From dcc351be112dfd838c29fc79417efcc0163841d3 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Fri, 2 Aug 2024 02:54:19 +0200 Subject: [PATCH] Add provenance to releases and publish SBOMs (#7784) * Add more names * split build and publish * add attestation and SBOM * format file * Add toplevel permissions * fix missing path * move provenance down * fix release workflow * simplify steps --- .github/workflows/release.yaml | 33 +++++++++++++++++++++++++++++---- pyproject.toml | 2 +- 2 files changed, 30 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 13b9d8abc7..c091b048ba 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,13 +1,16 @@ # Runs on releases -name: Publish release notes +name: Publish release on: release: types: [published] +permissions: + contents: read jobs: stable: runs-on: ubuntu-latest + name: Write release to stable branch permissions: contents: write pull-requests: write @@ -28,11 +31,13 @@ jobs: branch: stable force: true - publish-build: + build: runs-on: ubuntu-latest + name: Build and attest frontend permissions: + id-token: write contents: write - pull-requests: write + attestations: write steps: - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pin@v4.1.7 - name: Environment Setup @@ -43,6 +48,11 @@ jobs: run: cd src/frontend && yarn install - name: Build frontend run: cd src/frontend && npm run compile && npm run build + - name: Create SBOM for frontend + uses: anchore/sbom-action@v0 + with: + artifact-name: frontend-build.spdx + path: src/frontend - name: Write version file - SHA run: cd src/backend/InvenTree/web/static/web/.vite && echo "$GITHUB_SHA" > sha.txt - name: Write version file - TAG 
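Review bot: The new `id-token: write` and `attestations: write` grants in the `build` job's `permissions` block (hunk `@@ -28,11 +31,13 @@`) are undocumented, and a later reader will not know which step needs each of them or that `contents: write` here deliberately escalates above the new top-level `contents: read`. Each of these is a security-relevant grant, so I would annotate them inline, e.g. `id-token: write  # OIDC token for keyless signing in attest-build-provenance`, `contents: write  # upload release assets (upload-release-action)`, `attestations: write  # store the provenance attestation with the repo`. The job-level `contents: write` looks necessary for the upload steps in the following hunks, so I am not suggesting narrowing it; the steps list of this job continues past the end of the hunk.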
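Review bot: The new `uses: anchore/sbom-action@v0` step (hunk `@@ -43,6 +48,11 @@`) references a mutable major tag, while every other action in this file is pinned to a full commit SHA with a `# pin@vX.Y.Z` comment (`actions/checkout@692973e…`, `svenstaro/upload-release-action@04733e…`); a workflow whose purpose is to produce supply-chain evidence should not let its SBOM generator be silently replaced by whoever controls that tag. I would pin it the same way, `uses: anchore/sbom-action@<COMMIT_SHA>  # pin@<VERSION>` (placeholders to be filled from the action's release page), and the same applies to `actions/attest-build-provenance@v1` in the `@@ -51,10 +61,25 @@` hunk. Separately, `path: src/frontend` presumably scans the source tree after `yarn install` rather than the built `frontend-build.zip`, so the SBOM may describe devDependencies rather than what ships; worth a short comment on the step stating what the SBOM is meant to cover. The `build` job's step list continues beyond this hunk.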
@@ -51,10 +61,25 @@ jobs: run: | cd src/backend/InvenTree/web/static/web zip -r ../frontend-build.zip * .vite - - uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0 + - name: Attest Build Provenance + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-path: "${{ github.workspace }}/src/backend/InvenTree/web/static/frontend-build.zip" + + - name: Upload frontend + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0 with: repo_token: ${{ secrets.GITHUB_TOKEN }} file: src/backend/InvenTree/web/static/frontend-build.zip asset_name: frontend-build.zip tag: ${{ github.ref }} overwrite: true + - name: Upload Attestation + uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # pin@2.9.0 + with: + repo_token: ${{ secrets.GITHUB_TOKEN }} + asset_name: frontend-build.intoto.jsonl + file: ${{ steps.attest.outputs.bundle-path}} + tag: ${{ github.ref }} + overwrite: true diff --git a/pyproject.toml b/pyproject.toml index 421a7fe37f..0946691589 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -87,4 +87,4 @@ known_django="django" sections=["FUTURE","STDLIB","DJANGO","THIRDPARTY","FIRSTPARTY","LOCALFOLDER"] [tool.codespell] -ignore-words-list = ["assertIn","SME"] +ignore-words-list = ["assertIn","SME","intoto"]
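Review bot: The provenance attestation names only the zip (`subject-path: ".../frontend-build.zip"`), so the SBOM produced by the earlier `sbom-action` step is published without any link to it — a consumer can verify the zip with the uploaded `frontend-build.intoto.jsonl` but has no attested statement tying the SBOM to that build. If the intent is a verifiable SBOM, the SBOM would need to be attested as well (the GitHub-provided `actions/attest-sbom` action exists for this; confirm its inputs before adopting), or at least the step should carry a comment saying the attestation covers the zip only. Style: `file: ${{ steps.attest.outputs.bundle-path}}` is missing the space before `}}` that every other expression in the file has; write `file: ${{ steps.attest.outputs.bundle-path }}`. The `build` job begins before this hunk.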