-
-
Notifications
You must be signed in to change notification settings - Fork 0
118 lines (111 loc) · 3.71 KB
/
go-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
name: Release
on:
push:
tags:
- 'v*'
permissions: {}
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
build-provenance-artifact-name: build-provenance
build-provenance-artifact-id: ${{ steps.upload-build-provenance.outputs.artifact-id }}
sbom-artifact-name: sbom-artifact
sbom-artifact-id: ${{ steps.upload-sbom.outputs.artifact-id }}
sbom-attestations: ${{ steps.upload-sbom.outputs.attestations }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: anchore/sbom-action/download-syft@v0
- uses: goreleaser/goreleaser-action@v6
with:
version: '~> v2'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAP_GITHUB_TOKEN: ${{ secrets.TAP_GITHUB_TOKEN }}
- uses: actions/upload-artifact@v4
id: upload-build-provenance
with:
name: build-provenance
path: |
dist/vipdatasync_*/vipdatasync
dist/vipdatasync_*.tar.gz
dist/**/*.sbom.json
- uses: typisttech/upload-goreleaser-sboms-action@v0
id: upload-sbom
with:
artifact: sbom-artifact
attest-build-provenance:
needs: [release]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
steps:
- uses: actions/download-artifact@v4
with:
path: dist
name: ${{ needs.release.outputs.build-provenance-artifact-name }}
- uses: actions/attest-build-provenance@v1
with:
subject-path: |
dist/vipdatasync_*/vipdatasync
dist/vipdatasync_*.tar.gz
dist/**/*.sbom.json
attest-sbom:
needs: [release]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
strategy:
matrix:
attestation: ${{ fromJSON(needs.release.outputs.sbom-attestations) }}
steps:
- uses: actions/download-artifact@v4
with:
name: ${{ needs.release.outputs.sbom-artifact-name }}
- uses: actions/attest-sbom@v1
with:
subject-path: ${{ matrix.attestation.subject }}
sbom-path: ${{ matrix.attestation.sbom }}
verify-attestation:
needs: [release, attest-build-provenance, attest-sbom]
runs-on: ubuntu-latest
steps:
- run: gh release download --clobber --dir artifacts --repo $REPO --pattern $PATTERN $TAG
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
PATTERN: '*'
TAG: ${{ github.ref_name }}
- run: ls | xargs -I {} gh attestation verify --repo $REPO {}
working-directory: artifacts
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
cleanup-artifact:
needs: [release, verify-attestation]
runs-on: ubuntu-latest
permissions:
actions: write
steps:
- run: >
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
ARTIFACT_ID: ${{ needs.release.outputs.build-provenance-artifact-id }}
- run: >
gh api --method DELETE -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/$REPO/actions/artifacts/$ARTIFACT_ID
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
REPO: ${{ github.repository }}
ARTIFACT_ID: ${{ needs.release.outputs.sbom-artifact-id }}