github: add Asset Transparency action for GitHub releases

This adds a GitHub Action to have Helm release inserted into the Asset Transparency log[1]. With these assets in the log it would be great to also recommend users verify their download of helm using the Asset Transparency CLI like this: ``` tl verify https://get.helm.sh/helm-v3.3.1-darwin-amd64.tar.gz helm-v3.3.1-darwin-amd64.tar.gz ``` [1] https://www.transparencylog.com See kubernetes-dev discussion here: https://groups.google.com/g/kubernetes-dev/c/iWr5FiOyU78 Signed-off-by: Brandon Philips <brandon@ifup.org>
4 years ago · 87d40c126d
parent 64d4399f06
commit 87d40c126d
1 changed files with 18 additions and 0 deletions
--- a/.github/workflows/asset-transparency.yaml
+++ b/.github/workflows/asset-transparency.yaml
@ -0,0 +1,18 @@
+name: Publish Release Assets to Asset Transparency Log
+
+on:
+  release:
+    types: [published, created, edited, released]
+
+jobs:
+  github_release_asset_transparency_log_publish_job:
+    runs-on: ubuntu-latest
+    name: Publish GitHub release asset digests to https://beta-asset.transparencylog.net
+    steps:
+    - name: Gather URLs from GitHub release and publish
+      id: asset-transparency
+      uses: transparencylog/github-releases-asset-transparency-verify-action@v10
+    - name: List verified and published URLs
+      run: echo "Verified URLs ${{ steps.asset-transparency.outputs.verified }}"
+    - name: List failed URLs
+      run: echo "Failed URLs ${{ steps.asset-transparency.outputs.failed }}"