diff options
Diffstat (limited to '.github/workflows/release.yml')
-rw-r--r-- | .github/workflows/release.yml | 78 |
1 files changed, 78 insertions, 0 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000..abdaad3 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,78 @@ +name: goreleaser + +on: + push: + tags: ['*'] + +jobs: + goreleaser: + runs-on: ubuntu-latest + outputs: + hashes: ${{ steps.hash.outputs.hashes }} + steps: + - uses: actions/checkout@v3 + - name: Unshallow + run: git fetch --prune --unshallow + - uses: actions/setup-go@v3 + with: + go-version: 1.18 + check-latest: true + - uses: goreleaser/goreleaser-action@v4.2.0 + id: run-goreleaser + with: + version: latest + args: release --rm-dist + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + - name: Generate subject + id: hash + env: + ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" + run: | + set -euo pipefail + + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)" + + provenance: + needs: [goreleaser] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0 + with: + base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" + upload-assets: true # upload to a new release + + verification: + needs: [goreleaser, provenance] + runs-on: ubuntu-latest + permissions: read-all + steps: + # Note: this will be replaced with the GHA in the future. + # See https://github.com/slsa-framework/slsa-verifier/issues/95 + - name: Install SLSA verifier + uses: slsa-framework/slsa-verifier/actions/installer@v2.0.1 + - name: Download assets + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz" + gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "multiple.intoto.jsonl" + - name: Verify assets + env: + CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }} + PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}" + run: | + set -euo pipefail + checksums=$(echo "$CHECKSUMS" | base64 -d) + while read -r line; do + fn=$(echo $line | cut -d ' ' -f2) + echo "Verifying $fn" + ./slsa-verifier-linux-amd64 -artifact-path "$fn" \ + -provenance "$PROVENANCE" \ + -source "github.com/$GITHUB_REPOSITORY" \ + -tag "$GITHUB_REF_NAME" + done <<<"$checksums" |