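---
# Release workflow: builds the Go binaries through the SLSA reusable builder
# (provenance-generating), then runs a macOS job intended to sign the darwin
# binaries and attach them to a GitHub release.
name: SLSA go releaser
on:
  workflow_dispatch:
  push:
    tags:
      - "*"

# Least privilege by default: every job gets a read-only token unless it
# explicitly requests more below.
permissions: read-all

jobs:
  # ldflags to embed the commit hash in the binary
  args:
    runs-on: ubuntu-latest
    outputs:
      ldflags: ${{ steps.ldflags.outputs.value }}
    steps:
      - id: checkout
        # Pinned to a full commit SHA so a moved tag cannot change what runs.
        uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
        with:
          # Full history; presumably ./scripts/client-ldflags derives the
          # version from commit/tag history -- confirm against the script.
          fetch-depth: 0
      - id: ldflags
        # `::set-output` is deprecated; write the step output through
        # $GITHUB_OUTPUT instead.
        run: |
          echo "value=$(./scripts/client-ldflags)" >> "$GITHUB_OUTPUT"

  # Trusted builder.
  build:
    permissions:
      # Required by the reusable SLSA builder workflow (OIDC token).
      id-token: write
      contents: read
    needs: args
    # Reusable workflow pinned to a full commit SHA.
    uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3
    with:
      # Quoted so YAML does not parse the version as a float.
      go-version: "1.17"
      env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"

  # Sign the binaries (if this is a macos build)
  macos_signer:
    runs-on: macos-11.0
    permissions:
      # The Release step below creates/updates a GitHub release, which needs
      # write access to contents; the workflow default (read-all) is not enough.
      contents: write
    steps:
      # Pinned to the same checkout commit the args job uses.
      - uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
      - name: Download and sign the latest executables
        env:
          MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
          MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
        # NOTE(review): everything after the first echo is commented out, so
        # this step currently downloads and signs nothing and produces no
        # files for the Release step below.
        run: |
          echo "$GITHUB_REF"
          # brew install md5sha1sum
          # export TAG_NAME=`curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'| jq -r .tag_name`
          # if [ $TAG_NAME == "null" ]; then
          #   echo "TAG_NAME is null, this shouldn't happen!"
          #   curl -L https://api.github.com/repos/ddworken/hishtory/releases/latest
          #   exit 1
          # fi
          # echo "Signing binaries for $TAG_NAME"
          # curl -L -o hishtory-darwin-arm64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-arm64/hishtory-darwin-arm64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
          # curl -L -o hishtory-darwin-amd64 https://github.com/ddworken/hishtory/releases/download/$TAG_NAME-darwin-amd64/hishtory-darwin-amd64 --header 'authorization: Bearer ${{ secrets.GITHUB_TOKEN }}'
          # echo "Signing the binaries:"
          # file hishtory-*
          # sha1sum hishtory-*
          # if [[ `file hishtory-darwin-arm64` == *"ASCII text"* ]]; then
          #   echo "hishtory-darwin-arm64 is ASCII text???"
          #   cat hishtory-darwin-arm64
          #   exit 1
          # fi
          # if [[ `file hishtory-darwin-amd64` == *"ASCII text"* ]]; then
          #   echo "hishtory-darwin-amd64 is ASCII text???"
          #   cat hishtory-darwin-amd64
          #   exit 1
          # fi
          # echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
          # security create-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
          # security default-keychain -s build.keychain
          # security unlock-keychain -p $MACOS_CERTIFICATE_PWD build.keychain
          # security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
          # security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $MACOS_CERTIFICATE_PWD build.keychain
          # /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-arm64 -v
          # /usr/bin/codesign --force -s 6D4E1575A0D40C370E294916A8390797106C8A6E hishtory-darwin-amd64 -v
          # echo "Signed the binaries:"
          # sha1sum hishtory-*
          # # Move them to the released filenames
          # cp hishtory-darwin-arm64 hishtory-darwin-arm64-signed
          # cp hishtory-darwin-amd64 hishtory-darwin-amd64-signed
      - name: Release
        # Pinned to the same action commit the (commented-out) upload job
        # below references, instead of the floating v1 tag.
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
        if: startsWith(github.ref, 'refs/tags/')
        with:
          # NOTE(review): these paths are not produced by the previous step as
          # written (its cp targets, when enabled, are *-signed without .json);
          # confirm the intended artifact names.
          files: |
            hishtory-darwin-arm64-signed.json
            hishtory-darwin-amd64-signed.json

  # Upload to GitHub release.
  # upload:
  #   permissions:
  #     contents: write
  #   runs-on: ubuntu-latest
  #   needs:
  #     - macos_signer
  #     - build
  #   steps:
  #     - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
  #       with:
  #         name: ${{ needs.macos_signer.outputs.go-binary-name }}
  #     - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
  #       with:
  #         name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl
  #     - name: Release
  #       uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
  #       if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
  #       with:
  #         files: |
  #           ${{ needs.macos_signer.outputs.go-binary-name }}
  #           ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl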