dragonfly/.github/workflows/release.yml at 571838301b6c44b5da75414b8ed656e44aef1449 · dragonflyoss/dragonfly · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: Release

on:
  push:
    tags:
      - v*

permissions:
  contents: read

jobs:
  goreleaser:
    permissions:
      contents: write
    runs-on: oracle-vm-24cpu-96gb-x86-64
    timeout-minutes: 60
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      tag_name: ${{ steps.tag.outputs.tag_name }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
          submodules: recursive

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c
        with:
          go-version-file: go.mod

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29
        id: run-goreleaser
        with:
          version: latest
          distribution: goreleaser
          args: release --clean --skip=validate
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Generate subject
        id: hash
        env:
          ARTIFACTS: '${{ steps.run-goreleaser.outputs.artifacts }}'
        run: |
          set -euo pipefail
          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
          if test "$hashes" = ""; then # goreleaser < v1.13.0
            checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
            hashes=$(cat $checksum_file | base64 -w0)
          fi
          echo "hashes=$hashes" >> $GITHUB_OUTPUT

      - name: Set tag output
        id: tag
        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [goreleaser]
    permissions:
      id-token: write
      contents: write
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'

  upload-provenance:
    needs: [goreleaser, provenance]
    permissions:
      contents: write
    runs-on: oracle-vm-24cpu-96gb-x86-64
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
        with:
          fetch-depth: 0
          submodules: recursive

      - name: Download SLSA provenance artifacts
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: multiple.intoto.jsonl
          path: artifacts

      - name: Upload SLSA Provenance Attestation to Release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ needs.goreleaser.outputs.tag_name }}
        run: |
          set -euxo pipefail
          ARTIFACT_PATH="artifacts/multiple.intoto.jsonl"
          gh release upload "$TAG_NAME" "$ARTIFACT_PATH" --clobber