Fix the spellcheck GHA perms (#6868) #525
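# Release workflow: builds, signs and publishes the release with GoReleaser.
# Triggered by any pushed tag, or manually with the inputs below.
name: goreleaser
on:
  push:
    tags:
      - "*"
  workflow_dispatch:
    # Every input is a boolean, so the `inputs` context holds real booleans
    # (`inputs.x == true`), whereas `github.event.inputs.x` is the string 'true'.
    inputs:
      skip-publish:
        description: "Skip publishing to releases.mondoo.com?"
        type: boolean
        required: false
        default: false
      use-test-cert:
        description: "Use test certificate profile (not publicly trusted)"
        required: false
        default: false
        type: boolean
      goreleaser-snapshot:
        description: "Run goreleaser in snapshot mode, which will not publish and bypass tag checks."
        required: false
        default: false
        type: boolean
      upload-artifacts:
        description: "Uploading artifacts to workflow"
        required: false
        default: false
        type: boolean
      skip-cnspec-bump:
        description: "Skip triggering mql version bump in cnspec"
        required: false
        default: true
        type: boolean
      make-latest:
        description: "Mark GitHub release as 'latest'"
        required: false
        default: true
        type: boolean

env:
  REGISTRY: docker.io

# Workflow-wide default is a read-only GITHUB_TOKEN; the job below escalates
# explicitly to the two scopes it needs.
permissions:
  contents: read

jobs:
  goreleaser:
    permissions:
      # Add "contents" to write release
      contents: "write"
      # Add "id-token" for google-github-actions/auth
      id-token: "write"
    runs-on:
      group: Default
    environment: prod
    timeout-minutes: 120
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0

      # All inputs are booleans (see workflow_dispatch above), so expanding
      # them into the shell line here cannot inject shell syntax.
      - name: Dump all inputs
        run: |
          echo "${{ toJSON(inputs) }}"
          echo "github.ref: ${{ github.ref }}"
          echo "github.ref_name: ${{ github.ref_name }}"
          echo "github.event_name: ${{ github.event_name }}"

      # Pre-release tags (alpha/beta/pre/rc) and an explicit skip-publish input
      # route the run to the "unstable" GoReleaser config further down.
      - name: Skip Publish for non-release tags
        id: skip-publish
        if: contains(github.ref, 'alpha') || contains(github.ref, 'beta') || contains(github.ref, 'pre') || contains(github.ref, 'rc') || inputs.skip-publish == true
        run: |
          echo "Skipping publish for non-release tags"
          echo "skip-publish=true" >> "$GITHUB_OUTPUT"
          echo "skip-publish=true" >> "$GITHUB_ENV"

      # Provides env.golang-version and env.protoc-version used below.
      - name: Import environment variables from file
        run: cat ".github/env" >> "$GITHUB_ENV"

      - name: Set up Go
        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: ">=${{ env.golang-version }}"
          cache: false

      - name: Install Protoc
        uses: arduino/setup-protoc@c65c819552d16ad3c9b72d9dfd5ba5237b9c906b # v3.0.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          version: ${{ env.protoc-version }}

      # Keyless auth via the job's id-token permission; no long-lived GCP key.
      - name: "Authenticate to Google Cloud"
        uses: "google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093" # v3.0.0
        with:
          workload_identity_provider: ${{ secrets.GCP_WIP }}
          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # Decodes the base64 GPG key into a temp file; nfpm reads it via GPG_KEY_PATH.
      - name: "Write RPM Signing Cert"
        run: |
          gpgkey="$(mktemp -t gpgkey.XXX)"
          base64 -d <<<"$GPG_KEY" > "$gpgkey"
          echo "GPG_KEY_PATH=$gpgkey" >> "$GITHUB_ENV"
        env:
          GPG_KEY: "${{ secrets.GPG_KEY}}"

      # jsign and azure-cli are both requirements for Azure Trusted Signing and these actions to authenticate
      # These packages have been installed on the self-hosted runner using ansible from the private repo
      - name: Azure login
        uses: azure/login@a457da9ea143d694b1b9c7c869ebb04ebe844ef5 # v2.3.0
        with:
          client-id: ${{ secrets.TSIGN_AZURE_CLIENT_ID }}
          tenant-id: ${{ vars.TSIGN_AZURE_TENANT_ID}}
          subscription-id: ${{ vars.TSIGN_AZURE_SUBSCRIPTION_ID }}

      - name: Get Azure AD Access Token to trusted signing
        id: get_token
        run: |
          set -e # Stop on first error
          TSIGN_ACCESS_TOKEN=$(az account get-access-token --resource https://codesigning.azure.net --query accessToken -o tsv)
          if [ -z "$TSIGN_ACCESS_TOKEN" ]; then
            echo "Error: Access token is empty"
            exit 1
          fi
          # The token is minted at runtime rather than coming from `secrets`, so the
          # runner has no idea it is sensitive; register it as a mask before it is
          # handed to a step output and consumed by later steps.
          echo "::add-mask::$TSIGN_ACCESS_TOKEN"
          # Only the first 8 characters are logged, as a liveness hint.
          PREFIX="${TSIGN_ACCESS_TOKEN:0:8}"
          echo "Access token prefix: ${PREFIX}..."
          echo "TSIGN_ACCESS_TOKEN=$TSIGN_ACCESS_TOKEN" >> "$GITHUB_OUTPUT"

      - name: Install Quill for Mac Signing and Notarization
        run: |
          # anchore/quill v0.5.1
          curl -sSfL https://raw.githubusercontent.com/anchore/quill/026e6f927f9b7ddfc764f205fd681cdc2be9380e/install.sh | sh -s -- -b /tmp
          /tmp/quill help

      - name: Log in to the Container registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Run GoReleaser
      # This will build the binaries, create the docker images, and publish the release to Git
      # we are currently pinned to v2.5.1 because of a bug in v2.6.0 that causes the release to fail
      # specifically with the signing of the RPM packages
      # if you upgrade then when validating the signatures 'rpm -qpi dist/*.rpm' it will error with
      # Header RSA signature: BAD (package tag 268: invalid OpenPGP signature)
      # This is because a goreleaser dep was changed to https://github.com/goreleaser/nfpm/releases/tag/v2.41.2
      # created a discussion on the issue here https://github.com/orgs/goreleaser/discussions/5943
      - name: Run GoReleaser and promote latest
        if: ${{ inputs.skip-publish != true && steps.skip-publish.outputs.skip-publish != 'true' }}
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          version: v2.5.1
          args: >
            release
            --config .goreleaser.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): no step with id `gcp_secrets` exists in this workflow, so this
          # expression resolves to an empty string — confirm whether it is still needed.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          # Same boolean `inputs` comparison as the other conditions in this file;
          # on a tag push the input is unset and the production profile is used.
          TSIGN_CERT_PROFILE_NAME: ${{ inputs.use-test-cert == true && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
          MAKE_LATEST: ${{ inputs.make-latest == false && 'false' || 'true' }}

      - name: Run GoReleaser without promoting 'latest'
        if: ${{ inputs.skip-publish == true || steps.skip-publish.outputs.skip-publish == 'true' }}
        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
        with:
          distribution: goreleaser
          version: v2.5.1
          args: >
            release
            ${{ inputs.goreleaser-snapshot == true && '--snapshot' || '' }}
            --config .github/.goreleaser-unstable.yml
            --clean
            --timeout 120m
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): see the same CERT_PASSWORD line in the step above — `gcp_secrets`
          # is not a step id in this workflow.
          CERT_PASSWORD: ${{ steps.gcp_secrets.outputs.code_sign_cert_challenge }}
          NFPM_DEFAULT_RPM_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
          QUILL_SIGN_PASSWORD: ""
          QUILL_SIGN_P12: ${{ secrets.APPLE_SIGN_P12 }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          TSIGN_AZURE_ENDPOINT: ${{ vars.TSIGN_AZURE_ENDPOINT }}
          TSIGN_ACCOUNT_NAME: ${{ vars.TSIGN_ACCOUNT_NAME }}
          TSIGN_CERT_PROFILE_NAME: ${{ inputs.use-test-cert == true && vars.TSIGN_TEST_CERT_PROFILE_NAME || vars.TSIGN_CERT_PROFILE_NAME }}
          TSIGN_ACCESS_TOKEN: ${{ steps.get_token.outputs.TSIGN_ACCESS_TOKEN }}
          MAKE_LATEST: ${{ inputs.make-latest == false && 'false' || 'true' }}

      # Fails the job if any RPM signature is invalid (see the pin comment above).
      - name: Check RPMs
        run: |
          rpm -qpi dist/*.rpm

      - name: Output Quill Logs
        if: ${{ failure() }}
        run: |
          for f in $(find /tmp -name 'quill-*.log' 2>/dev/null); do
            echo "=== $f ==="
            ls -l "$f"
            cat "$f"
          done

      - name: Upload artifacts
        if: ${{ inputs.upload-artifacts == true }}
        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: windows-artifacts
          path: dist/*.zip
          retention-days: 7

      # At this point we know the docker container is published.
      # We can now trigger the mql bump in cnspec, which will also trigger the release of cnspec.
      # The docker container is a pre-requisite for cnspec release.
      - name: Trigger mql bump in cnspec
        if: ${{ inputs.skip-publish != true && inputs.skip-cnspec-bump != true && inputs.make-latest != false }}
        uses: peter-evans/repository-dispatch@28959ce8df70de7be546dd1250a005dd32156697 # v4.0.1
        with:
          token: ${{ secrets.RELEASR_ACTION_TOKEN }}
          repository: "mondoohq/cnspec"
          event-type: update-mql
          # toJSON() quotes and escapes the tag name, so the payload stays valid
          # JSON even for a tag containing quotes or backslashes.
          client-payload: '{ "version": ${{ toJSON(github.ref_name) }} }'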