marketplace #48
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: {} | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| outputs: | |
| build-provenance-artifact-name: build-provenance | |
| build-provenance-artifact-id: ${{ steps.upload-build-provenance.outputs.artifact-id }} | |
| sbom-artifact-name: sbom-artifact | |
| sbom-artifact-id: ${{ steps.upload-sbom.outputs.artifact-id }} | |
| sbom-attestations: ${{ steps.upload-sbom.outputs.attestations }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - uses: anchore/sbom-action/download-syft@v0 | |
| - uses: goreleaser/goreleaser-action@v6 | |
| with: | |
| version: '~> v2' | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }} | |
| - uses: actions/upload-artifact@v4 | |
| id: upload-build-provenance | |
| with: | |
| name: build-provenance | |
| path: | | |
| dist/vipdatasync_*/vipdatasync | |
| dist/vipdatasync_*.tar.gz | |
| dist/**/*.sbom.json | |
| - uses: typisttech/upload-goreleaser-sboms-action@v0 | |
| id: upload-sbom | |
| with: | |
| artifact: sbom-artifact | |
| attest-build-provenance: | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| path: dist | |
| name: ${{ needs.release.outputs.build-provenance-artifact-name }} | |
| - uses: actions/attest-build-provenance@v1 | |
| with: | |
| subject-path: | | |
| dist/vipdatasync_*/vipdatasync | |
| dist/vipdatasync_*.tar.gz | |
| dist/**/*.sbom.json | |
| attest-sbom: | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| attestations: write | |
| strategy: | |
| matrix: | |
| attestation: ${{ fromJSON(needs.release.outputs.sbom-attestations) }} | |
| steps: | |
| - uses: actions/download-artifact@v4 | |
| with: | |
| name: ${{ needs.release.outputs.sbom-artifact-name }} | |
| - uses: actions/attest-sbom@v1 | |
| with: | |
| subject-path: ${{ matrix.attestation.subject }} | |
| sbom-path: ${{ matrix.attestation.sbom }} | |
| verify-attestation: | |
| needs: [release, attest-build-provenance, attest-sbom] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - run: gh release download --clobber --dir artifacts --repo $REPO --pattern $PATTERN $TAG | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPO: ${{ github.repository }} | |
| PATTERN: '*' | |
| TAG: ${{ github.ref_name }} | |
| - run: ls | xargs -I {} gh attestation verify --repo $REPO {} | |
| working-directory: artifacts | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPO: ${{ github.repository }} | |
| cleanup-artifact: | |
| needs: [release, verify-attestation] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: write | |
| steps: | |
| - run: > | |
| gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPO: ${{ github.repository }} | |
| ARTIFACT_ID: ${{ needs.release.outputs.build-provenance-artifact-id }} | |
| - run: > | |
| gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| REPO: ${{ github.repository }} | |
| ARTIFACT_ID: ${{ needs.release.outputs.sbom-artifact-id }} |