108 review the new GitHub attestations

.github/workflows/release.yml

@@ -8,6 +8,14 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  id-token: write
+  attestations: write
+  contents: write
+  packages: write
+  pull-requests: read
+  deployments: read
+
 jobs:
   build:
     name: Build on ${{ matrix.target }}
@@ -163,8 +171,8 @@ jobs:
       - name: Build signed installer
         if: runner.os == 'Windows'
         run: |
-          azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.exe"
-          azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps Workbench-%GITHUB_REF_NAME%-win-x64.msi"
+          azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.exe"
+          azuresigntool.exe sign --verbose -kvu ${{ secrets.AZURE_KEY_VAULT_URI }} -kvc ${{ secrets.AZURE_KEYVAULT_CERT_NAME }} -kva %AZ_TOKEN% -fd sha256 -tr http://timestamp.digicert.com -v "dist/AxonOps.Workbench-%GITHUB_REF_NAME%-win-x64.msi"
         shell: cmd
 
       # Ensure this task is right before the Upload
@@ -217,6 +225,20 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Attest Build Provenance for TGZ
+        uses: actions/attest-build-provenance@897ed5eab6ed058a474202017ada7f40bfa52940 # v1.0.0
+        with:
+          subject-path: |
+            dist/*.zip
+            dist/*.pkg
+            dist/*.dmg
+            dist/*.deb
+            dist/*.rpm
+            dist/*.exe
+            dist/*.tar.gz
+            dist/*.nsis
+            dist/*.msi
+
 # Release choco and brew
 
   release-brew:

.github/workflows/trivy.yml

@@ -0,0 +1,28 @@
+name: build
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+jobs:
+  build:
+    name: Run Trivy
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'sarif'
+          output: 'trivy-results.sarif'
+          severity: "MEDIUM,HIGH,CRITICAL"
+          #scanners: "vuln"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

package.json

@@ -30,14 +30,14 @@
         "provider": "github"
       }
     ],
-    "artifactName": "${productName}-${version}-${os}-${arch}.${ext}",
+    "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}",
     "win": {
       "icon": "./renderer/assets/images/axonops-icon-256x256.ico",
       "target": [
         "nsis",
         "msi"
       ],
-      "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
+      "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}"
     },
     "linux": {
       "icon": "./renderer/assets/images/",
@@ -49,7 +49,7 @@
         "Keywords": "cassandra;axonops;development;workbench",
         "Icon": "/usr/share/icons/hicolor/256x256/apps/axonops-workbench.png"
       },
-      "artifactName": "${productName}-${version}-${os}-${arch}.${ext}"
+      "artifactName": "AxonOps.Workbench-${version}-${os}-${arch}.${ext}"
     },
     "mac": {
       "icon": "./renderer/assets/images/axonops-icon-512x512.icns",