feat(ci): add author verification workflow on merge to main (#2925)

migmartri · web-flow · commit d923f28b2749 · 2026-03-23T12:15:13.000+01:00
Signed-off-by: Miguel Martinez Trivino &lt;miguel@chainloop.dev&gt;
diff --git a/.github/workflows/author_verification.yml b/.github/workflows/author_verification.yml
@@ -0,0 +1,49 @@
+name: Author Verification
+
+on:
+  push:
+    branches: ["main"]
+
+permissions: read-all
+
+jobs:
+  verify:
+    name: Verify Author
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # required for SLSA provenance - https://docs.chainloop.dev/guides/slsa/
+    env:
+      CHAINLOOP_WORKFLOW_NAME: "author-verification"
+      CHAINLOOP_PROJECT: "chainloop"
+
+    steps:
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://dl.chainloop.dev/cli/install.sh | bash -s
+
+      - name: Checkout repository
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init --workflow $CHAINLOOP_WORKFLOW_NAME --project $CHAINLOOP_PROJECT
+        env:
+          # Needed for commit signature verification: https://docs.chainloop.dev/concepts/attestations#commit-verification
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Finish and Record Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          chainloop attestation push
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation
diff --git a/.github/workflows/contracts/chainloop-vault-author-verification.yaml b/.github/workflows/contracts/chainloop-vault-author-verification.yaml
@@ -0,0 +1,19 @@
+# Contract for author verification workflow
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: chainloop-vault-author-verification
+  description: Contract for author verification on merge to main
+spec:
+  runner:
+    type: GITHUB_ACTION
+  policies:
+    attestation:
+      - ref: source-commit
+        with:
+          check_signature: "yes"
+          check_author_verified: "yes"
+  policyGroups:
+    - ref: slsa-checks
+      with:
+        runner: GITHUB_ACTION
