ci: Run this workflow on tag push again. #852
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| # Test that this workflow works on every pull_request or merge group; | |
| # goreleaser is put into snapshot mode when not on a tag | |
| pull_request: | |
| merge_group: | |
| # Run when a tag is pushed. | |
| push: | |
| tags: | |
| - v* | |
| # Run when a ref is created, i.e. after the tag-release workflow. | |
| # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#create | |
| create: | |
| env: | |
| REGISTRY: ghcr.io | |
| jobs: | |
| goreleaser: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # goreleaser uploads artifacts to the releases api | |
| contents: write | |
| # goreleaser uploads images to container registry | |
| packages: write | |
| env: | |
| flags: "" | |
| outputs: | |
| binary_hashes: ${{ steps.binary.outputs.hashes }} | |
| image_subjects: ${{ steps.image.outputs.subjects }} | |
| steps: | |
| - if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| run: echo "flags=--snapshot" >> $GITHUB_ENV | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: git fetch --force --tags | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - uses: docker/login-action@v3.2.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: goreleaser/goreleaser-action@v5 | |
| id: goreleaser | |
| with: | |
| version: latest | |
| args: release --clean ${{ env.flags }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: generate hashes for binary artifacts | |
| id: binary | |
| env: | |
| ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -exuo pipefail | |
| checksum_file=$(echo "${ARTIFACTS}" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| - name: generate digest for container image | |
| id: image | |
| env: | |
| ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -exuo pipefail | |
| image_list=$(echo -e "${ARTIFACTS}" | jq -r '.[] | select(.type=="Docker Manifest") | {"image": (.name | sub("^.*?/"; "") | sub(":(.*)"; "")), "digest": .extra.Digest}') | |
| echo "subjects=$(echo $image_list | jq -c -s 'unique_by(.digest) | {"include": .}')" >> "$GITHUB_OUTPUT" | |
| binary-provenance: | |
| needs: [goreleaser] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 | |
| with: | |
| base64-subjects: "${{ needs.goreleaser.outputs.binary_hashes }}" | |
| upload-assets: true # upload to a new release | |
| binary-verify: | |
| needs: [goreleaser, binary-provenance] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 | |
| - name: download assets | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| set -exuo pipefail | |
| gh release download "${GITHUB_REF_NAME}" --repo "${GITHUB_REPOSITORY}" | |
| - name: verify assets | |
| env: | |
| CHECKSUMS: ${{ needs.goreleaser.outputs.binary_hashes }} | |
| PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}" | |
| run: | | |
| set -exuo pipefail | |
| echo "$CHECKSUMS" | base64 -d | while read -r line; do | |
| fn=$(echo $line | cut -d ' ' -f2) | |
| echo "Verifying $fn" | |
| slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ | |
| --source-uri "github.com/$GITHUB_REPOSITORY" \ | |
| --source-tag "$GITHUB_REF_NAME" \ | |
| "$fn" | |
| done | |
| image-provenance: | |
| needs: [goreleaser] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| matrix: ${{ fromJSON(needs.goreleaser.outputs.image_subjects) }} | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| with: | |
| image: ghcr.io/${{ matrix.image }} | |
| digest: ${{ matrix.digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| image-verify: | |
| needs: [goreleaser, image-provenance] | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| strategy: | |
| matrix: ${{ fromJSON(needs.goreleaser.outputs.image_subjects) }} | |
| steps: | |
| - uses: docker/login-action@v3.2.0 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: sigstore/cosign-installer@v3.5.0 | |
| - name: verify image | |
| env: | |
| IMAGE: ${{ matrix.image }} | |
| DIGEST: ${{ matrix.digest }} | |
| run: | | |
| cosign verify-attestation \ | |
| --type slsaprovenance \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \ | |
| ${REGISTRY}/${IMAGE}@${DIGEST} |