Update docs; generate provenance in CI

egibs · egibs · commit 3d52e55e9a4e · 2025-06-18T14:58:14.000-05:00
Signed-off-by: egibs &lt;20933572+egibs@users.noreply.github.com&gt;
diff --git a/.github/workflows/wolfi-presubmit.yaml b/.github/workflows/wolfi-presubmit.yaml
@@ -122,7 +122,7 @@ jobs:
         uses: ./melange-src/.github/actions/setup-bubblewrap
       - if: matrix.runner == 'bubblewrap'
         run: |
-          make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" package/${{ matrix.package }}
+          make SHELL="/bin/bash" MELANGE="sudo melange" MELANGE_RUNNER="bubblewrap" MELANGE_EXTRA_OPTS="--generate-provenance" package/${{ matrix.package }}
 
       - name: Download kernel for VMs
         if: matrix.runner == 'qemu'
@@ -153,9 +153,18 @@ jobs:
             QEMU_KERNEL_IMAGE=/tmp/kernel/boot/vmlinuz-virt \
             QEMU_KERNEL_MODULES=/tmp/kernel/lib/modules/ \
             MELANGE="/usr/bin/melange" \
-            MELANGE_EXTRA_OPTS="--runner qemu" \
+            MELANGE_EXTRA_OPTS="--runner qemu --generate-provenance" \
             package/${{ matrix.package }}
 
+      - name: Output SLSA provenance
+        run: |
+          for pkg in packages/x86_64/*.apk; do
+            dir="$(basename ${pkg} .apk)"
+            mkdir -p packages/x86_64/"${dir}"
+            sudo tar --xattrs --xattrs-include='*.*' -xf "${pkg}" -C packages/x86_64/"${dir}"
+            jq . packages/x86_64/"${dir}"/.PROVENANCE
+          done
+
       - name: Run tests to verify xattrs with bubblewrap runner
         if: matrix.runner == 'bubblewrap' && matrix.package == 'fping'
         run: |
diff --git a/docs/md/melange_build.md b/docs/md/melange_build.md
@@ -45,6 +45,7 @@ melange build [flags]
       --empty-workspace                                         whether the build workspace should be empty
       --env-file string                                         file to use for preloaded environment variables
       --generate-index                                          whether to generate APKINDEX.tar.gz (default true)
+      --generate-provenance                                     generate SLSA provenance for builds (included as a .PROVENANCE file in the final APK)
       --git-commit string                                       commit hash of the git repository containing the build config file (defaults to detecting HEAD)
       --git-repo-url string                                     URL of the git repository containing the build config file (defaults to detecting from configured git remotes)
   -h, --help                                                    help for build
