Merge branch 'main' into feat/enterprise-ip-allow-list

Author: ErikElkins

.github/workflows/ci.yaml

@@ -27,9 +27,9 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Set-up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: go.mod
           cache: true

.github/workflows/codeql.yaml

@@ -39,17 +39,17 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set-up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         if: matrix.language == 'go'
         with:
           go-version-file: go.mod
           cache: true
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
         with:
           languages: ${{ matrix.language }}
           build-mode: ${{ matrix.build-mode }}
@@ -60,29 +60,6 @@ jobs:
         run: go build ./...
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
+        uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
         with:
           category: "/language:${{matrix.language}}"
-
-  check:
-    name: Check CodeQL Analysis
-    if: always() && github.event_name == 'pull_request'
-    needs:
-      - analyze
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        shell: bash
-    steps:
-      - name: Check
-        env:
-          INPUT_RESULTS: ${{ join(needs.*.result, ' ') }}
-        run: |
-          set -euo pipefail
-          read -a results <<< "${INPUT_RESULTS}"
-          for result in "${results[@]}"; do
-            if [[ "${result}" == "failure" ]] || [[ "${result}" == "cancelled" ]]; then
-              echo "::error::Workflow failed!"
-              exit 1
-            fi
-          done

.github/workflows/dotcom-acceptance-tests.yaml

@@ -41,7 +41,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check secrets
         if: github.event_name == 'pull_request_target'
@@ -73,7 +73,7 @@ jobs:
           echo "token=${GH_TEST_TOKEN}" >> "${GITHUB_OUTPUT}"
 
       - name: Set-up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: go.mod
           cache: true

.github/workflows/ghes-acceptance-tests.yaml

@@ -31,7 +31,7 @@ jobs:
         shell: bash
     steps:
       - name: Checkout
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Check secrets
         if: github.event_name == 'pull_request_target'
@@ -85,7 +85,7 @@ jobs:
           echo "token=${TEST_USER_TOKEN}" >> "${GITHUB_OUTPUT}"
 
       - name: Set-up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: go.mod
           cache: true

.github/workflows/release.yaml

@@ -29,19 +29,19 @@ jobs:
       run:
         shell: bash
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           # Allow goreleaser to access older tag information.
           fetch-depth: 0
 
       - name: Set-up Go
-        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: go.mod
           cache: true
 
       - name: Install Syft
-        uses: anchore/sbom-action/download-syft@0b82b0b1a22399a1c542d4d656f70cd903571b5c # v0.21.1
+        uses: anchore/sbom-action/download-syft@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
 
       - name: Install Cosign
         uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
@@ -64,6 +64,6 @@ jobs:
           args: release --clean
 
       - name: Attest artifacts
-        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
         with:
           subject-checksums: ./dist/${{ github.event.repository.name }}_${{ fromJSON(steps.goreleaser.outputs.metadata).version }}_SHA256SUMS

.golangci.yml

@@ -19,6 +19,7 @@ linters:
     - misspell
     - modernize
     - nilerr
+    - nilnesserr # https://golangci-lint.run/docs/linters/configuration/#nilnesserr
     - predeclared
     - staticcheck
     - unconvert

