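---
# cut-release: build, sign and publish release artifacts on a version tag,
# then attach SLSA L3 provenance to the same release.
name: cut-release

on:
  push:
    tags:
      - "v*"

# Only one release cut runs at a time.
concurrency: cut-release

# Default to read-only; each job below asks for only the scopes it needs.
permissions: read-all

jobs:
  release:
    permissions:
      contents: write  # needed to write releases
      id-token: write  # needed for keyless signing
      packages: write  # needed for pushing the images to ghcr.io
    runs-on: ubuntu-latest
    # Consumed by the provenance job: base64 checksums and the release tag.
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      tag_name: ${{ steps.tag.outputs.tag_name }}
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the human-readable version for review.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version-file: './go.mod'
          check-latest: true
      - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
      - uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
      - uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
      - name: Set LDFLAGS
        id: ldflags
        run: |
          source ./release/ldflags.sh
          goflags=$(ldflags)
          # Keep the whole assignment inside one quoted string so the flag
          # value is written to GITHUB_ENV verbatim, without word splitting.
          echo "GO_FLAGS=${goflags}" >> "$GITHUB_ENV"
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LDFLAGS: ${{ env.GO_FLAGS }}
      - name: Generate subject
        id: hash
        env:
          # GoReleaser's artifact list as JSON; passed via env rather than
          # interpolated into the script so its content is never re-parsed
          # by the shell.
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          # Quoted so a path containing whitespace is read as one file; with
          # `set -e` a missing checksum file fails the step instead of
          # emitting an empty subject list.
          echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"
      - name: Set tag output
        id: tag
        # Strips the "refs/tags/" prefix, leaving the bare tag name.
        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [release]
    permissions:
      actions: read  # To read the workflow path.
      id-token: write  # To sign the provenance.
      contents: write  # To add assets to a release.
    # NOTE(review): the reusable SLSA generator is referenced by tag rather
    # than by SHA; presumably because the SLSA verifier matches the builder
    # by its tagged version — confirm against the generator's own guidance
    # before changing the reference style.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      base64-subjects: "${{ needs.release.outputs.hashes }}"
      upload-assets: true
      upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release
      draft-release: true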