fix(ci): at attestation for release artifacts

Author: npalm

.github/workflows/release.yml

@@ -6,14 +6,15 @@ on:
       - v1
   workflow_dispatch:
 
-
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     permissions:
       contents: write
       actions: write
+      id-token: write
+      attestations: write
     steps:
       - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
@@ -34,12 +35,28 @@ jobs:
         run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
       - name: Release
         id: release
-        uses: google-github-actions/release-please-action@e4dc86ba9405554aeba3c6bb2d169500e7d3b4ee # v4.1.1
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
         with:
           target-branch: ${{ steps.branch.outputs.name }}
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}
-      - name: Upload Release Asset
+      - name: Attest
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        id: attest
+        uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2.1.0
+        with:
+          subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'
+      - name: Update release notes with attestation
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release view ${{ github.event.inputs.version }} --json body -q '.body' > new-release-notes.md
+          echo "## Attestation" >> new-release-notes.md
+          echo "Attestation url: ${{ steps.attest.outputs.attestation-url }}" >> new-release-notes.md
+          echo "Verify the artifacts by running \`gh attest verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
+          gh release edit ${{ steps.release.outputs.tag_name }} -F new-release-notes.md -t ${{ steps.release.outputs.tag_name }}
+      - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

SECURITY.md

@@ -1,10 +1,12 @@
-# Security Policy
-
-## Reporting a Vulnerability
-
-If you find a vulnerability, or evidence of one, please report it privately.
-
-Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
-[main repository's security tab](https://github.com/github-aws-runners/terraform-aws-github-runner/security), click "Report a vulnerability" to open the advisory form.
-
-A member of the terraform-aws-github-runner team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.
+# Security Policy
+
+<!-- --8<-- [start:mkdocsrunners] -->
+## Reporting a Vulnerability
+
+If you find a vulnerability, or evidence of one, please report it privately.
+
+Vulnerabilities should be reported using [GitHub's mechanism for privately reporting a vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability#privately-reporting-a-security-vulnerability). Under the
+[main repository's security tab](https://github.com/github-aws-runners/terraform-aws-github-runner/security), click "Report a vulnerability" to open the advisory form.
+
+A member of the terraform-aws-github-runner team will triage the reported vulnerability and if the vulnerability is accepted a security advisory will be published and all further communication will be done via that security advisory.
+<!-- --8<-- [end:mkdocsrunners] -->

docs/security.md

@@ -1,10 +1,19 @@
 
 # Security
 
-This module creates resources in your AWS infrastructure, and EC2 instances for hosting the self-hosted runners on-demand. IAM permissions are set to a minimal level, and could be further limited by using permission boundaries. Instances permissions are limited to retrieve and delete the registration token, access the instance's own tags, and terminate the instance itself. By nature instances are short-lived, we strongly suggest to use ephemeral runners to ensure a safe build environment for each workflow job execution.
+This module is not certified by any security organization. The module is build with the best practices in mind, but it is your responsibility to ensure the security of your environment. We welcome any feedback to improve the security of the module.
 
-Ephemeral runners are using the JIT configuration, confguration that only can be used once to activate a runner. For non-ephemeral runners this option is not provided by GitHub. For non-ephemeeral runners a registration token is passed via SSM. After using the token, the token is deleted. But the token remains valid and is potential available in memory on the runner. For ephemeral runners this problem is avoid by using just in time tokens.
+## Guidelines and directions
 
-The examples are using standard AMI's for different operation systems. Instances are not hardened, and sudo operation are not blocked. To provide an out of the box working experience by default the module installs and configures the runner. However secrets are not hard coded, they finally end up in the memory of the instances. You can harden the instance by providing your own AMI and overwriting the cloud-init script.
+This module creates resources in your AWS infrastructure, and EC2 instances for hosting the self-hosted runners on-demand. IAM permissions are set to a minimal level, and could be further limited by using permission boundaries. Instances permissions are limited to retrieve and delete the registration token, access the instance's own tags, and terminate the instance itself. By nature instances are short-lived, we strongly suggest to use *ephemeral runners* to ensure a safe build environment for each workflow job execution.
 
-We welcome any improvement to the standard module to make the default as secure as possible, in the end it remains your responsibility to keep your environment secure.
+Ephemeral runners are using the *JIT configuration*, configuration that only can be used once to activate a runner. For non-ephemeral runners this option is not provided by GitHub. For non-ephemeral runners a registration token is passed via SSM. After using the token, the token is deleted. But the token remains valid and is potential available in memory on the runner. For ephemeral runners this problem is avoid by using just in time tokens.
+
+The examples are using standard AMI's for different operation systems. Instances are not hardened, and sudo operation are not blocked. To provide an out of the box working experience by default the module installs and configures the runner. However secrets are not hard coded, they finally end up in the memory of the instances. We advise to build and harden your own AMIs, you can use the packer images as an example.
+
+
+## Attestation
+
+The module is released using GitHub actions and the lambda artifacts are attached to the release as attachment. During the release attestation are created. The attestation are created by the release pipeline. You find a link to the attestation in the GitHub release. The attestation only provides provenance information about the release. The attestation are not a security guarantee. We recommend you to verify the attestation after downloading the the lambda artifacts.
+
+--8<-- "SECURITY.md:mkdocsrunners"