Merge pull request #2 from sorenisanerd/main #7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Build tools tarball" | |
| on: | |
| - push | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Install cosign | |
| uses: sigstore/[email protected] | |
| - name: setup-mkosi | |
| uses: sorenisanerd/mkosi@main | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: dsaltares/fetch-gh-release-asset@master | |
| id: tools-fetch | |
| with: | |
| repo: ${{ github.repository }} | |
| version: latest | |
| file: 'mangos\.tools_.*\.tar\.zst.*' | |
| regex: true | |
| target: 'dl/' | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Verify tools signature | |
| env: | |
| tag: ${{ steps.tools-fetch.outputs.version }} | |
| run: | | |
| cosign verify-blob --bundle dl/mangos.tools_*.tar.zst.sigbundle \ | |
| --certificate-identity "${{ github.server_url }}/${{ github.repository }}/.github/workflows/build.yml@refs/tags/${tag}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| dl/mangos.tools_*.tar.zst | |
| - name: Decompress and stage tools | |
| run: mkdir mkosi.tools ; tar -x --zstd -f dl/mangos.tools_*.tar.zst -C mkosi.tools | |
| - name: Install syft | |
| run: DOWNLOAD_TAG_INSTALL_SCRIPT=false mkosi sandbox -- sh ./syft-install.sh -v -b . -dd v1.28.0 | |
| - name: Copy cosign into place | |
| run: cp $HOME/.cosign/cosign . | |
| - name: Run mkosi | |
| run: mkosi --debug | |
| - name: Remove symlinks | |
| run: find out/ -type l -delete | |
| - name: Sign artifacts | |
| run: for file in out/* ; do cosign sign-blob -d -y --bundle "${file}.sigbundle" "${file}"; done | |
| - name: Upload build artifact | |
| id: upload | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| path: out/* | |
| compression-level: 0 | |
| name: mangos.tools | |
| - name: Release | |
| if: github.ref_type == 'tag' | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| draft: true | |
| files: out/* |