2022-04-09 05:59:24 +02:00
|
|
|
name: SLSA go releaser
|
|
|
|
|
on:
|
|
|
|
|
workflow_dispatch:
|
2022-04-09 06:52:22 +02:00
|
|
|
push:
|
|
|
|
|
tags:
|
|
|
|
|
- "*"
|
2022-04-09 05:59:24 +02:00
|
|
|
|
|
|
|
|
permissions: read-all
|
|
|
|
|
|
|
|
|
|
jobs:
|
|
|
|
|
# ldflags to embed the commit hash in the binary
|
|
|
|
|
args:
|
|
|
|
|
runs-on: ubuntu-latest
|
|
|
|
|
outputs:
|
|
|
|
|
ldflags: ${{ steps.ldflags.outputs.value }}
|
|
|
|
|
steps:
|
|
|
|
|
- id: checkout
|
|
|
|
|
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
|
|
|
|
|
with:
|
|
|
|
|
fetch-depth: 0
|
|
|
|
|
- id: ldflags
|
|
|
|
|
run: |
|
2022-04-09 07:56:44 +02:00
|
|
|
echo "::set-output name=value::$(./scripts/client-ldflags)"
|
2022-04-09 06:42:19 +02:00
|
|
|
|
2022-04-09 05:59:24 +02:00
|
|
|
# Trusted builder.
|
|
|
|
|
build:
|
|
|
|
|
permissions:
|
|
|
|
|
id-token: write
|
|
|
|
|
contents: read
|
|
|
|
|
needs: args
|
2022-05-24 03:27:27 +02:00
|
|
|
uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
|
2022-04-09 05:59:24 +02:00
|
|
|
with:
|
|
|
|
|
go-version: 1.17
|
|
|
|
|
env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
|
2022-05-24 03:22:03 +02:00
|
|
|
|
|
|
|
|
# Sign the binaries (if this is a macos build)
|
|
|
|
|
macos_signer:
|
|
|
|
|
runs-on: macos-11.0
|
2022-04-09 05:59:24 +02:00
|
|
|
steps:
|
2022-05-24 03:22:03 +02:00
|
|
|
- uses: actions/checkout@v2
|
|
|
|
|
- name: Download and sign the latest executables
|
|
|
|
|
env:
|
|
|
|
|
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
|
|
|
|
|
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
|
|
|
|
|
run: |
|
|
|
|
|
echo $GITHUB_REF
|
|
|
|
|
|
|
|
|
|
# brew install md5sha1sum
|
|
|
|
|
# export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
|
|
|
|
|
# if [ $TAG_NAME == "null" ]; then
|
|
|
|
|
# echo "TAG_NAME is null, this shouldn't happen!"
|
|
|
|
|
# curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
|
|
|
|
|
# exit 1
|
|
|
|
|
# fi
|
|
|
|
|
# echo "Signing binaries for $TAG_NAME"
|
|
|
|
|
# curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
|
|
|
|
|
# curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
|
|
|
|
|
# echo "Signing the binaries:"
|
|
|
|
|
# file hishtory-*
|
|
|
|
|
# sha1sum hishtory-*
|
|
|
|
|
# if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
|
|
|
|
|
# echo "hishtory-darwin-arm64 is ASCII text???"
|
|
|
|
|
# cat hishtory-darwin-arm64
|
|
|
|
|
# exit 1
|
|
|
|
|
# fi
|
|
|
|
|
# if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
|
|
|
|
|
# echo "hishtory-darwin-amd64 is ASCII text???"
|
|
|
|
|
# cat hishtory-darwin-amd64
|
|
|
|
|
# exit 1
|
|
|
|
|
# fi
|
|
|
|
|
|
|
|
|
|
# echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
|
|
|
|
|
# security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
|
|
|
|
# security default-keychain -s build.keychain
|
|
|
|
|
# security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
|
|
|
|
|
# security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
|
|
|
|
|
# security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
|
|
|
|
|
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
|
|
|
|
|
# /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
|
|
|
|
|
# echo "Signed the binaries:"
|
|
|
|
|
# sha1sum hishtory-*
|
|
|
|
|
# # Move them to the released filenames
|
|
|
|
|
# cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
|
|
|
|
|
# cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
|
2022-04-09 05:59:24 +02:00
|
|
|
- name: Release
|
2022-05-24 03:22:03 +02:00
|
|
|
uses: softprops/action-gh-release@v1
|
|
|
|
|
if: startsWith(github.ref, 'refs/tags/')
|
2022-04-09 05:59:24 +02:00
|
|
|
with:
|
|
|
|
|
files: |
|
2022-05-24 03:22:03 +02:00
|
|
|
hishtory-darwin-arm64-signed.json
|
|
|
|
|
hishtory-darwin-amd64-signed.json
|
|
|
|
|
|
|
|
|
|
# Upload to GitHub release.
|
|
|
|
|
# upload:
|
|
|
|
|
# permissions:
|
|
|
|
|
# contents: write
|
|
|
|
|
# runs-on: ubuntu-latest
|
|
|
|
|
# needs:
|
|
|
|
|
# - macos_signer
|
|
|
|
|
# - build
|
|
|
|
|
# steps:
|
|
|
|
|
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
|
|
|
|
# with:
|
|
|
|
|
# name: ${{ needs.macos_signer.outputs.go-binary-name }}
|
|
|
|
|
# - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
|
|
|
|
|
# with:
|
|
|
|
|
# name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
|
|
|
|
# - name: Release
|
|
|
|
|
# uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
|
|
|
|
|
# if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
|
|
|
|
|
# with:
|
|
|
|
|
# files: |
|
|
|
|
|
# ${{ needs.macos_signer.outputs.go-binary-name }}
|
|
|
|
|
# ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
|
