hishtory/.github/workflows/slsa-releaser.yml
2022-10-01 15:14:51 -07:00

132 lines
4.4 KiB
YAML

name: SLSA go releaser
on:
workflow_dispatch:
push:
tags:
- "*"
permissions: read-all
jobs:
# ldflags to embed the commit hash in the binary
args:
runs-on: ubuntu-latest
outputs:
ldflags: ${{ steps.ldflags.outputs.value }}
steps:
- id: checkout
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4
with:
fetch-depth: 0
- id: ldflags
run: |
echo "::set-output name=value::$(./scripts/client-ldflags)"
# Trusted builders
build-linux-amd64:
permissions:
id-token: write
contents: write
needs: args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
with:
config-file: .slsa-goreleaser-linux-amd64.yml
go-version: 1.18
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-darwin-amd64:
permissions:
id-token: write
contents: write
needs:
- args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
with:
config-file: .slsa-goreleaser-darwin-amd64.yml
go-version: 1.18
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
build-darwin-arm64:
permissions:
id-token: write
contents: write
needs:
- args
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0
with:
config-file: .slsa-goreleaser-darwin-arm64.yml
go-version: 1.18
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942
# Sign the binaries and upload the signed binaries
macos_signer:
runs-on: macos-11.0
needs:
- upload
permissions:
contents: write
steps:
- uses: actions/checkout@v2
- name: Download and sign the latest executables
env:
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }}
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }}
run: |
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}"
pip3 install requests
brew install md5sha1sum
python3 scripts/actions-sign.py
- name: Release
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: |
hishtory-darwin-arm64
hishtory-darwin-arm64-unsigned
hishtory-darwin-amd64
hishtory-darwin-amd64-unsigned
- name: Trigger the backend API service so it knows a release is finished
run: |
curl https://api.hishtory.dev/api/v1/trigger-cron
# Upload to GitHub release.
upload:
permissions:
contents: write
runs-on: ubuntu-latest
needs:
- build-linux-amd64
- build-darwin-amd64
- build-darwin-arm64
steps:
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-amd64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-linux-amd64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-amd64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-amd64.intoto.jsonl
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-arm64
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741
with:
name: hishtory-darwin-arm64.intoto.jsonl
- name: Release
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
if: ${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, '-') }}
with:
files: |
hishtory-linux-amd64
hishtory-linux-amd64.intoto.jsonl
hishtory-darwin-amd64
hishtory-darwin-amd64.intoto.jsonl
hishtory-darwin-arm64
hishtory-darwin-arm64.intoto.jsonl