name: SLSA go releaser on: workflow_dispatch: push: tags: - "*" permissions: read-all jobs: # ldflags to embed the commit hash in the binary args: runs-on: ubuntu-latest outputs: ldflags: ${{ steps.ldflags.outputs.value }} steps: - id: checkout uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 with: fetch-depth: 0 - id: ldflags run: | echo "::set-output name=value::$(./scripts/client-ldflags)" # Trusted builder. build: permissions: id-token: write contents: read needs: args uses: slsa-framework/slsa-github-generator-go/.github/workflows/builder.yml@2b2bf8753ae8ab14332b72217daf3c2c670272b3 with: go-version: 1.17 env: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" # Upload to GitHub release. upload: permissions: contents: write runs-on: ubuntu-latest needs: build steps: - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }} - uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 with: name: ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl - name: Release uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5 if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }} with: files: | ${{ needs.build.outputs.go-binary-name }} ${{ needs.build.outputs.go-binary-name }}.intoto.jsonl