Skip to content

Backport GHSA-vfp6-jrw2-99g9 #7480

Backport GHSA-vfp6-jrw2-99g9

Backport GHSA-vfp6-jrw2-99g9 #7480

Workflow file for this run

on:
push:
paths:
- '**'
- '!**.md'
- '!doc/**'
- '!**.txt'
- '!images/**'
- '!LICENSE'
- 'test/**'
branches:
- main
- release-*
- 1.0-fork
pull_request:
permissions: read-all
name: Cross
jobs:
build:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-latest, ubuntu-latest, windows-latest]
include:
- os: macos-latest
COSIGN_TARGET: cosign-darwin-amd64
SGET_TARGET: sget-darwin-amd64
COSIGN_PASSWORD: COSIGN_PASSWORD
- os: ubuntu-latest
COSIGN_TARGET: cosign-linux-amd64
SGET_TARGET: sget-linux-amd64
COSIGN_PASSWORD: COSIGN_PASSWORD
- os: windows-latest
COSIGN_TARGET: cosign-windows-amd64.exe
SGET_TARGET: sget-windows-amd64.exe
COSIGN_PASSWORD: COSIGN_PASSWORD
steps:
- name: Install Go
uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f # v2.2.0
with:
go-version: '1.19'
check-latest: true
- name: Checkout code
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v2.4.0
- name: build cosign
run: |
make cosign && mv ./cosign ./${{matrix.COSIGN_TARGET}}
make sget && mv ./sget ./${{matrix.SGET_TARGET}}
- name: Create checksum file
shell: pwsh
run: |
$hash=Get-FileHash -Path ./${{matrix.COSIGN_TARGET}}
Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.COSIGN_TARGET}}.sha256
$hash=Get-FileHash -Path ./${{matrix.SGET_TARGET}}
Write-Output $($hash.Hash + " " + $(([io.fileinfo]$hash.path).basename)) | Tee-Object -Path ${{matrix.SGET_TARGET}}.sha256
- name: sign
shell: bash
env:
COSIGN_PASSWORD: ${{secrets[matrix.COSIGN_PASSWORD]}}
if: github.event_name != 'pull_request'
run: |
./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign-test.key ./${{matrix.COSIGN_TARGET}} > ${{matrix.COSIGN_TARGET}}.sig
./${{matrix.COSIGN_TARGET}} sign-blob --key ./.github/workflows/cosign-test.key ./${{matrix.SGET_TARGET}} > ${{matrix.SGET_TARGET}}.sig
- name: verify
if: github.event_name != 'pull_request'
run: |
./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.COSIGN_TARGET}}.sig ./${{matrix.COSIGN_TARGET}}
./${{matrix.COSIGN_TARGET}} verify-blob --key ./.github/workflows/cosign-test.pub --signature ${{matrix.SGET_TARGET}}.sig ./${{matrix.SGET_TARGET}}
- name: Upload artifacts
if: github.event_name != 'pull_request'
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v2.3.1
with:
name: artifacts
path: |
cosign-*
cosign.-*sha256
cosign-*.sig
sget-*
sget.-*sha256
sget-*.sig