2022-04-09 05:59:24 +02:00
|
|
|
name: SLSA go releaser
|
|
|
|
on:
|
|
|
|
workflow_dispatch:
|
2022-04-09 06:52:22 +02:00
|
|
|
push:
|
|
|
|
tags:
|
|
|
|
- "*"
|
2022-04-09 05:59:24 +02:00
|
|
|
|
|
|
|
permissions: read-all
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
# ldflags to embed the commit hash in the binary
|
|
|
|
args:
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
outputs:
|
|
|
|
ldflags: ${{ steps.ldflags.outputs.value }}
|
|
|
|
steps:
|
|
|
|
- id: checkout
|
|
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
|
|
|
|
with:
|
|
|
|
fetch-depth: 0
|
|
|
|
- id: ldflags
|
|
|
|
run: |
|
2022-04-09 07:56:44 +02:00
|
|
|
echo "::set-output name=value::$(./scripts/client-ldflags)"
|
2022-04-09 06:42:19 +02:00
|
|
|
|
2022-04-09 05:59:24 +02:00
|
|
|
# Trusted builder.
|
|
|
|
build:
|
|
|
|
permissions:
|
|
|
|
id-token: write
|
|
|
|
contents: read
|
|
|
|
needs: args
|
2022-05-24 03:27:27 +02:00
|
|
|
uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
|
2022-04-09 05:59:24 +02:00
|
|
|
with:
|
|
|
|
go-version: 1.17
|
|
|
|
env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
|
2022-05-24 03:22:03 +02:00
|
|
|
|
|
|
|
# Sign the binaries (if this is a macos build)
|
|
|
|
macos_signer:
|
|
|
|
runs-on: macos-11.0
|
2022-04-09 05:59:24 +02:00
|
|
|
steps:
|
2022-05-24 03:22:03 +02:00
|
|
|
- uses: actions/checkout@v2
|
|
|
|
- name: Download and sign the latest executables
|
|
|
|
env:
|
|
|
|
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
|
|
|
|
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
run: |
|
2022-05-24 08:25:12 +02:00
|
|
|
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
|
2022-05-24 08:31:57 +02:00
|
|
|
pip3 install requests
|
2022-05-24 08:25:12 +02:00
|
|
|
python3 scripts/actions-sign.py
|
2022-05-24 03:22:03 +02:00
|
|
|
echo $GITHUB_REF
|
2022-05-24 08:25:12 +02:00
|
|
|
export VERSION=${GITHUB_REF##*/}
|
2022-04-09 05:59:24 +02:00
|
|
|
- name: Release
|
2022-05-24 03:22:03 +02:00
|
|
|
uses: softprops/action-gh-release@v1
|
|
|
|
if: startsWith(github.ref, 'refs/tags/')
|
2022-04-09 05:59:24 +02:00
|
|
|
with:
|
|
|
|
files: |
|
2022-05-24 03:22:03 +02:00
|
|
|
hishtory-darwin-arm64-signed.json
|
|
|
|
hishtory-darwin-amd64-signed.json
|
|
|
|
|
2022-05-24 08:26:59 +02:00
|
|
|
# Upload to GitHub release.
|
2022-05-24 08:25:12 +02:00
|
|
|
upload:
|
|
|
|
permissions:
|
|
|
|
contents: write
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
needs:
|
|
|
|
- macos_signer
|
|
|
|
- build
|
|
|
|
steps:
|
|
|
|
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
|
|
|
with:
|
|
|
|
name: ${{ needs.build.outputs.go-binary-name }}
|
|
|
|
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
|
|
|
with:
|
|
|
|
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
|
|
|
- name: Release
|
|
|
|
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
|
|
|
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
|
|
|
|
with:
|
|
|
|
files: |
|
|
|
|
${{ needs.build.outputs.go-binary-name }}
|
|
|
|
${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|