1#
2# Copyright 2021 The Sigstore Authors.
3#
4# Licensed under the Apache License, Version 2.0 (the "License");
5# you may not use this file except in compliance with the License.
6# You may obtain a copy of the License at
7#
8# http://www.apache.org/licenses/LICENSE-2.0
9#
10# Unless required by applicable law or agreed to in writing, software
11# distributed under the License is distributed on an "AS IS" BASIS,
12# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13# See the License for the specific language governing permissions and
14# limitations under the License.
15
16name: CI-Validate-Release-Job
17
18on:
19 push:
20 branches:
21 - main
22 - release-*
23 pull_request:
24
25jobs:
26 check-signature:
27 runs-on: ubuntu-latest
28 container:
29 image: gcr.io/projectsigstore/cosign:v2.2.3-dev@sha256:0d795fa145b03026b7bc2a35e33068cdb75e1c1f974e604c17408bf7bd174967
30
31 steps:
32 - name: Check Signature
33 run: |
34 cosign verify ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405 \
35 --certificate-oidc-issuer https://token.actions.githubusercontent.com \
36 --certificate-identity "https://github.com/gythialy/golang-cross/.github/workflows/release-golang-cross.yml@refs/tags/v1.21.8-0"
37 env:
38 TUF_ROOT: /tmp
39
40 validate-release-job:
41 runs-on: ubuntu-latest
42 needs:
43 - check-signature
44
45 container:
46 image: ghcr.io/gythialy/golang-cross:v1.21.8-0@sha256:9c86fc6c6763cd5cd9a07f25083fc5a87f3525b5f8d7ff886822e2153f0c8405
47
48 permissions: {}
49
50 steps:
51 - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
52
53 # Error: fatal: detected dubious ownership in repository at '/__w/cosign/cosign'
54 # To add an exception for this directory, call:
55 # git config --system --add safe.directory /__w/cosign/cosign
56 # Reason: Recent versions of git require the .git folder to be owned
57 # by the same user (see https://github.blog/2022-04-12-git-security-vulnerability-announced/).
58 # Related
59 # - https://github.com/actions/runner/issues/2033
60 # - https://github.com/actions/checkout/issues/1048
61 # - https://github.com/actions/runner-images/issues/6775
62 - run: git config --system --add safe.directory /__w/cosign/cosign
63
64 # Related to https://github.com/sigstore/cosign/issues/3149
65 - name: free up disk space for the release
66 run: |
67 rm -rf /usr/share/dotnet/
68 rm -rf "$AGENT_TOOLSDIRECTORY"
69 rm -rf "/usr/local/share/boost"
70 rm -rf /opt/ghc
71 docker rmi $(docker image ls -aq) || true
72 swapoff /swapfile || true
73 rm -rf /swapfile /usr/share/dotnet /usr/local/lib/android /opt/ghc || true
74 apt purge aria2 ansible hhvm mono-devel azure-cli shellcheck rpm xorriso zsync \
75 clang-6.0 lldb-6.0 lld-6.0 clang-format-6.0 clang-8 lldb-8 lld-8 clang-format-8 \
76 clang-9 lldb-9 lld-9 clangd-9 clang-format-9 dotnet-sdk-3.0 dotnet-sdk-3.1=3.1.101-1 \
77 esl-erlang firefox g++-8 g++-9 gfortran-8 gfortran-9 google-chrome-stable \
78 google-cloud-sdk ghc-8.0.2 ghc-8.2.2 ghc-8.4.4 ghc-8.6.2 ghc-8.6.3 ghc-8.6.4 \
79 ghc-8.6.5 ghc-8.8.1 ghc-8.8.2 ghc-8.8.3 ghc-8.10.1 cabal-install-2.0 cabal-install-2.2 \
