{% raw %} # # Copyright 2022 The GUAC Authors. # Copyright 2024 The Skootrs Authors. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. name: release on: workflow_dispatch: # testing only, trigger manually to test it works push: branches: - main tags: - "v*" permissions: actions: read # for detecting the Github Actions environment. contents: read jobs: goreleaser: permissions: contents: write # To upload assets to release. packages: write # To publish container images to GHCR id-token: write # needed for signing the images with GitHub OIDC Token runs-on: ubuntu-latest outputs: hashes: ${{ steps.hash.outputs.hashes }} image: ${{ steps.hash.outputs.image }} digest: ${{ steps.hash.outputs.digest }} steps: - name: Checkout uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 with: fetch-depth: 0 - name: Login to GitHub Container Registry uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set up Go uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 with: go-version: "1.21" - name: Install cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main - name: Install trivy run: | curl -LO https://github.com/aquasecurity/trivy/releases/download/v0.50.1/trivy_0.50.1_Linux-64bit.deb sudo dpkg -i trivy_0.50.1_Linux-64bit.deb rm trivy_0.50.1_Linux-64bit.deb - name: Run GoReleaser Snapshot if: ${{ !startsWith(github.ref, 'refs/tags/') }} id: run-goreleaser-snapshot uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: distribution: goreleaser version: latest args: release --clean --snapshot --skip=sign env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag DOCKER_CONTEXT: default - name: Run GoReleaser Release if: startsWith(github.ref, 'refs/tags/') id: run-goreleaser-release uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 with: distribution: goreleaser version: latest # use .goreleaser-nightly.yaml for nightly build; otherwise use the default args: ${{ contains( github.ref, 'nightly' ) && 'release --clean -f .goreleaser-nightly.yaml' || 'release --clean' }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} DOCKER_CONTEXT: default - name: Generate hashes and extract image digest id: hash if: startsWith(github.ref, 'refs/tags/') env: ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}" run: | set -euo pipefail hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) if test "$hashes" = ""; then # goreleaser < v1.13.0 checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') hashes=$(cat $checksum_file | base64 -w0) fi echo "hashes=$hashes" >> $GITHUB_OUTPUT image=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).name | split(":")[0]') echo "image=$image" >> $GITHUB_OUTPUT digest=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).extra.Digest') echo "digest=$digest" >> $GITHUB_OUTPUT sbom-container: # generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations permissions: id-token: write packages: write name: generate sbom for container runs-on: ubuntu-latest needs: [goreleaser] if: startsWith(github.ref, 'refs/tags/') steps: - name: Checkout code uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v3 - name: Login to GitHub Container Registry uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Run Trivy in fs mode to generate SBOM uses: aquasecurity/trivy-action@207cd40078971bb7a078f8504c2061f908569449 # master with: scan-type: "fs" format: "spdx-json" output: "spdx.sbom.json" - name: Install cosign uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main - name: Sign image and sbom run: | #!/usr/bin/env bash set -euo pipefail cosign attest --predicate spdx.sbom.json ${IMAGE_URI_DIGEST} --yes shell: bash env: IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }} provenance-bins: permissions: id-token: write actions: read contents: write packages: write name: generate provenance for binaries needs: [goreleaser] if: startsWith(github.ref, 'refs/tags/') uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 # must use semver here with: base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" upload-assets: true provenance-container: name: generate provenance for container permissions: id-token: write actions: read contents: write packages: write needs: [goreleaser] if: startsWith(github.ref, 'refs/tags/') uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 # must use semver here with: image: ${{ needs.goreleaser.outputs.image }} digest: ${{ needs.goreleaser.outputs.digest }} registry-username: ${{ github.actor }} secrets: registry-password: ${{ secrets.GITHUB_TOKEN }} {% endraw %}