


     1name: goreleaser
     2
     3on:
     4  push:
     5    tags: ['*']
     6
     7jobs:
     8  goreleaser:
     9    runs-on: ubuntu-latest
    10    outputs:
    11      hashes: ${{ steps.hash.outputs.hashes }}
    12    steps:
    13      - uses: actions/checkout@v3
    14      - name: Unshallow
    15        run: git fetch --prune --unshallow
    16      - uses: actions/setup-go@v4
    17        with:
    18          go-version: 1.21
    19          check-latest: true
    20      - uses: goreleaser/goreleaser-action@v4.2.0
    21        id: run-goreleaser
    22        with:
    23          version: "~> v1.19"
    24          args: release --rm-dist
    25        env:
    26          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    27      - name: Generate subject
    28        id: hash
    29        env:
    30          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
    31        run: |
    32          set -euo pipefail
    33
    34          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
    35          echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT
    36
    37  provenance:
    38    needs: [goreleaser]
    39    permissions:
    40      actions: read # To read the workflow path.
    41      id-token: write # To sign the provenance.
    42      contents: write # To add assets to a release.
    43    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
    44    with:
    45      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
    46      upload-assets: true # upload to a new release
    47
    48  verification:
    49    needs: [goreleaser, provenance]
    50    runs-on: ubuntu-latest
    51    permissions: read-all
    52    steps:
    53      - name: Install SLSA verifier
    54        uses: slsa-framework/slsa-verifier/actions/installer@v2.2.0
    55      - name: Download assets
    56        env:
    57          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    58          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
    59        run: |
    60          set -euo pipefail
    61          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
    62          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $PROVENANCE
    63      - name: Verify assets
    64        env:
    65          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
    66          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
    67        run: |
    68          set -euo pipefail
    69          checksums=$(echo "$CHECKSUMS" | base64 -d)
    70          while read -r line; do
    71              fn=$(echo $line | cut -d ' ' -f2)
    72              echo "Verifying $fn"
    73              slsa-verifier verify-artifact "$fn" \
    74                            --provenance-path "$PROVENANCE" \
    75                            --source-uri "github.com/$GITHUB_REPOSITORY" \
    76                            --source-tag "$GITHUB_REF_NAME"
    77          done <<<"$checksums"
