Merge pull request #1724 from felixfontein/release-3-9-3 #12

Workflow file for this run

.github/workflows/release.yml at 3721355

	name: Release

	on:
	push:
	tags: [ 'v*' ]

	permissions:
	contents: read

	jobs:
	release:
	runs-on: ubuntu-latest

	permissions:
	contents: write # For creating the GitHub release.
	id-token: write # For creating OIDC tokens for signing.
	packages: write # For pushing and signing container images.

	outputs:
	version: "${{ steps.release-metadata.outputs.version }}"
	artifact-subjects: "${{ steps.artifact-hashes.outputs.subjects }}"
	package-subjects: "${{ steps.package-hashes.outputs.subjects }}"
	sbom-subjects: "${{ steps.sbom-hashes.outputs.subjects }}"
	container-subjects: "${{ steps.container-metadata.outputs.subjects }}"

	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	persist-credentials: false

	- name: Setup Go
	uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v4.0.1
	with:
	go-version-file: go.mod
	cache: false

	- name: Setup Syft
	uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9

	- name: Setup Cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Setup QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

	- name: Setup Docker Buildx
	uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Login to Quay.io
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_BOT_USERNAME }}
	password: ${{ secrets.QUAY_BOT_TOKEN }}

	- name: Run GoReleaser
	id: goreleaser
	uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
	with:
	# Note that the following is the version of goreleaser, and NOT a Go version!
	# When bumping it, make sure to check out goreleaser's changelog first!
	# (https://github.com/goreleaser/goreleaser/releases)
	version: 1.21.x
	args: release --clean --timeout 1h
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Extract release metadata
	id: release-metadata
	env:
	METADATA: "${{ steps.goreleaser.outputs.metadata }}"
	run: \|
	set -euo pipefail
	echo "version=$(echo -E $METADATA \| jq -r '.version')" >> "$GITHUB_OUTPUT"

	- name: Extract artifact subjects
	id: artifact-hashes
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail
	sum_file=$(echo -E $ARTIFACTS \| jq -r '.[] \| {name, "digest": (.extra.Digest // .extra.Checksum)} \| select(.digest) \| {digest} + {name} \| join(" ") \| sub("^(.*?):";"")')
	echo "subjects=$(echo "$sum_file" \| base64 -w0)" >> "$GITHUB_OUTPUT"

	- name: Extract package subjects
	id: package-hashes
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	sum_file="$(mktemp)"

	mapfile -t file_paths < <(echo -E "$ARTIFACTS" \| jq -r '.[] \| select(.type=="Linux Package") \| .path')
	for f in "${file_paths[@]}"; do
	file_name=$(basename "$f")
	file_sum=$(sha256sum "$f" \| awk '{print $1}')
	echo "$file_sum $file_name" >> "$sum_file"
	done

	echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"

	- name: Extract SBOM subjects
	id: sbom-hashes
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	sum_file="$(mktemp)"

	mapfile -t file_paths < <(echo -E "$ARTIFACTS" \| jq -r '.[] \| select(.type=="SBOM") \| .path')
	for f in "${file_paths[@]}"; do
	file_name=$(basename "$f")
	file_sum=$(sha256sum "$f" \| awk '{print $1}')
	echo "$file_sum $file_name" >> "$sum_file"
	done

	echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"

	- name: Extract container image subjects
	id: container-metadata
	env:
	ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
	run: \|
	image_list=$(echo -e "$ARTIFACTS" \| jq -r '.[] \| select(.type=="Docker Manifest") \| {"image": (.name \| sub("^.?/"; "") \| sub(":(.)"; "")), "digest": .extra.Digest}')
	echo "subjects=$(echo $image_list \| jq -c -s 'unique_by(.digest) \| {"include": .}')" >> "$GITHUB_OUTPUT"

	combine-subjects:
	runs-on: ubuntu-latest

	needs: [ release ]

	outputs:
	all-subjects: "${{ steps.combine-subjects.outputs.subjects }}"

	steps:
	- name: Combine subjects
	id: combine-subjects
	env:
	ARTIFACT_SUBJECTS: "${{ needs.release.outputs.artifact-subjects }}"
	PACKAGE_SUBJECTS: "${{ needs.release.outputs.package-subjects }}"
	SBOM_SUBJECTS: "${{ needs.release.outputs.sbom-subjects }}"
	run: \|
	set -euo pipefail

	artifact_subjects=$(echo "$ARTIFACT_SUBJECTS" \| base64 -d)
	package_subjects=$(echo "$PACKAGE_SUBJECTS" \| base64 -d)
	sbom_subjects=$(echo "$SBOM_SUBJECTS" \| base64 -d)

	all_subjects=$(echo -e "${artifact_subjects}\n${package_subjects}\n${sbom_subjects}\n" \| sed '/^$/d')

	echo "subjects=$(echo "$all_subjects" \| base64 -w0)" >> "$GITHUB_OUTPUT"

	assets-provenance:
	needs: [ release, combine-subjects ]

	permissions:
	actions: read # For detecting the GitHub Actions environment.
	id-token: write # For creating OIDC tokens for signing.
	contents: write # For adding assets to a release.

	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}"
	upload-assets: true
	provenance-name: "sops-v${{ needs.release.outputs.version }}.intoto.jsonl"

	ghcr-container-provenance:
	needs: [ release ]

	permissions:
	actions: read # For detecting the Github Actions environment.
	id-token: write # For creating OIDC tokens for signing.
	packages: write # For uploading attestations.

	strategy:
	matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}

	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ghcr.io/${{ matrix.image }}
	digest: ${{ matrix.digest }}
	registry-username: ${{ github.actor }}
	secrets:
	registry-password: ${{ secrets.GITHUB_TOKEN }}

	quay-container-provenance:
	needs: [ release ]

	permissions:
	actions: read # For detecting the Github Actions environment.
	id-token: write # For creating OIDC tokens for signing.
	packages: write # For uploading attestations.

	strategy:
	matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}

	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: quay.io/${{ matrix.image }}
	digest: ${{ matrix.digest }}
	secrets:
	registry-username: ${{ secrets.QUAY_BOT_USERNAME }}
	registry-password: ${{ secrets.QUAY_BOT_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #1724 from felixfontein/release-3-9-3 #12

Workflow file

Merge pull request #1724 from felixfontein/release-3-9-3 #12

Jobs

Run details

Workflow file for this run