ci: generate provenance and sbom for release binaries

Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>

hack/release

@@ -2,27 +2,56 @@
 
 set -eu -o pipefail
 
+: "${GITHUB_ACTIONS=}"
+: "${GITHUB_REPOSITORY=}"
+: "${GITHUB_RUN_ID=}"
+
 : "${BUILDX_CMD=docker buildx}"
 : "${DESTDIR=./bin/release}"
 : "${CACHE_FROM=}"
 : "${CACHE_TO=}"
+: "${PLATFORMS=}"
 
 if [ -n "$CACHE_FROM" ]; then
   for cfrom in $CACHE_FROM; do
-    cacheFlags+=(--set "*.cache-from=$cfrom")
+    setFlags+=(--set "*.cache-from=$cfrom")
   done
 fi
 if [ -n "$CACHE_TO" ]; then
   for cto in $CACHE_TO; do
-    cacheFlags+=(--set "*.cache-to=$cto")
+    setFlags+=(--set "*.cache-to=$cto")
   done
 fi
+if [ -n "$PLATFORMS" ]; then
+  setFlags+=(--set "*.platform=$PLATFORMS")
+fi
+if ${BUILDX_CMD} build --help 2>&1 | grep -- '--attest' >/dev/null; then
+  prvattrs="mode=max"
+  if [ "$GITHUB_ACTIONS" = "true" ]; then
+    prvattrs="$prvattrs,builder-id=https://github.com/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}"
+  fi
+  setFlags+=(--set "*.attest=type=sbom")
+  setFlags+=(--set "*.attest=type=provenance,$prvattrs")
+fi
 
-# release
-(set -x ; ${BUILDX_CMD} bake "${cacheFlags[@]}" --set "*.output=$DESTDIR" release)
+output=$(mktemp -d -t buildx-output.XXXXXXXXXX)
 
-# wrap binaries
-mv -f ./${DESTDIR}/**/* ./${DESTDIR}/
-find ./${DESTDIR} -type d -empty -delete
+(
+  set -x
+  ${BUILDX_CMD} bake "${setFlags[@]}" --set "*.args.BUILDKIT_MULTI_PLATFORM=true" --set "*.output=$output" release
+)
 
-source ./hack/hash-files
+for pdir in "${output}"/*/; do
+  (
+    cd "$pdir"
+    binname=$(find . -name 'buildx-*')
+    filename=$(basename "${binname%.exe}")
+    mv "provenance.json" "${filename}.provenance.json"
+    mv "sbom-binaries.spdx.json" "${filename}.sbom.json"
+    find . -name 'sbom*.json' -exec rm {} \;
+  )
+done
+
+mkdir -p "$DESTDIR"
+mv "$output"/**/* "$DESTDIR/"
+rm -rf "$output"