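---
# Builds go-flare (avalanchego) through the SLSA3 reusable workflow and, on a
# tag, through an independent verification build. The release job then checks
# the two binaries are byte-identical, verifies the SLSA provenance, signs the
# release zip with keyless cosign and publishes it.
#
# Fixes over the previous revision (behaviour otherwise unchanged):
#   - shell steps read the tag name from an env var instead of expanding
#     `${{ github.ref_name }}` inline, so a tag name containing shell
#     metacharacters is never interpreted as code;
#   - the reproducibility check runs under `shell: bash` (pipefail) and checks
#     that both binaries exist, so a failing `sha256sum` can no longer yield
#     two empty, "matching" hashes.
name: binaries

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
  push:
    branches: ["main", "release/**"]
    tags: ["v*"]

jobs:
  build:
    name: Build go-flare with SLSA
    uses: ./.github/workflows/build-go-slsa3.yaml
    with:
      go_version: "1.23.12"
      ubuntu_version: "24.04"
      build_artifact_name: "avalanchego"

  # Independent second build; its binary is the reference for the
  # reproducibility check in the release job.
  build-verification:
    if: github.ref_type == 'tag'
    name: Go Verification Build
    uses: ./.github/workflows/build-go-verification.yaml
    with:
      go_version: "1.23.12"
      ubuntu_version: "24.04"
      build_artifact_name: "avalanchego-verification"

  release:
    name: Release
    runs-on: "ubuntu-24.04"
    needs: [build, build-verification]
    if: github.ref_type == 'tag'
    permissions:
      contents: write  # create the GitHub release
      id-token: write  # OIDC token for keyless cosign signing
    env:
      # Tag name for shell steps. Passing it through the environment rather
      # than `${{ github.ref_name }}` inside `run:` keeps it data, not code.
      REF_NAME: ${{ github.ref_name }}
    steps:
      - name: Install diffoscope
        run: sudo apt-get update -y && sudo apt-get install -y diffoscope-minimal

      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@ea584f4502babc6f60d9bc799dbbb13c1caa9ee6 # v2.7.1

      - name: Install Cosign
        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3

      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3

      - name: Download artifacts
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
        with:
          path: artifacts

      # Unpacks the SLSA build output and its attestation bundle and exports
      # the paths the following steps use. The verification binary is assumed
      # to be downloaded as a plain file (no tarball) — NOTE(review): confirm
      # against build-go-verification.yaml.
      - name: Extract artifacts
        shell: bash
        run: |
          mkdir -p release/
          tar -xzf artifacts/avalanchego/folder.tgz -C artifacts/avalanchego/
          mv artifacts/avalanchego/binaries/avalanchego release/
          tar -xzf artifacts/avalanchego-attestations/folder.tgz -C artifacts/avalanchego-attestations/
          mv artifacts/avalanchego-attestations/*-slsa-attestations/avalanchego-binaries.build.slsa artifacts/avalanchego.build.slsa
          echo "AVALANCHEGO_BINARY=release/avalanchego" >> "$GITHUB_ENV"
          echo "AVALANCHEGO_VERIFICATION_BINARY=artifacts/avalanchego-verification/avalanchego" >> "$GITHUB_ENV"
          echo "SLSA_PROVENANCE=artifacts/avalanchego.build.slsa" >> "$GITHUB_ENV"

      # Both builds must produce the same bytes; on mismatch diffoscope is run
      # for diagnostics and the job fails.
      - name: Verify reproducible build
        shell: bash  # explicit bash gives `-o pipefail`, so a failing sha256sum aborts the step
        run: |
          set -euo pipefail
          for f in "$AVALANCHEGO_BINARY" "$AVALANCHEGO_VERIFICATION_BINARY"; do
            if [ ! -f "$f" ]; then
              echo "::error::missing binary: $f"
              exit 1
            fi
          done
          HASH_MAIN=$(sha256sum "$AVALANCHEGO_BINARY" | awk '{print $1}')
          HASH_VERIFY=$(sha256sum "$AVALANCHEGO_VERIFICATION_BINARY" | awk '{print $1}')
          echo "main:         $HASH_MAIN"
          echo "verification: $HASH_VERIFY"
          # `-n` guards against two empty hashes comparing equal.
          if [ -n "$HASH_MAIN" ] && [ "$HASH_MAIN" = "$HASH_VERIFY" ]; then
            echo "Hashes match"
          else
            echo "Hashes don't match"
            diffoscope "$AVALANCHEGO_BINARY" "$AVALANCHEGO_VERIFICATION_BINARY" || true
            exit 1
          fi

      # Only exact vX.Y.Z tags are checked against the SLSA3 builder identity.
      # Any other tag admitted by the `v*` trigger (for example a pre-release
      # suffix) is released without provenance verification — the skip is
      # kept from the original workflow; NOTE(review): consider failing here
      # instead so every published artifact carries verified provenance.
      - name: Verify SLSA provenance
        shell: bash
        run: |
          if [[ "$REF_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            slsa-verifier verify-artifact \
              "$AVALANCHEGO_BINARY" \
              --provenance-path "$SLSA_PROVENANCE" \
              --source-uri "github.com/${{ github.repository }}" \
              --builder-id "https://github.com/${{ github.repository }}/.github/workflows/build-go-slsa3.yaml@refs/tags/${REF_NAME}"
          else
            echo "Skipping SLSA verification for non-release tag: ${REF_NAME}"
          fi

      # Zips the release directory and renames the provenance to share the
      # zip's base name, so the `files:` glob of the release step picks up the
      # zip, its signature, its certificate and its provenance together.
      - name: Package release
        shell: bash
        run: |
          ARTIFACT_NAME="go-flare-${REF_NAME}-linux-amd64.zip"
          cd release
          zip -r "../${ARTIFACT_NAME}" .
          mv "../${SLSA_PROVENANCE}" "../${ARTIFACT_NAME}.build.slsa"
          echo "ARTIFACT_NAME=${ARTIFACT_NAME}" >> "$GITHUB_ENV"

      # Keyless (OIDC) signature; the certificate is bound to this workflow's
      # identity and is published next to the zip.
      - name: Sign release binary
        shell: bash
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign sign-blob --yes \
            --output-signature "${ARTIFACT_NAME}.sig" \
            --output-certificate "${ARTIFACT_NAME}.pem" \
            "$ARTIFACT_NAME"

      # Self-check of the signature just produced. The expected identity must
      # be the path of THIS workflow file at the current ref — NOTE(review):
      # confirm this file is stored as .github/workflows/build-binary.yaml,
      # otherwise this step fails for every release.
      - name: Verify release binary signature
        shell: bash
        env:
          COSIGN_EXPERIMENTAL: 1
        run: |
          cosign verify-blob \
            --certificate "${ARTIFACT_NAME}.pem" \
            --certificate-identity="https://github.com/${{ github.repository }}/.github/workflows/build-binary.yaml@${{ github.ref }}" \
            --certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
            --signature "${ARTIFACT_NAME}.sig" \
            "$ARTIFACT_NAME"

      - name: Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
        with:
          body: "TODO"  # release notes placeholder carried over from the original
          files: ${{ env.ARTIFACT_NAME }}*

      - name: Archive production artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: dist-bin
          path: |
            ${{ env.ARTIFACT_NAME }}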