@MrPanda85 MrPanda85 commented Nov 5, 2025

We want to ensure high quality of the packages. Make sure that you've checked the boxes below before sending a pull request.

Not every repository (project) will require every option, but most projects should. Check the Contribution Guidelines for details.

  • The repo documentation has a pkg.go.dev link.
  • The repo documentation has a coverage service link.
  • The repo documentation has a goreportcard link.
  • The repo has a version-numbered release and a go.mod file.
  • The repo has a continuous integration process that automatically runs tests that must pass before new pull requests are merged.
  • Continuous integration is used to attempt to catch issues prior to releasing this package to end-users.

Please provide some links to your package to ease the review

  • forge link (github.com, gitlab.com, etc):
  • pkg.go.dev:
  • goreportcard.com:
  • coverage service link (codecov, coveralls, etc.):

Pull Request content

  • The package has been added to the list in alphabetical order.
  • The package has an appropriate description with correct grammar.
  • As far as I know, the package has not been listed here before.

Category quality

Note that new categories can be added only when there are 3 packages or more.

Packages added a long time ago might not meet the current guidelines anymore. It would be very helpful if you could check 3-5 packages above and below your submission to ensure that they also still meet the Quality Standards.

Please delete one of the following lines:

  • The packages around my addition still meet the Quality Standards.
  • I removed the following packages around my addition: (please give a short reason for each removal)

Thanks for your PR, you're awesome! 😎

Summary by CodeRabbit

  • Chores
    • Implemented automated GitHub Actions workflow for Go releases with SLSA v3 provenance generation, enabling enhanced supply chain security and release verification capabilities.


coderabbitai bot commented Nov 5, 2025

Walkthrough

A new GitHub Actions workflow is introduced to automate SLSA v3 provenance generation for Go releases. The workflow triggers on manual dispatch or release creation, establishes necessary permissions, and delegates the build process to the external slsa-github-generator builder action.

Changes

Cohort / File(s) | Summary
SLSA Go Release Workflow (.github/workflows/go-ossf-slsa3-publish.yml) | New workflow file for SLSA v3 Go release signing; triggers on workflow_dispatch or release creation; configures id-token, contents, and actions permissions; reuses the slsa-framework/slsa-github-generator builder_go_slsa3.yml action; targets Go 1.17 with configuration and documentation pointers

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Verify the workflow permissions are appropriate for the intended use case
  • Confirm the slsa-github-generator action version/reference is stable and correct
  • Review any environment-specific configuration or secrets that may be required to run the workflow

Poem

🐰 A workflow takes flight, with SLSA so bright,
Go releases now signed with provenance in sight,
The builder arrives from the framework's great hall,
Securing each build, from the start to the fall! ✨

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title directly describes the creation of a new GitHub Actions workflow file, which matches the primary change in the changeset.
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.

github-actions bot commented Nov 5, 2025

Automated Quality Checks (from CONTRIBUTING minimum standards)

  • Repo link: missing
  • pkg.go.dev: missing
  • goreportcard: missing
  • coverage: missing

These checks are a best-effort automation and do not replace human review.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 56e2cfa and e923c7d.

📒 Files selected for processing (1)
  • .github/workflows/go-ossf-slsa3-publish.yml (1 hunks)
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: elymanuba
Repo: avelino/awesome-go PR: 5762
File: README.md:0-0
Timestamp: 2025-08-14T23:46:18.545Z
Learning: When reviewing contributions to the awesome-go repository, maintain a relaxed and less pedantic approach. Users may find overly strict feedback about formatting, alphabetical ordering, or description tone to be unnecessary. Focus on major issues rather than minor stylistic preferences.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)
  • GitHub Check: quality
  • GitHub Check: quality
  • GitHub Check: quality
  • GitHub Check: quality
  • GitHub Check: Codacy Static Code Analysis
🔇 Additional comments (1)
.github/workflows/go-ossf-slsa3-publish.yml (1)

1-38: Context concern: Workflow file in package-contribution PR—verify repository fit.

This PR introduces a SLSA v3 provenance workflow, but the PR description describes a package contribution checklist. This workflow is infrastructure-focused (CI/CD), not a package addition. Before proceeding, confirm:

  1. Is this the intended change for this PR, or was the file accidentally committed?
  2. Is a SLSA provenance workflow appropriate for awesome-go? (It's a curated list repository, not a binary-releasing project.)

Comment on lines +24 to +26
# Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project.
# See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file
#=========================================================================================================================================
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify the required .slsa-goreleaser.yml configuration file exists.

The workflow references a .slsa-goreleaser.yml file (line 25 comment) as a prerequisite, but this file is not provided or verified in the PR. The workflow will fail at runtime if this configuration is missing from the repository root.


🏁 Script executed:

#!/bin/bash
# Description: Verify that .slsa-goreleaser.yml exists in the repository root.

# Check for the configuration file
if [ -f .slsa-goreleaser.yml ]; then
  echo "✓ Configuration file exists:"
  head -20 .slsa-goreleaser.yml
else
  echo "✗ Configuration file .slsa-goreleaser.yml not found in repository root"
  exit 1
fi

# Also check if there are any existing GitHub Actions workflows for context
echo ""
echo "Existing workflows in .github/workflows/:"
ls -la .github/workflows/ 2>/dev/null || echo "No workflows directory found"

Length of output: 70


I need to gather more context about the codebase and this workflow to understand whether the missing file is indeed a problem or expected behavior.


🏁 Script executed:

#!/bin/bash
# Search for references to slsa-goreleaser or related configuration
echo "=== Searching for slsa-goreleaser references ==="
rg -i "slsa-goreleaser" --type-list 2>/dev/null | head -5
rg -i "slsa-goreleaser" -n 2>/dev/null || echo "No references found"

echo ""
echo "=== Checking the workflow file for context ==="
cat .github/workflows/go-ossf-slsa3-publish.yml | head -50

echo ""
echo "=== Looking for any README or documentation about SLSA ==="
find . -maxdepth 2 -type f \( -name "README*" -o -name "*.md" \) -exec rg -l "slsa\|SLSA" {} \;

echo ""
echo "=== Checking if there are template or example config files ==="
fd -e yml -e yaml | grep -E "(example|template|sample|config)" | head -10

Length of output: 2229


🏁 Script executed:

#!/bin/bash
# Search for references to slsa-goreleaser or related configuration
echo "=== Searching for slsa-goreleaser references ==="
rg -i "slsa-goreleaser" -n 2>/dev/null || echo "No references found"

echo ""
echo "=== Checking the workflow file for context ==="
cat .github/workflows/go-ossf-slsa3-publish.yml 2>/dev/null | head -60

echo ""
echo "=== Looking for any README or documentation files ==="
find . -maxdepth 2 -type f \( -name "README*" -o -name "*.md" \) 2>/dev/null

echo ""
echo "=== Checking for any example or template YAML files ==="
fd -e yml -e yaml 2>/dev/null | grep -i -E "(example|template|sample)" | head -10

Length of output: 2329


Let me check the repository documentation to understand the context better:


🏁 Script executed:

#!/bin/bash
# Check README and CONTRIBUTING for SLSA/goreleaser documentation
echo "=== Checking README.md for SLSA content ==="
rg -i "slsa\|goreleaser" ./README.md -n -C 2 2>/dev/null || echo "No SLSA/goreleaser references in README"

echo ""
echo "=== Checking CONTRIBUTING.md for SLSA content ==="
rg -i "slsa\|goreleaser" ./CONTRIBUTING.md -n -C 2 2>/dev/null || echo "No SLSA/goreleaser references in CONTRIBUTING"

echo ""
echo "=== Check all .github files ==="
find .github -type f \( -name "*.md" -o -name "*.txt" \) 2>/dev/null

echo ""
echo "=== Check if workflow is commented or disabled ==="
head -5 .github/workflows/go-ossf-slsa3-publish.yml
tail -10 .github/workflows/go-ossf-slsa3-publish.yml 2>/dev/null || echo "Unable to read end of file"

echo ""
echo "=== Check git status/history of workflow file (if available) ==="
git log --oneline .github/workflows/go-ossf-slsa3-publish.yml 2>/dev/null | head -5 || echo "Git history not available"

Length of output: 1209


Add .slsa-goreleaser.yml configuration file or document the setup requirement.

Verification confirms the workflow file is newly added and will fail if triggered without the required .slsa-goreleaser.yml file in the repository root. No template or documentation exists to guide users. Either provide a template configuration file, add setup documentation to the repository, or update the workflow comments to clarify the prerequisite more explicitly.

🤖 Prompt for AI Agents
In .github/workflows/go-ossf-slsa3-publish.yml around lines 24 to 26, the
workflow requires a .slsa-goreleaser.yml in the repo root but no template or
documentation is provided; add either (A) a .slsa-goreleaser.yml example file at
the repository root with the minimal required fields (builder config, artifacts,
and signing/attestation stubs) copied from the slsa-github-generator example, or
(B) update the repository README and the workflow comment to clearly document
the prerequisite and link to the upstream example template and required fields;
ensure the workflow comment points to the exact example URL and briefly lists
the minimum keys so users know what to add.
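For reference, a minimal .slsa-goreleaser.yml in the format documented in the slsa-github-generator Go builder README linked from the workflow comment; this is an added illustration, not a file from this PR or the awesome-go project, and the entrypoint path, binary name and target platform are assumed placeholders.

```yaml
# Added example of a .slsa-goreleaser.yml, following the format described in the
# slsa-github-generator Go builder README referenced by the workflow comment.
# Concrete values (entrypoint, binary name, platform) are assumed placeholders.

# Version of this configuration format.
version: 1

# Environment applied during compilation. CGO is disabled so the build does not
# depend on the runner's C toolchain, which keeps the attested build reproducible.
env:
  - GO111MODULE=on
  - CGO_ENABLED=0

# Compiler flags. -trimpath strips runner-local filesystem paths from the binary
# so two builds of the same commit produce the same bytes the provenance describes.
flags:
  - -trimpath
  - -tags=netgo

# Target platform; the builder sets GOOS and GOARCH from these values.
goos: linux
goarch: amd64

# Entrypoint to compile (assumed path; must exist in the repository).
main: ./cmd/example

# Output name; {{ .Os }} and {{ .Arch }} are substituted from goos and goarch.
binary: example-{{ .Os }}-{{ .Arch }}

# Version metadata baked in at link time. The {{ .Env.* }} values are supplied
# by the calling workflow through the builder's evaluated-envs input.
ldflags:
  - "-X main.Version={{ .Env.VERSION }}"
  - "-X main.Commit={{ .Env.COMMIT }}"
```

Committing a file like this at the repository root is what the workflow's prerequisite comment refers to; it only makes sense for a repository that actually builds a Go binary, which the review above notes awesome-go does not.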

      actions: read # To read workflow path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      go-version: 1.17

⚠️ Potential issue | 🟠 Major

Go 1.17 is end-of-life; upgrade to a supported version.

Line 34 specifies Go 1.17, which reached end-of-life in August 2024. Current stable releases are 1.23+. This poses security and compatibility risks.

Apply this diff to use a supported Go version:

-      go-version: 1.17
+      go-version: 1.23
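Review bot: the replacement only swaps one fixed minor pin for another, so `go-version: 1.23` will reach end-of-life on the same schedule that made 1.17 a problem; the comment's own wording ("Current stable releases are 1.23+") points to tracking the repository's supported Go version rather than a one-off bump. The `uses:` line above also pins the builder workflow to a fixed tag, so confirm that the pinned builder accepts the chosen Go version before applying the suggestion.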
🤖 Prompt for AI Agents
.github/workflows/go-ossf-slsa3-publish.yml around line 34: the workflow pins
go-version: 1.17 which is EOL; update the Go version to a supported release
(e.g., 1.23 or the latest stable) by changing the go-version value, and verify
any dependent steps or actions (setup-go/uses, matrix entries, build/test
commands) remain compatible with the newer Go version so the workflow runs
successfully.
