diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 72ea4e24..7a7897ae 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,70 +30,6 @@ jobs:
args: release
env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_ACCESS_TOKEN }}
-
- - uses: actions/attest-build-provenance@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
-
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Darwin_arm64.tar.gz.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Darwin_x86_64.tar.gz.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Linux_arm64.tar.gz.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Linux_i386.tar.gz.sbom.json
- - uses: actions/attest-sbom@v4
+ - uses: actions/attest@v4
with:
- show-summary: false
subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Linux_x86_64.tar.gz.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Windows_arm64.zip.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Windows_i386.zip.sbom.json
- - uses: actions/attest-sbom@v4
- with:
- show-summary: false
- subject-checksums: ./dist/trellis_checksums.txt
- sbom-path: ./dist/trellis_Windows_x86_64.zip.sbom.json
-
- verify:
- needs: [goreleaser]
- runs-on: ubuntu-latest
- steps:
- - run: gh release download --clobber --dir artifacts -p '*.tar.gz' -p '*.zip' -p '*.sbom.json' --repo $REPO $TAG
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO: ${{ github.repository }}
- TAG: ${{ github.ref_name }}
- - run: tree artifacts
- - run: ls | xargs -I {} gh attestation verify --repo $REPO {}
- working-directory: artifacts
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO: ${{ github.repository }}
- - run: ls *.sbom.json | xargs -I {} gh attestation verify --predicate-type https://spdx.dev/Document/v2.3 --repo $REPO {}
- working-directory: artifacts
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- REPO: ${{ github.repository }}
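Review bot: The replacement step at `- uses: actions/attest@v4` keeps only `subject-checksums`, but the generic `actions/attest` action does not generate a predicate on its own — as far as I know it requires `predicate-type` plus one of `predicate`/`predicate-path` — so the step would most likely fail, and even with a hand-supplied predicate it would not produce the `https://slsa.dev/provenance/v1` provenance that the README's sample `gh attestation verify` output in this same commit enforces by default. If the intent is plain build provenance for the checksum-listed artifacts, the one-line fix is `- uses: actions/attest-build-provenance@v4` together with the existing `subject-checksums: ./dist/trellis_checksums.txt`; if the generic action is really wanted, add `predicate-type:` and `predicate-path:` inputs. Deleting the `verify` job also removes the only check that a published release's artifacts actually pass `gh attestation verify`, so a misconfiguration like this would ship silently; consider keeping a minimal version (download the archives, run `gh attestation verify --repo $REPO` on each). The steps list continues outside the hunk and the job's `permissions` (`id-token: write`, `attestations: write`) are not visible here, so I cannot confirm they remain correct.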
diff --git a/README.md b/README.md
index 6ce9a0c9..3f1d4b0a 100644
--- a/README.md
+++ b/README.md
@@ -158,6 +158,7 @@ vm:
[](https://github.com/roots/trellis-cli/actions)

+
[](https://twitter.com/rootswp)
[](https://github.com/sponsors/roots)
@@ -173,7 +174,7 @@ Roots is an independent open source org, supported only by developers like you.
### Sponsors
-
+
## Quick Install (macOS and Linux via Homebrew)
@@ -240,33 +241,27 @@ setup after downloading the Windows build:
trellis-cli artifacts can be [cryptographically verified via GitHub CLI](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#verifying-artifact-attestations-with-the-github-cli).
```console
-# The archive with both predicates
$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz
-## ...snipped...
-✓ Verification succeeded!
-
-sha256:xxx was attested by:
-REPO PREDICATE_TYPE WORKFLOW
-roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7
-roots/trellis-cli https://spdx.dev/Document/v2.3 .github/workflows/release.yml@refs/tags/v9.8.7
-# The binary
-$ gh attestation verify --repo roots/trellis-cli /path/to/trellis
-## ...snipped...
-✓ Verification succeeded!
+Loaded digest sha256:xxxxxxx for file://path/to/trellis_Darwin_arm64.tar.gz
+Loaded 1 attestation from GitHub API
-sha256:xxx was attested by:
-REPO PREDICATE_TYPE WORKFLOW
-roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7
+The following policy criteria will be enforced:
+- Predicate type must match:................ https://slsa.dev/provenance/v1
+- Source Repository Owner URI must match:... https://github.com/roots
+- Source Repository URI must match:......... https://github.com/roots/trellis-cli
+- Subject Alternative Name must match regex: (?i)^https://github.com/roots/trellis-cli/
+- OIDC Issuer must match:................... https://token.actions.githubusercontent.com
-# The SBOM
-$ gh attestation verify --repo roots/trellis-cli /path/to/trellis_Darwin_arm64.tar.gz.sbom.json
-## ...snipped...
✓ Verification succeeded!
-sha256:xxx was attested by:
-REPO PREDICATE_TYPE WORKFLOW
-roots/trellis-cli https://slsa.dev/provenance/v1 .github/workflows/release.yml@refs/tags/v9.8.7
+The following 1 attestation matched the policy criteria
+
+- Attestation #1
+ - Build repo:..... roots/trellis-cli
+ - Build workflow:. .github/workflows/release.yml@refs/tags/v0.0.1
+ - Signer repo:.... roots/trellis-cli
+ - Signer workflow: .github/workflows/release.yml@refs/tags/v0.0.1
```
## Shell Integration
@@ -465,4 +460,3 @@ Keep track of development and community news.
- Follow [@rootswp on Twitter](https://twitter.com/rootswp)
- Follow the [Roots Blog](https://roots.io/blog/)
- Subscribe to the [Roots Newsletter](https://roots.io/subscribe/)
-
diff --git a/go.mod b/go.mod
index 87a3c19f..c15b05de 100644
--- a/go.mod
+++ b/go.mod
@@ -3,21 +3,21 @@ module github.com/roots/trellis-cli
go 1.25.0
require (
- github.com/digitalocean/godo v1.184.0
+ github.com/digitalocean/godo v1.186.0
github.com/fatih/color v1.19.0
github.com/google/go-cmp v0.7.0
github.com/hashicorp/cli v1.1.7
github.com/hashicorp/go-version v1.9.0
github.com/hetznercloud/hcloud-go/v2 v2.37.0
github.com/manifoldco/promptui v0.9.0
- github.com/mattn/go-isatty v0.0.20
+ github.com/mattn/go-isatty v0.0.21
github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2
github.com/mholt/archives v0.1.5
github.com/mitchellh/go-homedir v1.1.0
github.com/posener/complete v1.2.3
github.com/theckman/yacspin v0.13.12
github.com/weppos/publicsuffix-go v0.50.3
- golang.org/x/crypto v0.49.0
+ golang.org/x/crypto v0.50.0
golang.org/x/oauth2 v0.36.0
gopkg.in/alessio/shellescape.v1 v1.0.0-20170105083845-52074bc9df61
gopkg.in/ini.v1 v1.67.1
@@ -74,8 +74,8 @@ require (
go.yaml.in/yaml/v2 v2.4.2 // indirect
go4.org v0.0.0-20230225012048-214862532bf5 // indirect
golang.org/x/net v0.52.0 // indirect
- golang.org/x/sys v0.42.0 // indirect
- golang.org/x/text v0.35.0 // indirect
+ golang.org/x/sys v0.43.0 // indirect
+ golang.org/x/text v0.36.0 // indirect
golang.org/x/time v0.6.0 // indirect
google.golang.org/protobuf v1.36.8 // indirect
)
diff --git a/go.sum b/go.sum
index 63320e2b..b70ed3f4 100644
--- a/go.sum
+++ b/go.sum
@@ -59,8 +59,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/digitalocean/godo v1.184.0 h1:2B2CQhxftlf3xa24Nrzn5CBQlaQjyaWqi3XbbnJlG3w=
-github.com/digitalocean/godo v1.184.0/go.mod h1:xQsWpVCCbkDrWisHA72hPzPlnC+4W5w/McZY5ij9uvU=
+github.com/digitalocean/godo v1.186.0 h1:aEYwSumR47vD1tX5mdPdznHrR72DBfHcmh0v9MxCwCw=
+github.com/digitalocean/godo v1.186.0/go.mod h1:xQsWpVCCbkDrWisHA72hPzPlnC+4W5w/McZY5ij9uvU=
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707 h1:2tV76y6Q9BB+NEBasnqvs7e49aEBFI8ejC89PSnWH+4=
github.com/dsnet/compress v0.0.2-0.20230904184137-39efe44ab707/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s=
github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY=
@@ -156,8 +156,8 @@ github.com/manifoldco/promptui v0.9.0 h1:3V4HzJk1TtXW1MTZMP7mdlwbBpIinw3HztaIlYt
github.com/manifoldco/promptui v0.9.0/go.mod h1:ka04sppxSGFAtxX0qhlYQjISsg9mR4GWtQEhdbn6Pgg=
github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
github.com/mattn/go-runewidth v0.0.13 h1:lTGmDsbAYt5DmK6OnoV7EuIF1wEIFAcxld6ypU4OSgU=
github.com/mattn/go-runewidth v0.0.13/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
github.com/mcuadros/go-version v0.0.0-20190830083331-035f6764e8d2 h1:YocNLcTBdEdvY3iDK6jfWXvEaM5OCKkjxPKoJRdB3Gg=
@@ -251,8 +251,8 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
+golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -334,15 +334,14 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
-golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
-golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
+golang.org/x/term v0.42.0 h1:UiKe+zDFmJobeJ5ggPwOshJIVt6/Ft0rcfrXZDLWAWY=
+golang.org/x/term v0.42.0/go.mod h1:Dq/D+snpsbazcBG5+F9Q1n2rXV8Ma+71xEjTRufARgY=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -351,8 +350,8 @@ golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=