name: SLSA go releaser on: workflow_dispatch: push: tags: - "*" permissions: read-all jobs: # ldflags to embed the commit hash in the binary args: runs-on: ubuntu-latest outputs: ldflags: ${{ steps.ldflags.outputs.value }} steps: - id: checkout uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 with: fetch-depth: 0 - id: ldflags run: | echo "::set-output name=value::$(./scripts/client-ldflags)" # Trusted builder. build: permissions: id-token: write contents: read needs: args uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3 with: go-version: 1.17 env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" # Sign the binaries (if this is a macos build) macos_signer: runs-on: macos-11.0 needs: - upload steps: - uses: actions/checkout@v2 - name: Download and sign the latest executables env: MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} run: | export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" pip3 install requests python3 scripts/actions-sign.py echo $GITHUB_REF export VERSION=${GITHUB_REF##*/} - name: Release uses: softprops/action-gh-release@v1 if: startsWith(github.ref, 'refs/tags/') with: files: | hishtory-darwin-arm64-signed.json hishtory-darwin-amd64-signed.json # Upload to GitHub release. upload: permissions: contents: write runs-on: ubuntu-latest needs: - build steps: - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - name: Release uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }} with: files: | ${{ needs.build.outputs.go-binary-name }} ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl