Skip to content

fromJSON

fromJSON #32

Workflow file for this run

name: Go Release
on:
push:
tags:
- 'v*'
permissions: {}
jobs:
goreleaser:
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
build-artifact: 'attest-goreleaser'
sbom-attestations: ${{ steps.upload-sbom.outputs.attestations }}
sbom-artifact: ${{ steps.upload-sbom.outputs.artifact }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: anchore/sbom-action/download-syft@v0
- uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean --fail-fast --skip=announce,publish
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
- uses: actions/upload-artifact@v4
id: upload-build
with:
name: 'attest-goreleaser'
if-no-files-found: error
compression-level: 0
path: |
dist/vipdatasync_*/vipdatasync
dist/vipdatasync_*.tar.gz
dist/**/*.sbom.json
- uses: typisttech/tmp-attest-goreleaser-sbom-action@main
id: upload-sbom
attest-build:
runs-on: ubuntu-latest
needs: [goreleaser]
permissions:
id-token: write
attestations: write
steps:
- uses: actions/download-artifact@v4
with:
name: ${{ needs.goreleaser.outputs.build-artifact }}
- uses: actions/attest-build-provenance@v1
with:
subject-path: |
vipdatasync_*.checksums.txt
vipdatasync_*/vipdatasync
vipdatasync_*.tar.gz
**/*.sbom.json
attest-sbom:
runs-on: ubuntu-latest
needs: [goreleaser]
permissions:
id-token: write
attestations: write
strategy:
matrix:
attestation: ${{ fromJSON(needs.goreleaser.outputs.sbom-attestations) }}
steps:
- uses: actions/download-artifact@v4
with:
name: ${{ needs.goreleaser.outputs.sbom-artifact }}
- uses: actions/attest-sbom@v1
with:
subject-path: ${{ matrix.attestation.subject }}
sbom-path: ${{ matrix.attestation.sbom }}