build: fixing overlap in provenance filenames that causes race condit…

…ion with multiple provenance generation jobs (#429) The `client`, `server`, and `server-redis` provenance generation workflows each create a `{windows,linux,macos}-multile-provenance.intoto.jsonl` file that gets uploaded to the respective tagged releases. However, in an intermediate step, these files are temporarily uploaded to the workflow workspace that's shared between all three release types. Very occasionally, a race condition happens where one release type will overwrite the provenance file for the other release type before it's able to download it and upload it to the appropriate tagged release, which results in a SLSA verification error. This quick fix to prefix the provenance files with the release type should remove this overlap/conflict/race condition.
launchdarkly · Jul 25, 2024 · 3772096 · 3772096
1 parent 4324e66
commit 3772096
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -107,7 +107,7 @@ jobs:
       base64-subjects: "${{ needs.release-client.outputs[format('hashes-{0}', matrix.os)] }}"
       upload-assets: true
       upload-tag-name: ${{ needs.release-please.outputs.package-client-tag }}
-      provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
+      provenance-name: ${{ format('{0}-client-multiple-provenance.intoto.jsonl', matrix.os) }}
 
   release-server-provenance:
     needs: [ 'release-please', 'release-server' ]
@@ -124,7 +124,7 @@ jobs:
       base64-subjects: "${{ needs.release-server.outputs[format('hashes-{0}', matrix.os)] }}"
       upload-assets: true
       upload-tag-name: ${{ needs.release-please.outputs.package-server-tag }}
-      provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
+      provenance-name: ${{ format('{0}-server-multiple-provenance.intoto.jsonl', matrix.os) }}
 
   release-server-redis-provenance:
     needs: [ 'release-please', 'release-server-redis' ]
@@ -141,4 +141,4 @@ jobs:
       base64-subjects: "${{ needs.release-server-redis.outputs[format('hashes-{0}', matrix.os)] }}"
       upload-assets: true
       upload-tag-name: ${{ needs.release-please.outputs.package-server-redis-tag }}
-      provenance-name: ${{ format('{0}-multiple-provenance.intoto.jsonl', matrix.os) }}
+      provenance-name: ${{ format('{0}-server-redis-multiple-provenance.intoto.jsonl', matrix.os) }}
diff --git a/PROVENANCE.md b/PROVENANCE.md
@@ -2,18 +2,18 @@
 
 LaunchDarkly uses the [SLSA framework](https://slsa.dev/spec/v1.0/about) (Supply-chain Levels for Software Artifacts) to help developers make their supply chain more secure by ensuring the authenticity and build integrity of our published SDK packages.
 
-As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-multiple-provenance.intoto.jsonl`.
+As part of [SLSA requirements for level 3 compliance](https://slsa.dev/spec/v1.0/requirements), LaunchDarkly publishes provenance about our SDK package builds using [GitHub's generic SLSA3 provenance generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#generation-of-slsa3-provenance-for-arbitrary-projects) for distribution alongside our packages. These attestations are available for download from the GitHub release page for the release version under Assets > `OSNAME-PACKAGE-multiple-provenance.intoto.jsonl`.
 
 To verify SLSA provenance attestations, we recommend using [slsa-verifier](https://github.com/slsa-framework/slsa-verifier). Example usage for verifying SDK packages for Linux is included below:
 
 ```
 # Ensure provenance file is downloaded along with packages for your OS
 $ ls /tmp/launchdarkly-cpp-client-3.4.0
-linux-gcc-x64-dynamic.zip              linux-gcc-x64-static.zip               linux-multiple-provenance.intoto.jsonl
+linux-gcc-x64-dynamic.zip              linux-gcc-x64-static.zip               linux-client-multiple-provenance.intoto.jsonl
 
 # Run slsa-verifier to verify provenance against package artifacts 
 $ slsa-verifier verify-artifact \
---provenance-path linux-multiple-provenance.intoto.jsonl \
+--provenance-path linux-client-multiple-provenance.intoto.jsonl \
 --source-uri github.com/launchdarkly/cpp-sdks \
 linux-gcc-x64-static.zip linux-gcc-x64-dynamic.zip
 Verified signature against tlog entry index 59501683 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ad75383b2cf5388a2587a27acf06c948205b60999c208ae5fcbe89fae6a6aae70