VERIFY_ATTESTATIONS.md

@@ -0,0 +1,211 @@
+# Using Artifact Attestations to Achieve SLSA v1 Build Level 3
+
+This project started to use GitHub Action to create attestations for the release artifacts. Building software with artifact attestation streamlines supply chain security and helps us achieve [SLSA](https://slsa.dev/) v1.0 Build Level 3 for this project.
+
+> [!NOTE]
+> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available.
+>
+> Attestations are only available for releases from `v6.9.0`.
+
+## Verifying with GitHub CLI
+
+### Prerequisites
+
+First, install GitHub CLI if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation) for your platform.
+
+### Verifying Attestations
+
+To verify artifact attestations generated during the build process, use the `gh attestation verify` command from the GitHub CLI.
+
+The `gh attestation verify` command requires either `--owner` or `--repo` flags to be used with it.
+
+> [!NOTE]
+> Make sure to replace x.y.z with the actual release tag you want to verify.
+> Replace artifact name with the actual artifact you want to verify.
+
+Download the release artifacts first:
+
+```bash
+version="x.y.z"
+artifact="terraform-provider-github_${version}_darwin_amd64.zip"
+
+gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber
+```
+
+To verify the artifact attestations for this project, you can run the following command:
+
+```bash
+gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}"\
+  --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \
+  "$artifact"
+```
+
+### Verifying All Artifacts
+
+Alternatively, you can verify all downloaded artifacts with a loop that provides individual status reporting:
+
+```bash
+for artifact in terraform-provider-github_${version}_*.zip; do
+  echo "Verifying: $artifact"
+  gh attestation verify --repo integrations/terraform-provider-github --source-ref "refs/tags/v${version}" \
+    --signer-workflow integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \
+    "$artifact" && echo "✓ Verified" || echo "✗ Failed"
+done
+```
+
+### Using Optional Flags
+
+The `gh attestation verify` command supports additional flags for more specific verification:
+
+Use the `--signer-repo` flag to specify the repository:
+
+```bash
+gh attestation verify --owner integrations --signer-repo \
+  integrations/terraform-provider-github \
+  "$artifact"
+```
+
+If you would like to require an artifact attestation to be signed with a specific workflow, use the `--signer-workflow` flag to indicate the workflow file that should be used.
+
+```bash
+gh attestation verify --owner integrations --signer-workflow \
+  integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version} \
+  "$artifact"
+```
+
+## Verifying with Cosign
+
+> [!NOTE]
+> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available.
+>
+> Attestations are only available for releases from `v6.9.0`.
+
+In addition to artifact attestations, you can verify release artifacts using [Cosign](https://docs.sigstore.dev/cosign/overview/). Cosign is a tool for signing and verifying software artifacts and container images.
+
+### Prerequisites
+
+First, install Cosign if you haven't already. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/) for your platform.
+
+### Verify Checksums File
+
+Download the checksums file and its signature bundle:
+
+```bash
+gh release download v${version} --repo integrations/terraform-provider-github \
+  -p "terraform-provider-github_${version}_SHA256SUMS" \
+  -p "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" --clobber
+```
+
+Verify the checksums file signature:
+
+```bash
+cosign verify-blob \
+  --bundle "terraform-provider-github_${version}_SHA256SUMS.sbom.json.bundle" \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \
+  "terraform-provider-github_${version}_SHA256SUMS"
+```
+
+### Verify Artifact Checksums
+
+After verifying the checksums file, verify your downloaded artifacts match the checksums:
+
+Download the artifact you want to verify:
+
+```bash
+artifact="terraform-provider-github_${version}_darwin_amd64.zip"
+gh release download v${version} --repo integrations/terraform-provider-github \
+  -p "$artifact" --clobber
+```
+
+Verify the checksum:
+
+```bash
+shasum -a 256 -c terraform-provider-github_${version}_SHA256SUMS --ignore-missing
+```
+
+This will verify that your downloaded artifact matches the signed checksum, confirming its integrity and authenticity.
+
+## Verifying SLSA Provenance Attestations with Cosign
+
+In addition to using the GitHub CLI, you can verify SLSA provenance attestations using Cosign by downloading the attestation and verifying it against your local artifact.
+
+### Prerequisites
+
+1. Install `cosign` for verifying attestations. See the [installation instructions](https://docs.sigstore.dev/cosign/system_config/installation/).
+2. Install `gh` (GitHub CLI) if you haven't already. See the [installation instructions](https://github.com/cli/cli#installation).
+
+### Download and Verify Attestation
+
+> [!NOTE]
+> Make sure to replace x.y.z with the actual release tag you want to verify.
+> Replace artifact name with the actual artifact you want to verify.
+
+> [!NOTE]
+> Not all artifacts may have attestations generated for them. Please check the [repository attestations](https://github.com/integrations/terraform-provider-github/attestations) to see which artifacts have attestations available.
+>
+> Attestations are only available for releases from `v6.9.0`.
+
+First, download the artifact you want to verify:
+
+```bash
+version="x.y.z"
+artifact="terraform-provider-github_${version}_darwin_amd64.zip"
+
+gh release download "v${version}" --repo integrations/terraform-provider-github \
+  -p "$artifact" --clobber
+```
+
+Then, download the attestation associated with the artifact:
+
+```bash
+gh attestation download "$artifact" \
+  --repo integrations/terraform-provider-github
+```
+
+This will create a file named `sha256:[digest].jsonl` in the current directory.
+
+Verify the attestation using Cosign:
+
+```bash
+# Calculate the digest and verify using the specific bundle file
+digest=$(shasum -a 256 "$artifact" | awk '{ print $1 }')
+cosign verify-blob-attestation \
+  --bundle "sha256:${digest}.jsonl" \
+  --new-bundle-format \
+  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \
+  "$artifact"
+```
+
+A successful verification will output `Verified OK`, confirming that the artifact was built by the trusted GitHub Actions workflow and its provenance is securely recorded.
+
+### Verifying All Release Artifacts
+
+To verify all release artifacts for a specific version:
+
+```bash
+version="x.y.z"
+
+# Download all release artifacts
+gh release download "v${version}" --repo integrations/terraform-provider-github -p "*.zip" --clobber
+
+# Download attestations for all artifacts
+for artifact in terraform-provider-github_${version}_*.zip; do
+  gh attestation download "$artifact" --repo integrations/terraform-provider-github
+done
+
+# Verify all artifacts using specific digest-based bundle files
+for artifact in terraform-provider-github_${version}_*.zip; do
+  echo "Verifying: $artifact"
+  digest=$(shasum -a 256 "$artifact" | awk '{ print $1 }')
+  cosign verify-blob-attestation \
+    --bundle "sha256:${digest}.jsonl" \
+    --new-bundle-format \
+    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+    --certificate-identity "https://github.com/integrations/terraform-provider-github/.github/workflows/release.yaml@refs/tags/v${version}" \
+    "$artifact" > /dev/null && echo "✓ Verified" || echo "✗ Failed"
+done
+```
+
+This approach calculates the digest for each artifact and uses the corresponding specific bundle file, ensuring each artifact is verified against its own attestation.

