e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml
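# End-to-end test of the generic SLSA3 generator (referenced at @main) with
# GoReleaser-produced release assets carrying multiple subjects.
#
# Two entry paths, selected by the `if:` guards on the jobs below:
#   - schedule / workflow_dispatch -> `release` runs the create-release script
#     (presumably this produces the tag that fires the second path — see the
#     script itself).
#   - push of a `vX.Y.Z` tag -> shim -> build -> provenance -> verify -> report.
on:
  schedule:
    - cron: "0 2 * * *"
  workflow_dispatch:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+" # triggers only if push new tag version, like `v0.8.4` or else

# Workflow-wide default is read-only; each job requests only the extra
# scopes it needs.
permissions: read-all

concurrency: "e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3"

env:
  # Token used by `gh` in the helper scripts and by the `gh api` call in `build`.
  GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }}
  ISSUE_REPOSITORY: slsa-framework/slsa-github-generator
  DEFAULT_VERSION: v38.0.0

jobs:
  # Scheduled/manual path: create a release via the e2e helper script.
  release:
    runs-on: ubuntu-latest
    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - id: create
        run: ./.github/workflows/scripts/e2e-create-release.sh

  # Tag-push gate: the verify-release script sets the `continue` output, and
  # every downstream job checks it before doing any work.
  shim:
    runs-on: ubuntu-latest
    if: github.event_name == 'push' && github.ref_type == 'tag'
    outputs:
      continue: ${{ steps.verify.outputs.continue }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - id: verify
        run: ./.github/workflows/scripts/e2e-verify-release.sh

  # Build the release with GoReleaser and expose its checksum file (base64,
  # single line) as the provenance subjects for the `provenance` job.
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write # For uploading assets to release
    needs: [shim]
    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout code
        # Pinned to the same commit as the other checkout steps in this file
        # instead of the mutable `v4` tag.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      # Resolves this workflow's file name from the run metadata; the 4th
      # dot-separated field of that name is the branch under test (`main` for
      # this file). Version and commit in the ldflags are fixed placeholders
      # because this is a test build.
      - name: Generate version flags
        id: args
        run: |
          set -euo pipefail
          THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3)
          BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4)
          SOURCE_DATE_EPOCH=$(git log --date=iso8601-strict -1 --pretty=%ct)
          GIT_TREESTATE=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)
          echo "version_flags=-X main.gitVersion=v1.2.3 -X main.gitCommit=abcdef -X main.gitBranch=${BRANCH} -X main.gitTreeState=${GIT_TREESTATE} -X main.buildDate=${SOURCE_DATE_EPOCH} -w" >> "${GITHUB_OUTPUT}"
      - name: Run GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        with:
          version: latest
          args: release --clean
          workdir: ./e2e/goreleaser
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION_LDFLAGS: ${{ steps.args.outputs.version_flags }}
      # Picks the artifact of type "Checksum" out of GoReleaser's artifact list
      # and emits its contents base64-encoded on one line.
      - name: Generate subject
        id: hash
        env:
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        working-directory: ./e2e/goreleaser
        run: |
          set -euo pipefail
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          echo "hashes=$(base64 -w0 <"$checksum_file")" >> "${GITHUB_OUTPUT}"

  # Generate and upload SLSA3 provenance for the subjects produced by `build`.
  # The reusable workflow is referenced at `@main` deliberately: this e2e test
  # exercises the generator's main branch (the branch is encoded in the file
  # name, see the `args` step above).
  provenance:
    needs: [shim, build]
    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
    permissions:
      id-token: write # For signing.
      contents: write # For asset uploads.
      actions: read # For the entrypoint.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      compile-generator: true
      upload-assets: true

  # Download the release assets and run the generic verify script once per
  # file listed in the checksum file (2nd column of each line).
  verify:
    runs-on: ubuntu-latest
    needs: [shim, build, provenance]
    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Download assets
        run: gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME"
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
        with:
          go-version: "1.21"
      - env:
          CHECKSUMS_B64: ${{ needs.build.outputs.hashes }}
          # Consumed by the verify script below (not referenced directly here).
          PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
        run: |
          set -euo pipefail
          checksums=$(echo "${CHECKSUMS_B64}" | base64 -d)
          while read -r line; do
            fn=$(echo "$line" | awk '{ print $2 }')
            echo "Verifying $fn"
            BINARY="$fn" ./.github/workflows/scripts/e2e.generic.default.verify.sh
          done <<<"$checksums"

  # Reporting: exactly one of the two jobs below runs for a gated tag push.
  if-succeeded:
    runs-on: ubuntu-latest
    needs: [shim, build, provenance, verify]
    if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success'
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: ./.github/workflows/scripts/e2e-report-success.sh

  # `always()` is needed so this job is evaluated even after an upstream
  # failure; the remaining conditions narrow it to the failure case.
  if-failed:
    runs-on: ubuntu-latest
    needs: [shim, build, provenance, verify]
    if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure')
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - run: ./.github/workflows/scripts/e2e-report-failure.sh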