-
Notifications
You must be signed in to change notification settings - Fork 50
119 lines (107 loc) · 3.97 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
name: Verifier releaser
on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4`.
# Run daily as a dry-run/test.
schedule:
- cron: "0 1 * * *"
permissions: read-all
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: slsa-framework/slsa-verifier
# In case daily runs fail, the label for filing the issue
HEADER: release
jobs:
# Generate ldflags dynamically.
args:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- id: checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- id: ldflags
run: |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
builder:
name: builder-${{matrix.os}}-${{matrix.arch}}
needs: [args]
strategy:
matrix:
os:
- linux
- windows
- darwin
arch:
- amd64
- arm64
permissions:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0 # always use a tag @X.Y.Z for for slsa builders, not SHA!
with:
go-version-file: "go.mod"
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
compile-builder: true
evaluated-envs: "VERSION:${{needs.args.outputs.version}}"
verification:
needs: [builder]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
ARTIFACT: ${{ needs.builder.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.builder.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$ARTIFACT"
if-succeed:
needs: [args, builder]
runs-on: ubuntu-latest
# We use `== 'failure'` instead of ` != 'success'` because we want to ignore skipped jobs, if there are any.
if: github.event_name == 'schedule' && needs.args.result != 'failure' && needs.builder.result != 'failure'
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-success.sh
if-failed:
needs: [args, builder]
runs-on: ubuntu-latest
if: always() && github.event_name == 'schedule' && (needs.args.result == 'failure' || needs.builder.result == 'failure')
permissions:
contents: read
issues: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
repository: slsa-framework/example-package
ref: main
- run: ./.github/workflows/scripts/e2e-report-failure.sh