Skip to content

chore: use draft-release for slsa provenance #12

chore: use draft-release for slsa provenance

chore: use draft-release for slsa provenance #12

Workflow file for this run

name: Release
on:
push:
tags:
- "v*"
jobs:
goreleaser:
name: Goreleaser
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-22.04]
go: ["1.22.3"]
permissions:
attestations: write
id-token: write
contents: write
packages: write
steps:
- name: Setup Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version: ${{ matrix.go }}
- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
- name: Install syft
uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
- name: Install ko
uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
- name: Code checkout
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 0
# https://github.com/actions/checkout/issues/290#issuecomment-680260080
- name: Fetch upstream tags
run: git fetch --tags --force
- name: Run Goreleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_EXPERIMENTAL: 1
with:
args: release --clean
- name: Generate SLSA metadata
id: slsa
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
METADATA: "${{ steps.run-goreleaser.outputs.metadata }}"
run: |
set -euo pipefail
checksum_file=$(echo "${ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
tag_name=$(echo "${METADATA}" | jq -r '.tag')
echo "tag_name=${tag_name}" >> "$GITHUB_OUTPUT"
outputs:
hashes: "${{ steps.slsa.outputs.hashes }}"
tag_name: "${{ steps.slsa.outputs.tag_name }}"
provenance:
name: Provenance
needs:
- goreleaser
permissions:
actions: read
id-token: write
contents: write
# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
provenance-name: "provenance.intoto.jsonl"
upload-assets: true
# Use the existing release created by Goreleaser instead of creating another.
upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"
draft-release: true