From ff37570d742f8388a3bb4c09ea8c799f10d54017 Mon Sep 17 00:00:00 2001
From: David Dworken
Date: Fri, 8 Apr 2022 20:59:24 -0700
Subject: [PATCH] Added SLSA builder
---
 .github/workflows/slsa-goreleaser.yml | 53 +++++++++++++++++++++++++++
 .slsa-goreleaser.yml | 12 ++++++
 2 files changed, 65 insertions(+)
 create mode 100644 .github/workflows/slsa-goreleaser.yml
 create mode 100644 .slsa-goreleaser.yml
diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
new file mode 100644
index 0000000..c1cd8f3
--- /dev/null
+++ b/.github/workflows/slsa-goreleaser.yml
@@ -0,0 +1,53 @@
+name: SLSA go releaser
+on:
+ workflow_dispatch:
+ push:
+ tags:
+ - "*"
+
+permissions: read-all
+
+jobs:
+ # ldflags to embed the commit hash in the binary
+ args:
+ runs-on: ubuntu-latest
+ outputs:
+ ldflags: ${{ steps.ldflags.outputs.value }}
+ steps:
+ - id: checkout
+ uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
+ with:
+ fetch-depth: 0
+ - id: ldflags
+ run: |
+ echo "::set-output name=value::$(./scripts/version-ldflags)"
+ # Trusted builder.
+ build:
+ permissions:
+ id-token: write
+ contents: read
+ needs: args
+ uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@main # TODO: use hash upon release.
+ with:
+ go-version: 1.17
+ env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
+ # Upload to GitHub release.
+ upload:
+ permissions:
+ contents: write
+ runs-on: ubuntu-latest
+ needs: build
+ steps:
+ - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ with:
+ name: ${{ needs.build.outputs.go-binary-name }}
+ - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
+ with:
+ name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
+ - name: Release
+ uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
+ if: startsWith(github.ref, 'refs/tags/')
+ with:
+ files: |
+ ${{ needs.build.outputs.go-binary-name }}
+ ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml
new file mode 100644
index 0000000..298d0e8
--- /dev/null
+++ b/.slsa-goreleaser.yml
@@ -0,0 +1,12 @@
+version: 1
+
+flags:
+ - -trimpath
+
+goos: linux
+goarch: amd64
+
+binary: hishtory-{{ .OS }}-{{ .Arch }}
+
+ldflags:
+ - '{{ .Env.VERSION_LDFLAGS }}'
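Review bot: The trusted builder on the `uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@main` line is the one dependency this workflow cannot afford to leave on a mutable ref, since it is the component that compiles the binary and produces the provenance the rest of the pipeline uploads; every other action in the hunk is pinned to a commit SHA, and the inline TODO already acknowledges the gap. Until upstream publishes a release, pinning to the full commit hash of the builder revision that was tested keeps the build deterministic and auditable, e.g. `uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@<BUILDER_COMMIT_SHA>  # <builder version>` with the placeholders filled in. The `actions/download-artifact` and `softprops/action-gh-release` pins carry no version comment, unlike `actions/checkout@… # v2.3.4`; adding the matching `# vN` comments lets reviewers and dependency tooling verify what each hash corresponds to. `go-version: 1.17` happens to survive float parsing, but quoting it as `go-version: "1.17"` avoids the trailing-zero trap when the version is later bumped to something like 1.20.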
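Review bot: The `ldflags:` entry `'{{ .Env.VERSION_LDFLAGS }}'` depends on a value that is not defined anywhere in this file — it arrives through the builder's `env` input from the `args` job in the workflow added alongside it — and nothing here says so. A comment above the key, such as `# VERSION_LDFLAGS is supplied via the builder's env input from .github/workflows/slsa-goreleaser.yml (output of scripts/version-ldflags)`, would spare the next maintainer a search across two files and make clear that an empty or missing env var yields an empty ldflags entry rather than a build error. The `hishtory-{{ .OS }}-{{ .Arch }}` binary template and the single `goos`/`goarch` pair look intentional, so no change is needed there.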