Releases: toaweme/codereport
Releases · toaweme/codereport
Release list
v0.2.0
codereport generates a repo's code.json code-view and publishes it to code.toawe.me. This is the first cosign-signed release.
Use in CI
Add the codereport action to a workflow. It installs this release, generates the repo's code.json, and OIDC-publishes it to code.toawe.me.
- uses: toaweme/codereport@v0.2.0
with:
publish-url: https://code.toawe.me/ingest?kind=codeThe job needs permissions: id-token: write for the OIDC publish. Private Go deps need a token wired via git insteadOf + GOPRIVATE in an earlier step, since codereport type-checks the source it reads.
Run the binary directly
# linux x64, swap os/arch as needed
wget -qO- https://github.com/toaweme/codereport/releases/download/v0.2.0/codereport_0.2.0_linux_x64.tar.gz | tar xz
./codereport -o code.jsonVerify
checksums.txt is keyless-signed with cosign. Verifying it transitively verifies every archive it lists.
cosign verify-blob \
--bundle checksums.txt.sigstore.json \
--certificate-identity-regexp 'https://github.com/toaweme/docgen/.github/workflows/release.yml@.*' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
checksums.txt