From 40933e21a1f81820c810524bc9d1c620ddaf9e98 Mon Sep 17 00:00:00 2001 From: Niels Hofmans Date: Tue, 28 Jan 2025 13:50:23 +0100 Subject: [PATCH] fix: release --- .github/workflows/release.yml | 91 ++++++++++++++++++++++++++--------- 1 file changed, 67 insertions(+), 24 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 335c960..cbaf5a9 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,44 +2,66 @@ name: release on: push: - branches: - - master - - main + branches: [main, master] jobs: - - tag: - runs-on: ubuntu-latest - steps: - - - uses: actions/checkout@v4 - - - uses: go-semantic-release/action@v1 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - goreleaser: runs-on: ubuntu-latest - needs: tag + + outputs: + hashes: ${{ steps.hashes.outputs.hashes }} + version: ${{ steps.semrel.outputs.version }} + + permissions: + contents: write + packages: write + steps: - name: Checkout uses: actions/checkout@v4 + with: + fetch-depth: 0 - - name: Unshallow - run: git fetch --prune --unshallow - - - id: versions + id: vars run: | - echo ::set-output name=go::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) - echo "Using Go version ${{ steps.versions.outputs.go }}" + goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) + echo "go_version=${goVersion}" >> $GITHUB_OUTPUT + echo "Using Go version ${goVersion}" - name: Set up Go uses: actions/setup-go@v5 with: - go-version: ${{ steps.versions.outputs.go }} + go-version: ${{ steps.vars.outputs.go_version }} - - name: Login to GitHub Container Registry + name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots + uses: aquasecurity/trivy-action@master + with: + scan-type: 'fs' + format: 'github' + output: 'dependency-results.sbom.json' + image-ref: '.' + github-pat: ${{ secrets.GH_PRIVATEREPO_TOKEN }} + - + name: Remove SBOM result + run: | + rm dependency-results.sbom.json + - + name: Install syft + run: | + curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + - + name: Create release tag + uses: go-semantic-release/action@v1 + id: semrel + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + - + run: git fetch -a + if: steps.semrel.outputs.version != '' + - + name: Login to GitHub Docker registry + if: steps.semrel.outputs.version != '' uses: docker/login-action@v3 with: registry: ghcr.io @@ -47,9 +69,30 @@ jobs: password: ${{ secrets.GITHUB_TOKEN }} - name: Release - uses: goreleaser/goreleaser-action@v6 + uses: goreleaser/goreleaser-action@v6.1.0 + if: steps.semrel.outputs.version != '' with: version: latest args: release --config=.github/goreleaser.yml --clean env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - + name: Generate dist hashes + id: hashes + if: steps.semrel.outputs.version != '' + env: + ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" + run: | + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT + + provenance: + needs: [goreleaser] + if: needs.goreleaser.outputs.hashes != '' + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"