Skip to content

ci: Don't run lint on tags as releases are too late for that. #45

ci: Don't run lint on tags as releases are too late for that.

ci: Don't run lint on tags as releases are too late for that. #45

Workflow file for this run

name: release
on:
# Test that this workflow works on every pull_request or merge group;
# goreleaser is put into snapshot mode when not on a tag
pull_request:
merge_group:
push: # testing, unless there's a tag (steps.0.if below)
env:
REGISTRY: ghcr.io
jobs:
goreleaser:
runs-on: ubuntu-latest
permissions:
# goreleaser uploads artifacts to the releases api
contents: write
# goreleaser uploads images to container registry
packages: write
env:
flags: ""
outputs:
binary_hashes: ${{ steps.binary.outputs.hashes }}
image_subjects: ${{ steps.image.outputs.subjects }}
steps:
- name: print github context
env:
GITHUB_CONTEXT: ${{ toJSON(github) }}
run: echo $GITHUB_CONTEXT
- if: ${{ !startsWith(github.ref, 'refs/tags/') }}
run: echo "flags=--snapshot" >> $GITHUB_ENV
- uses: actions/checkout@v4
with:
fetch-depth: 0
- run: git fetch --force --tags
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- uses: docker/login-action@v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: goreleaser/goreleaser-action@v6
id: goreleaser
with:
version: latest
args: release --clean ${{ env.flags }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: generate hashes for binary artifacts
id: binary
env:
ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
run: |
set -exuo pipefail
checksum_file=$(echo "${ARTIFACTS}" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "${GITHUB_OUTPUT}"
- name: generate digest for container image
id: image
env:
ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
run: |
set -exuo pipefail
image_list=$(echo -e "${ARTIFACTS}" | jq -r '.[] | select(.type=="Docker Manifest") | {"image": (.name | sub("^.*?/"; "") | sub(":(.*)"; "")), "digest": .extra.Digest}')
echo "subjects=$(echo $image_list | jq -c -s 'unique_by(.digest) | {"include": .}')" >> "$GITHUB_OUTPUT"
binary-provenance:
needs: [goreleaser]
if: ${{ startsWith(github.ref, 'refs/tags/') }}
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.binary_hashes }}"
upload-assets: true # upload to a new release
binary-verify:
needs: [goreleaser, binary-provenance]
if: ${{ startsWith(github.ref, 'refs/tags/') }}
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: slsa-framework/slsa-verifier/actions/installer@v2.6.0
- name: download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -exuo pipefail
gh release download "${GITHUB_REF_NAME}" --repo "${GITHUB_REPOSITORY}"
- name: verify assets
env:
CHECKSUMS: ${{ needs.goreleaser.outputs.binary_hashes }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -exuo pipefail
echo "$CHECKSUMS" | base64 -d | while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done
image-provenance:
needs: [goreleaser]
if: ${{ startsWith(github.ref, 'refs/tags/') }}
permissions:
actions: read
id-token: write
packages: write
strategy:
matrix: ${{ fromJSON(needs.goreleaser.outputs.image_subjects) }}
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ghcr.io/${{ matrix.image }}
digest: ${{ matrix.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
image-verify:
needs: [goreleaser, image-provenance]
if: ${{ startsWith(github.ref, 'refs/tags/') }}
runs-on: ubuntu-latest
permissions:
contents: read
strategy:
matrix: ${{ fromJSON(needs.goreleaser.outputs.image_subjects) }}
steps:
- uses: docker/login-action@v3.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: sigstore/cosign-installer@v3.7.0
- name: verify image
env:
IMAGE: ${{ matrix.image }}
DIGEST: ${{ matrix.digest }}
run: |
cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
${REGISTRY}/${IMAGE}@${DIGEST}