80 cabal-install-2.4 cabal-install-3.0 cabal-install-3.2 heroku imagemagick \
81 libmagickcore-dev libmagickwand-dev libmagic-dev ant ant-optional kubectl \
82 mercurial apt-transport-https mono-complete mysql-client libmysqlclient-dev \
83 mysql-server mssql-tools unixodbc-dev yarn bazel chrpath libssl-dev libxft-dev \
84 libfreetype6 libfreetype6-dev libfontconfig1 libfontconfig1-dev php7.1 php7.1-bcmath \
85 php7.1-bz2 php7.1-cgi php7.1-cli php7.1-common php7.1-curl php7.1-dba php7.1-dev \
86 php7.1-enchant php7.1-fpm php7.1-gd php7.1-gmp php7.1-imap php7.1-interbase php7.1-intl \
87 php7.1-json php7.1-ldap php7.1-mbstring php7.1-mcrypt php7.1-mysql php7.1-odbc \
88 php7.1-opcache php7.1-pgsql php7.1-phpdbg php7.1-pspell php7.1-readline php7.1-recode \
89 php7.1-snmp php7.1-soap php7.1-sqlite3 php7.1-sybase php7.1-tidy php7.1-xml \
90 php7.1-xmlrpc php7.1-xsl php7.1-zip php7.2 php7.2-bcmath php7.2-bz2 php7.2-cgi \
91 php7.2-cli php7.2-common php7.2-curl php7.2-dba php7.2-dev php7.2-enchant php7.2-fpm \
92 php7.2-gd php7.2-gmp php7.2-imap php7.2-interbase php7.2-intl php7.2-json php7.2-ldap \
93 php7.2-mbstring php7.2-mysql php7.2-odbc php7.2-opcache php7.2-pgsql php7.2-phpdbg \
94 php7.2-pspell php7.2-readline php7.2-recode php7.2-snmp php7.2-soap php7.2-sqlite3 \
95 php7.2-sybase php7.2-tidy php7.2-xml php7.2-xmlrpc php7.2-xsl php7.2-zip php7.3 \
96 php7.3-bcmath php7.3-bz2 php7.3-cgi php7.3-cli php7.3-common php7.3-curl php7.3-dba \
97 php7.3-dev php7.3-enchant php7.3-fpm php7.3-gd php7.3-gmp php7.3-imap php7.3-interbase \
98 php7.3-intl php7.3-json php7.3-ldap php7.3-mbstring php7.3-mysql php7.3-odbc \
99 php7.3-opcache php7.3-pgsql php7.3-phpdbg php7.3-pspell php7.3-readline php7.3-recode \
100 php7.3-snmp php7.3-soap php7.3-sqlite3 php7.3-sybase php7.3-tidy php7.3-xml \
101 php7.3-xmlrpc php7.3-xsl php7.3-zip php7.4 php7.4-bcmath php7.4-bz2 php7.4-cgi \
102 php7.4-cli php7.4-common php7.4-curl php7.4-dba php7.4-dev php7.4-enchant php7.4-fpm \
103 php7.4-gd php7.4-gmp php7.4-imap php7.4-interbase php7.4-intl php7.4-json php7.4-ldap \
104 php7.4-mbstring php7.4-mysql php7.4-odbc php7.4-opcache php7.4-pgsql php7.4-phpdbg \
105 php7.4-pspell php7.4-readline php7.4-snmp php7.4-soap php7.4-sqlite3 php7.4-sybase \
106 php7.4-tidy php7.4-xml php7.4-xmlrpc php7.4-xsl php7.4-zip php-amqp php-apcu \
107 php-igbinary php-memcache php-memcached php-mongodb php-redis php-xdebug \
108 php-zmq snmp pollinate libpq-dev postgresql-client powershell ruby-full \
109 sphinxsearch subversion mongodb-org -yq >/dev/null 2>&1 || true
110 apt-get remove -y 'php.*' || true
111 apt-get autoremove -y >/dev/null 2>&1 || true
112 apt-get autoclean -y >/dev/null 2>&1 || true
113 - name: check disk space
114 run: df -h
115
116 - name: goreleaser snapshot
117 run: make snapshot
118 env:
119 PROJECT_ID: honk-fake-project
120 RUNTIME_IMAGE: gcr.io/distroless/static-debian12:nonroot
121
122 - name: check binaries
123 run: |
124 ./dist/cosign-linux-amd64 version
View as plain text