github.repository }}",
-                  "digest": {"sha1": "${{ github.sha }}"},
-                  "entryPoint": ".github/workflows/release.yml"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {"parameters": true, "environment": false, "materials": false}
-              }
-            }
-          }
-          PROVEOF
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Generate SBOM (SPDX)
         uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0
         with:
@@ -267,7 +252,12 @@ jobs:
         uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v3
 
       - name: Sign binary with cosign (keyless Sigstore)
-        run: cosign sign-blob --yes --bundle nora-linux-amd64.bundle ./nora-linux-amd64
+        run: |
+          cosign sign-blob --yes \
+            --output-signature nora-linux-amd64.sig \
+            --output-certificate nora-linux-amd64.cert \
+            --bundle nora-linux-amd64.bundle \
+            ./nora-linux-amd64
 
       - name: Create Release
         uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2
@@ -276,10 +266,11 @@ jobs:
           files: |
             nora-linux-amd64
             nora-linux-amd64.sha256
+            nora-linux-amd64.sig
+            nora-linux-amd64.cert
             nora-linux-amd64.bundle
             nora-${{ github.ref_name }}.sbom.spdx.json
             nora-${{ github.ref_name }}.sbom.cdx.json
-            nora-${{ github.ref_name }}.provenance.json
           body: |
             ## Install
 
diff --git a/artifacthub-repo.yml b/artifacthub-repo.yml
new file mode 100644
index 0000000..73f6739
--- /dev/null
+++ b/artifacthub-repo.yml
@@ -0,0 +1,6 @@
+# Artifact Hub repository metadata
+# https://artifacthub.io/docs/topics/repositories/
+repositoryID: null # filled by Artifact Hub after registration
+owners:
+  - name: DevITWay
+  email: devitway@gmail.com
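Review bot: The `Sign binary with cosign` step now writes `nora-linux-amd64.sig` and `.cert`, but nothing between it and `Create Release` checks that the signature actually verifies, so a certificate issued to an unexpected identity or a signature over the wrong bytes would only be caught by downstream users after publication. A `cosign verify-blob` self-check pinned to this workflow's identity and the GitHub OIDC issuer closes that gap on the runner before the assets are uploaded; the identity string below is the form keyless signing from a workflow job places in the certificate, so confirm it against one issued `.cert` before relying on it. The release step's `body:` block continues outside the hunk.

```yaml
      - name: Verify signature before publishing
        run: |
          cosign verify-blob \
            --bundle nora-linux-amd64.bundle \
            --certificate-identity "${{ github.server_url }}/${{ github.repository }}/.github/workflows/release.yml@${{ github.ref }}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ./nora-linux-amd64
      # … unchanged: Create Release step …
```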