hishtory/.github/workflows/slsa-releaser.yml

225 lines
8.3 KiB
YAML
Raw Normal View History

name: SLSA Client Releaser
2022-04-09 05:59:24 +02:00
on:
workflow_dispatch:
push:
branches: [ master ]
tags:
- "*"
2022-04-09 05:59:24 +02:00
permissions: read-all
jobs:
# ldflags to embed the commit hash in the binary
args:
runs-on: ubuntu-latest
outputs:
ldflags: ${{ steps.ldflags.outputs.value }}
steps:
- id: checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "::set-output name=value::$(./scripts/client-ldflags)"
# Trusted builders
build-linux-amd64:
2022-04-09 05:59:24 +02:00
permissions:
id-token: write
2022-05-28 08:30:49 +02:00
contents: write
actions: read
2022-04-09 05:59:24 +02:00
needs: args
2022-10-31 22:19:26 +01:00
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
2022-04-09 05:59:24 +02:00
with:
config-file: .github/slsa/.slsa-goreleaser-linux-amd64.yml
go-version: 1.21
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
2022-12-12 05:39:45 +01:00
build-linux-arm64:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-linux-arm64.yml
go-version: 1.21
2022-12-12 05:39:45 +01:00
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-linux-arm7:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-linux-arm7.yml
go-version: 1.21
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-freebsd-amd64:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-freebsd-amd64.yml
go-version: 1.21
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
2023-09-20 03:54:04 +02:00
build-netbsd-amd64:
permissions:
id-token: write
contents: write
actions: read
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-netbsd-amd64.yml
go-version: 1.21
2023-09-20 03:54:04 +02:00
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-darwin-amd64:
permissions:
id-token: write
contents: write
actions: read
2022-05-28 18:34:53 +02:00
needs:
- args
2022-10-31 22:04:01 +01:00
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-darwin-amd64.yml
go-version: 1.21
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
2022-10-02 00:14:51 +02:00
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-darwin-arm64:
permissions:
id-token: write
contents: write
actions: read
2022-05-28 18:34:53 +02:00
needs:
- args
2022-10-31 22:04:01 +01:00
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
with:
config-file: .github/slsa/.slsa-goreleaser-darwin-arm64.yml
go-version: 1.21
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
2022-10-02 00:14:51 +02:00
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
# Sign the binaries and upload the signed binaries
macos_signer:
runs-on: macos-11.0
needs:
- build-darwin-amd64
- build-darwin-arm64
permissions:
contents: write
2022-04-09 05:59:24 +02:00
steps:
- uses: actions/checkout@v2
- name: Download and sign the latest executables
env:
GH_TOKEN: ${{ github.token }}
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
2022-05-24 08:25:12 +02:00
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
gh run download -n hishtory-darwin-amd64
gh run download -n hishtory-darwin-arm64
brew install md5sha1sum
2022-05-24 08:25:12 +02:00
python3 scripts/actions-sign.py
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: hishtory-darwin-arm64
path: hishtory-darwin-arm64
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: hishtory-darwin-amd64
path: hishtory-darwin-amd64
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: hishtory-darwin-arm64-unsigned
path: hishtory-darwin-arm64-unsigned
- name: Upload Artifacts
uses: actions/upload-artifact@v3
with:
name: hishtory-darwin-amd64-unsigned
path: hishtory-darwin-amd64-unsigned
2022-04-09 05:59:24 +02:00
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
2022-04-09 05:59:24 +02:00
with:
files: |
2022-05-25 07:26:24 +02:00
hishtory-darwin-arm64
hishtory-darwin-arm64-unsigned
2022-05-25 07:26:24 +02:00
hishtory-darwin-amd64
hishtory-darwin-amd64-unsigned
2022-05-28 07:48:13 +02:00
- name: Trigger the backend API service so it knows a release is finished
run: |
curl https://api.hishtory.dev/api/v1/trigger-cron
# Validate the signed binaries
validate:
2022-05-24 08:25:12 +02:00
permissions:
contents: read
runs-on: macos-latest
2022-05-24 08:25:12 +02:00
needs:
- build-linux-amd64
- build-darwin-amd64
- build-darwin-arm64
- macos_signer
2022-05-24 08:25:12 +02:00
steps:
2023-11-04 17:51:58 +01:00
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.21
2022-05-24 08:25:12 +02:00
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-amd64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-amd64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-arm64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-arm64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-amd64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-amd64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-amd64-unsigned
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-arm64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-arm64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-arm64-unsigned
- name: Validate Release
run: |
go build; ./hishtory install
2023-11-05 21:42:00 +01:00
# Validate SLSA attestations
./hishtory validate-binary hishtory-linux-amd64 hishtory-linux-amd64.intoto.jsonl
./hishtory validate-binary hishtory-linux-arm64 hishtory-linux-arm64.intoto.jsonl
./hishtory validate-binary hishtory-darwin-amd64 hishtory-darwin-amd64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-amd64-unsigned
./hishtory validate-binary hishtory-darwin-arm64 hishtory-darwin-arm64.intoto.jsonl --is_macos=True --macos_unsigned_binary=hishtory-darwin-arm64-unsigned
2023-11-05 21:42:00 +01:00
# Validate MacOS signatures
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-amd64
python3 scripts/actions-validate-macos-signature.py hishtory-darwin-arm64
# TODO: Run validation using hishtory built at HEAD too