github/acc_test.go

@@ -10,7 +10,7 @@ import (
 	"strings"
 	"testing"
 
-	"github.com/google/go-github/v81/github"
+	"github.com/google/go-github/v82/github"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -49,6 +49,9 @@ type testAccConfig struct {
 	testPublicRepository              string
 	testPublicRepositoryOwner         string
 	testPublicReleaseId               int
+	testPublicRelaseAssetId           string
+	testPublicRelaseAssetName         string
+	testPublicReleaseAssetContent     string
 	testPublicTemplateRepository      string
 	testPublicTemplateRepositoryOwner string
 	testGHActionsAppInstallationId    int
@@ -105,11 +108,16 @@ func TestMain(m *testing.M) {
 	}
 
 	config := testAccConfig{
-		baseURL:                           baseURL,
-		authMode:                          authMode,
-		testPublicRepository:              "terraform-provider-github",
-		testPublicRepositoryOwner:         "integrations",
-		testPublicReleaseId:               186531906,
+		baseURL:                   baseURL,
+		authMode:                  authMode,
+		testPublicRepository:      "terraform-provider-github",
+		testPublicRepositoryOwner: "integrations",
+		testPublicReleaseId:       186531906,
+		// The terraform-provider-github_6.4.0_manifest.json asset ID from
+		// https://github.com/integrations/terraform-provider-github/releases/tag/v6.4.0
+		testPublicRelaseAssetId:           "207956097",
+		testPublicRelaseAssetName:         "terraform-provider-github_6.4.0_manifest.json",
+		testPublicReleaseAssetContent:     "{\n  \"version\": 1,\n  \"metadata\": {\n    \"protocol_versions\": [\n      \"5.0\"\n    ]\n  }\n}",
 		testPublicTemplateRepository:      "template-repository",
 		testPublicTemplateRepositoryOwner: "template-repository",
 		testGHActionsAppInstallationId:    15368,