
Add support for SLSA provenance generation #1000

Closed
wants to merge 1 commit into from

Conversation

Dentrax

@Dentrax Dentrax commented Mar 31, 2023

🎉 FUN FACT: THIS IS 1000th!


Signed-off-by: Furkan [email protected]
Signed-off-by: Batuhan [email protected]

Fixes #896

This PR is an initial attempt to include SLSA Provenance support in ko. Based on https://slsa.dev/provenance/v0.2.

Highlights:

  • Pass --provenance flag to enable (enabled by default)
  • Output provenance for multi-architecture builds
  • SLSA v0.2

See the example output:

slsa.json
{
  "_type": "https://in-toto.io/Statement/v0.1",
  "predicateType": "https://slsa.dev/provenance/v0.2",
  "subject": [
    {
      "name": "ko",
      "digest": {
        "sha256": "e01c29046797c49d1e53847c781c9ba953e0d10000c21ebc56786f6cdbab003c"
      }
    }
  ],
  "predicate": {
    "builder": {
      "id": "https://github.com/ko-build/ko@(devel)"
    },
    "buildType": "",
    "invocation": {
      "configSource": {
        "uri": "git+https://github.com:Dentrax/ko.git/refs/tags/@v0.11.2",
        "digest": {
          "sha256": "ad9b799547b2d5702b161673f0145a9057c953810f3bb0de0560e45d7c084f4f"
        },
        "entryPoint": ".ko.yaml"
      },
      "parameters": [
        "--bare=false",
        "--base-import-paths=false",
        "--disable-optimizations=false",
        "--image-label=[]",
        "--image-refs=",
        "--insecure-registry=false",
        "--jobs=0",
        "--local=false",
        "--oci-layout-path=",
        "--platform=[]",
        "--preserve-import-paths=false",
        "--provenance=true",
        "--push=true",
        "--sbom=spdx",
        "--sbom-dir=",
        "--tag-only=false",
        "--tags=[latest]",
        "--tarball="
      ],
      "environment": [
        "KO_DOCKER_REPO=furkanturkal"
      ]
    },
    "buildConfig": {
      "steps": [
        {
          "workingDir": ".",
          "command": [
            ".",
            "build",
            "-trimpath",
            "-ldflags=-s",
            "-o",
            "/var/folders/nq/vxjjn3311fg4q263qsxrghpcpzgp66/T/ko2825734319/out",
            "github.com/google/ko"
          ],
          "info": [
            "-buildmode=exe",
            "-compiler=gc",
            "-trimpath=true",
            "CGO_ENABLED=0",
            "GOARCH=arm64",
            "GOOS=linux",
            "vcs=git",
            "vcs.revision=fcce6a5df590e5603942cd41d927c69783779cb2",
            "vcs.time=2023-03-30T21:11:49Z",
            "vcs.modified=true"
          ]
        }
      ],
      "version": 0
    },
    "metadata": {
      "buildStartedOn": "2023-04-01T00:21:02+03:00",
      "buildFinishedOn": "2023-04-01T00:21:17+03:00",
      "completeness": {
        "parameters": true,
        "environment": true,
        "materials": false
      },
      "reproducible": false
    },
    "materials": [
      {
        "uri": "git+https://github.com:Dentrax/ko.git/refs/tags/@v0.11.2",
        "digest": {
          "sha1": "fcce6a5df590e5603942cd41d927c69783779cb2"
        }
      }
    ]
  }
}
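As an added example (not part of this PR or the ko code base), here is a small Go consumer for a statement like the one above, written from the side that has to decide whether to trust an image: the subject digest must match the artifact being deployed, the builder must be identified, and the completeness flags are surfaced as findings (the output above declares materials incomplete). The embedded sample is a trimmed copy of the PR's own output.

```go
package main

import "encoding/json"

// Only the SLSA v0.2 fields this check reads; encoding/json ignores the rest.
type statement struct {
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		Builder  struct{ ID string `json:"id"` } `json:"builder"`
		Metadata struct {
			Completeness map[string]bool `json:"completeness"`
		} `json:"metadata"`
	} `json:"predicate"`
}

// CheckProvenance returns policy findings for a v0.2 statement covering an artifact with hex digest sha256 (empty = acceptable).
func CheckProvenance(raw []byte, sha256 string) ([]string, error) {
	var s statement
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, err // malformed provenance is rejected, not treated as "no findings"
	}
	var findings []string
	if s.PredicateType != "https://slsa.dev/provenance/v0.2" {
		findings = append(findings, "unexpected predicateType "+s.PredicateType)
	}
	match := false
	for _, sub := range s.Subject { // a statement may cover several subjects
		match = match || sub.Digest["sha256"] == sha256
	}
	if !match {
		findings = append(findings, "no subject digest matches the artifact")
	}
	if s.Predicate.Builder.ID == "" {
		findings = append(findings, "builder.id is empty")
	}
	if !s.Predicate.Metadata.Completeness["materials"] {
		findings = append(findings, "materials are declared incomplete") // false in the PR's output
	}
	return findings, nil
}

// sample is a trimmed copy of the PR description's example output (constructed test input).
const sample = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2",
"subject":[{"name":"ko","digest":{"sha256":"e01c29046797c49d1e53847c781c9ba953e0d10000c21ebc56786f6cdbab003c"}}],
"predicate":{"builder":{"id":"https://github.com/ko-build/ko@(devel)"},
"metadata":{"completeness":{"parameters":true,"environment":true,"materials":false}}}}`
```

In a real pipeline the statement would first be pulled from the registry and its signature verified; this check runs after that step and turns the predicate's self-description into enforceable findings.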

@developer-guy developer-guy requested a review from imjasonh April 1, 2023 09:19
@developer-guy
Collaborator

developer-guy commented Apr 5, 2023

There are lots of things happening on the SLSA side, like announcing the newest RC2 version of SLSA, which is the last release before releasing SLSA v1.0. And they started to create issues on projects to adapt them to the v1.0 version of SLSA here.

So, my question is: Should we wait for the v1 release or continue with v0.2 and then adapt to v1 in the future?

PTAL @Dentrax @imjasonh

@developer-guy developer-guy force-pushed the provenance branch 7 times, most recently from af47f27 to aa8863f April 5, 2023 13:32
@developer-guy developer-guy force-pushed the provenance branch 4 times, most recently from 84c73ff to 35b99bb April 18, 2023 22:00
Fixes ko-build#896

Signed-off-by: Furkan <[email protected]>
Co-authored-by: Batuhan <[email protected]>
Signed-off-by: Batuhan Apaydın <[email protected]>
@developer-guy
Collaborator

Any thoughts on this?

here is the v1.0 spec: https://slsa.dev/provenance/v1

here is a quick guide about the newest features released with v1: https://slsa.dev/spec/v1.0/whats-new

@github-actions

This Pull Request is stale because it has been open for 90 days with
no activity. It will automatically close after 30 more days of
inactivity. Keep fresh with the 'lifecycle/frozen' label.

Successfully merging this pull request may close these issues.

Discussion: Can ko generate SLSA provenance?