Support SLSA Provenance (#118)

* fix: Docker image runs as root 

* chore: remove scorecard.yml

* feat: support publish provenance

* feat: add SLSA badge

Author: shenxianpeng

.github/workflows/main.yml

@@ -99,7 +99,7 @@ jobs:
             name: "commit-check_docs"
             path: ${{ github.workspace }}/docs/_build/html
 
-        - name: Upload to github pages
+        - name: Upload docs to github pages
           # only publish doc changes from main branch
           if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main'
           uses: peaceiris/actions-gh-pages@v3

.github/workflows/publish-package.yml

@@ -4,10 +4,13 @@ on:
   release:
     branches: [main]
     types: [published]
+  workflow_dispatch:
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    outputs:
+      hash: ${{ steps.hash.outputs.hash }}
     steps:
     - uses: actions/checkout@v4
       # use fetch --all for setuptools_scm to work
@@ -27,6 +30,17 @@ jobs:
         # Check distribution
         twine check dist/commit_check*
 
+    # Generate hashes used for provenance.
+    - name: Generate hash
+      id: hash
+      run: |
+        cd dist
+        HASHES=$(sha256sum * | base64 -w0)
+        echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"
+    - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce
+      with:
+        path: ./dist
+
     - name: Publish package to TestPyPI
       if: github.event_name == 'workflow_dispatch' && github.repository == 'commit-check/commit-check'
       env:
@@ -41,3 +55,16 @@ jobs:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
       run: twine upload dist/commit_check*
+
+  provenance:
+    needs: ['publish']
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    # Can't pin with hash due to how this workflow works.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      base64-subjects: ${{ needs.build.outputs.hash }}
+      upload-assets: true # Optional: Upload to a new release
+      continue-on-error: true

.github/workflows/scorecard.yml

@@ -1,6 +1,6 @@
 FROM python:3.12-slim
 
-ARG VERSION==""
+ARG VERSION
 
 LABEL com.github.actions.name="Commit Check"
 LABEL com.github.actions.description="Check commit message formatting, branch naming, commit author, email, and more."
@@ -10,10 +10,12 @@ LABEL com.github.actions.color="gray-dark"
 LABEL repository="https://github.com/commit-check/commit-check"
 LABEL maintainer="shenxianpeng <20297606+shenxianpeng@users.noreply.github.com>"
 
-RUN if [ -z "${VERSION}" ]; then \
+RUN if [ -z "$VERSION" ]; then \
         pip3 install commit-check; \
     else \
         pip3 install commit-check==$VERSION; \
     fi
 
+USER nobody
+
 ENTRYPOINT [ "commit-check" ]

Dockerfile

@@ -21,6 +21,10 @@ Commit Check
     :target: https://github.com/commit-check/commit-check
     :alt: commit-check
 
+.. image:: https://slsa.dev/images/gh-badge-level3.svg
+    :target: https://slsa.dev
+    :alt: SLSA
+
 Overview
 --------