on: push: tags: - v2.[0-9]+.[0-9]+ # For testing the workflow before pushing a tag # This will run goreleaser with --snapshot and test the # SLSA generator. workflow_dispatch: permissions: contents: read name: release jobs: goreleaser: outputs: hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-latest permissions: contents: write steps: - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4 with: fetch-depth: 0 - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5 with: check-latest: true - name: Generate goreleaser args id: args run: | set -euo pipefail args='release --clean' if [[ "$GITHUB_REF" != refs/tags/* ]]; then args+=' --snapshot' fi echo "args=$args" >> $GITHUB_OUTPUT - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5 id: run-goreleaser with: args: ${{ steps.args.outputs.args }} env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Generate subject id: hash env: ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" run: | set -euo pipefail checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT provenance: needs: [goreleaser] permissions: actions: read # To read the workflow path. id-token: write # To sign the provenance. contents: write # To add assets to a release. uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 with: compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" upload-assets: ${{ github.event_name == 'push' }} # upload to a new release when pushing via tag