ci: create SLSA Provenance and sign checksum files by Cosign

suzuki-shunsuke · Jan 15, 2023 · fc155f8 · fc155f8
1 parent 011edc9
commit fc155f8
Show file tree

Hide file tree

Showing 6 changed files with 92 additions and 112 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,18 @@
+---
+name: Release
+on:
+  push:
+    tags: [v*]
+permissions: {}
+jobs:
+  release:
+    uses: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml@8e0d6d2a7171206b9d95b3b59fe74f8333b1be1b # v0.1.0
+    with:
+      homebrew: true
+    secrets:
+      gh_app_id: ${{ secrets.APP_ID }}
+      gh_app_private_key: ${{ secrets.APP_PRIVATE_KEY }}
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
diff --git a/.github/workflows/test-release.yaml b/.github/workflows/test-release.yaml
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -3,46 +3,13 @@ name: test
 on:
   push:
     branches: [main]
-    tags: [v*]
   pull_request:
     branches: [main]
+permissions: {}
 jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3
-    - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3
-      with:
-        go-version: '1.18.1'
-
-    - uses: aquaproj/aqua-installer@a39f721a15ed34ccbc85706e6e8ae8572c9ca9c6 # v1.2.0
-      with:
-        aqua_version: v1.31.0
-    - uses: suzuki-shunsuke/github-action-golangci-lint@4b6bb7682772359cf0e7959932803ca2ff998895 # v0.1.4
-
-    - run: go test -v ./... -race -covermode=atomic
-
-    - name: Generate token
-      id: generate_token
-      if: startsWith(github.ref, 'refs/tags/')
-      uses: tibdex/github-app-token@021a2405c7f990db57f5eae5397423dcc554159c # v1
-      with:
-        app_id: ${{ secrets.APP_ID }}
-        private_key: ${{ secrets.APP_PRIVATE_KEY }}
-
-    - name: remove changes
-      # Sometimes it is failed to release by goreleaser due to changes of go.sum
-      run: git checkout -- .
-    - name: fetch tags to release
-      run: git fetch --tags
-    - name: Unshallow
-      run: git fetch --prune --unshallow
-    - name: Run GoReleaser
-      uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3
-      if: startsWith(github.ref, 'refs/tags/')
-      with:
-        version: latest
-        args: release --rm-dist
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+  test:
+    uses: suzuki-shunsuke/go-test-workflow/.github/workflows/test.yaml@fc631d6d1b9b19730fc20dcde15966497469d7fe # v0.1.1
+    with:
+      aqua_policy_config: aqua-policy.yaml
+    permissions:
+      pull-requests: write
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -1,53 +1,71 @@
 ---
 project_name: renovate-issue-action
 archives:
-- name_template: "{{.ProjectName}}_{{.Os}}_{{.Arch}}"
+  - name_template: "{{.ProjectName}}_{{.Os}}_{{.Arch}}"
 builds:
-- binary: renovate-issue-action
-  main: cmd/renovate-issue-action/main.go
-  env:
-  - CGO_ENABLED=0
-  goos:
-  - darwin
-  - linux
-  goarch:
-  - amd64
-  - arm64
+  - binary: renovate-issue-action
+    main: cmd/renovate-issue-action/main.go
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - darwin
+      - linux
+    goarch:
+      - amd64
+      - arm64
 release:
   prerelease: true
   header: |
     [Pull Requests](https://github.com/suzuki-shunsuke/renovate-issue-action/pulls?q=is%3Apr+milestone%3A{{.Tag}}) | [Issues](https://github.com/suzuki-shunsuke/renovate-issue-action/issues?q=is%3Aissue+milestone%3A{{.Tag}}) | https://github.com/suzuki-shunsuke/renovate-issue-action/compare/{{.PreviousTag}}...{{.Tag}}
 brews:
--
-  # NOTE: make sure the url_template, the token and given repo (github or gitlab) owner and name are from the
-  # same kind. We will probably unify this in the next major version like it is done with scoop.
+  -
+    # NOTE: make sure the url_template, the token and given repo (github or gitlab) owner and name are from the
+    # same kind. We will probably unify this in the next major version like it is done with scoop.
 
-  # GitHub/GitLab repository to push the formula to
-  tap:
-    owner: suzuki-shunsuke
-    name: homebrew-renovate-issue-action
-    token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
-  # The project name and current git tag are used in the format string.
-  commit_msg_template: "Brew formula update for {{ .ProjectName }} version {{ .Tag }}"
-  # Your app's homepage.
-  # Default is empty.
-  homepage: https://github.com/suzuki-shunsuke/renovate-issue-action
+    # GitHub/GitLab repository to push the formula to
+    tap:
+      owner: suzuki-shunsuke
+      name: homebrew-renovate-issue-action
+      token: "{{ .Env.HOMEBREW_TAP_GITHUB_TOKEN }}"
+    # The project name and current git tag are used in the format string.
+    commit_msg_template: "Brew formula update for {{ .ProjectName }} version {{ .Tag }}"
+    # Your app's homepage.
+    # Default is empty.
+    homepage: https://github.com/suzuki-shunsuke/renovate-issue-action
 
-  # Template of your app's description.
-  # Default is empty.
-  description: |
-    Create, update, and close GitHub Issues with GitHub Actions according to Renovate Pull Requests
-  license: MIT
+    # Template of your app's description.
+    # Default is empty.
+    description: |
+      Create, update, and close GitHub Issues with GitHub Actions according to Renovate Pull Requests
+    license: MIT
 
-  # Setting this will prevent goreleaser to actually try to commit the updated
-  # formula - instead, the formula file will be stored on the dist folder only,
-  # leaving the responsibility of publishing it to the user.
-  # If set to auto, the release will not be uploaded to the homebrew tap
-  # in case there is an indicator for prerelease in the tag e.g. v1.0.0-rc1
-  # Default is false.
-  skip_upload: auto
+    # Setting this will prevent goreleaser to actually try to commit the updated
+    # formula - instead, the formula file will be stored on the dist folder only,
+    # leaving the responsibility of publishing it to the user.
+    # If set to auto, the release will not be uploaded to the homebrew tap
+    # in case there is an indicator for prerelease in the tag e.g. v1.0.0-rc1
+    # Default is false.
+    skip_upload: auto
 
-  # So you can `brew test` your formula.
-  # Default is empty.
-  test: |
-    system "#{bin}/renovate-issue-action --version"
+    # So you can `brew test` your formula.
+    # Default is empty.
+    test: |
+      system "#{bin}/renovate-issue-action --version"
+
+signs:
+  - cmd: cosign
+    artifacts: checksum
+    signature: ${artifact}.sig
+    certificate: ${artifact}.pem
+    output: true
+    env:
+      - COSIGN_EXPERIMENTAL=1
+    args:
+      - sign-blob
+      - --output-signature
+      - ${signature}
+      - --output-certificate
+      - ${certificate}
+      - --oidc-provider
+      - github
+      - ${artifact}
diff --git a/aqua-policy.yaml b/aqua-policy.yaml
@@ -0,0 +1,8 @@
+---
+# aqua Policy
+# https://aquaproj.github.io/docs/tutorial-extras/policy-as-code
+registries:
+- type: standard
+  ref: semver(">= 3.0.0")
+packages:
+- registry: standard
diff --git a/aqua.yaml b/aqua.yaml
@@ -8,3 +8,4 @@ packages:
 - name: rhysd/actionlint@v1.6.22
 - name: golangci/golangci-lint@v1.45.2
 - name: reviewdog/reviewdog@v0.14.1
+- name: sigstore/cosign@v1.13.1