[feature] support creating a draft release

[ianlewis]

The Go builder and generic generator use softprops/action-gh-release to create releases. We should support setting the draft flag so that users can create draft releases.

Related: sigstore/helm-sigstore#111

[haydentherapper]

We ran into this in https://github.com/sigstore/timestamp-authority.

See the release GHA - https://github.com/sigstore/timestamp-authority/blob/main/.github/workflows/release.yaml

The GHA first creates a draft release with the binary assets, and then runs the provenance generator. The generator will create a release (not a draft) using the tag. The issues are:

1. This doesn't detect the existing draft release, instead creating a new release
2. This creates a new release that we have to delete after manually moving the intoto attestation to the draft release

Ideally the GHA generator would either detect an existing draft release and append the attestation or I could provide flags to the generator to control this behavior.

cc @asraa @laurentsimon

[asraa]

I think as a mitigation (suggested by Hayden!) users could use upload-assets: false, and manually upload the asset (which will be named according to the inputs: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs)

[ianlewis]

I think as a mitigation (suggested by Hayden!) users could use upload-assets: false, and manually upload the asset (which will be named according to the inputs: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs)

Yes, setting upload-assets: false and uploading them yourself (and downloading/uploading the provenance) is the workaround.
Example: https://github.com/sigstore/helm-sigstore/pull/111/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R61-R90

[haydentherapper]

Thanks, doing that here! sigstore/timestamp-authority#215

[haydentherapper]

Thank you @ianlewis for the code pointer, a test release worked as expected!

[ianlewis]

/cc @developer-guy BTW would love PR(s) for this if you have some time to take a look.

[developer-guy]

While working on the osv-scanner project, I realized that they mark their release as a draft for some reason. In that case, if we set the upload-assets parameter of the Generic SLSA 3 Generator as true, we see two different releases with the same tag, one is marked as draft the other is marked as latest. Then I dag into the problem a bit, and noticed that the Generic SLSA 3 Generator uses soft-props/action-gh-release to upload the provenance file, here and here. There is a draft option available in the parameters of the action-gh-release GitHub Action.

So, maybe we can add a new parameter to these generators for people who might want to mark their release as a draft, if so, they can pass that parameter to the action-gh-release to avoid having duplicate releases as said by @ianlewis up above.

[developer-guy]

What I have thought is that;

• Add a draft option to the workflow inputs
• Use the draft option to fulfill the draft option of soft-props/action-gh-release that we used to upload provenance

does that sound good @ianlewis, if so, please assign it to me. PTAL @ianlewis

[ianlewis]

What I have thought is that;

• Add a draft option to the workflow inputs
• Use the draft option to fulfill the draft option of soft-props/action-gh-release that we used to upload provenance

does that sound good @ianlewis, if so, please assign it to me. PTAL @ianlewis

Yep, that's the gist of it I think.

[laurentsimon]

We need end-to-end test before closing this issue. Test for prerelease flags are in https://github.com/search?q=repo%3Aslsa-framework%2Fexample-package%20prerelease&type=code

[ianlewis]

Reopen for e2e test.

[developer-guy]

Here is the PR for e2e tests: slsa-framework/example-package#167