hishtory/.github/workflows/slsa-releaser.yml

85 lines
2.5 KiB
YAML
Raw Normal View History

2022-04-09 05:59:24 +02:00
name: SLSA go releaser
on:
workflow_dispatch:
push:
tags:
- "*"
2022-04-09 05:59:24 +02:00
permissions: read-all
jobs:
# ldflags to embed the commit hash in the binary
args:
runs-on: ubuntu-latest
outputs:
ldflags: ${{ steps.ldflags.outputs.value }}
steps:
- id: checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "::set-output name=value::$(./scripts/client-ldflags)"
2022-04-09 05:59:24 +02:00
# Trusted builder.
build:
permissions:
id-token: write
contents: read
needs: args
2022-05-24 03:27:27 +02:00
uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
2022-04-09 05:59:24 +02:00
with:
go-version: 1.17
env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
# Sign the binaries (if this is a macos build)
macos_signer:
runs-on: macos-11.0
needs:
- upload
permissions:
contents: write
2022-04-09 05:59:24 +02:00
steps:
- uses: actions/checkout@v2
- name: Download and sign the latest executables
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
2022-05-24 08:25:12 +02:00
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
2022-05-24 08:31:57 +02:00
pip3 install requests
brew install md5sha1sum
2022-05-24 08:25:12 +02:00
python3 scripts/actions-sign.py
2022-04-09 05:59:24 +02:00
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
2022-04-09 05:59:24 +02:00
with:
# TODO: stop releasing the unsigned files
2022-04-09 05:59:24 +02:00
files: |
2022-05-25 07:26:24 +02:00
hishtory-darwin-arm64
hishtory-darwin-arm64-unsigned
2022-05-25 07:26:24 +02:00
hishtory-darwin-amd64
2022-05-24 08:26:59 +02:00
# Upload to GitHub release.
2022-05-24 08:25:12 +02:00
upload:
permissions:
contents: write
runs-on: ubuntu-latest
needs:
- build
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
with:
files: |
${{ needs.build.outputs.go-binary-name }}
${{ needs.build.outputs.go-binary-name }}.intoto.jsonl