fix(pkg/driver): fixed tests. #35

Workflow file for this run

.github/workflows/release.yaml at 38ea1a3

	name: Release

	on:
	push:
	tags:
	- 'v*'

	jobs:
	goreleaser:
	runs-on: ubuntu-22.04
	permissions:
	contents: write # To add assets to a release.
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	steps:
	- name: Checkout
	uses: actions/checkout@1d96c772d19495a3b5c517cd2bc0cb401ea0529f # v4.1.3
	with:
	fetch-depth: 0

	- name: Fetch all tags
	run: git fetch --force --tags

	- name: Setup Go
	uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
	with:
	go-version: '1.21'
	check-latest: true

	- name: Run GoReleaser
	id: run-goreleaser
	uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
	with:
	distribution: goreleaser
	version: latest
	args: release --clean
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Generate subject
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	checksum_file=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Checksum") \| .path')
	echo "hashes=$(cat $checksum_file \| base64 -w0)" >> "$GITHUB_OUTPUT"

	provenance-for-binaries:
	needs: [goreleaser]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
	with:
	base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
	upload-assets: true # upload to a new release

	verification:
	needs: [goreleaser, provenance-for-binaries]
	runs-on: ubuntu-latest
	permissions: read-all
	steps:
	- name: Install the verifier
	uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1

	- name: Download assets
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PROVENANCE: "${{ needs.provenance-for-binaries.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"

	- name: Verify assets
	env:
	CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
	PROVENANCE: "${{ needs.provenance-for-binaries.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	checksums=$(echo "$CHECKSUMS" \| base64 -d)
	while read -r line; do
	fn=$(echo $line \| cut -d ' ' -f2)
	echo "Verifying $fn"
	slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
	--source-uri "github.com/$GITHUB_REPOSITORY" \
	--source-tag "$GITHUB_REF_NAME" \
	"$fn"
	done <<<"$checksums"

	docker-configure:
	runs-on: ubuntu-22.04
	outputs:
	release: ${{ steps.vars.outputs.release }}
	commit: ${{ steps.vars.outputs.commit }}
	build_date: ${{ steps.vars.outputs.build_date }}
	steps:
	- name: Set version fields
	id: vars
	run: \|
	echo "release=$(echo $GITHUB_REF \| cut -d / -f 3 \| sed 's/^v//')" >> $GITHUB_OUTPUT
	echo "commit=${{ github.sha }}" >> $GITHUB_OUTPUT
	echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT

	docker-image:
	needs: docker-configure
	uses: ./.github/workflows/docker-image.yaml
	secrets: inherit
	permissions:
	contents: read
	packages: write
	id-token: write # needed for signing the images with GitHub OIDC Token
	with:
	release: ${{ needs.docker-configure.outputs.release }}
	commit: ${{ needs.docker-configure.outputs.commit }}
	build_date: ${{ needs.docker-configure.outputs.build_date }}
	sign: true

	provenance-for-images-docker:
	needs: [docker-configure, docker-image]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
	with:
	image: docker.io/falcosecurity/falcoctl
	# The image digest is used to prevent TOCTOU issues.
	# This is an output of the docker/build-push-action
	# See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
	digest: ${{ needs.docker-image.outputs.digest }}
	secrets:
	registry-username: ${{ secrets.DOCKERHUB_USER }}
	registry-password: ${{ secrets.DOCKERHUB_SECRET }}

	login-to-amazon-ecr:
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	id-token: write
	steps:
	- name: Configure AWS credentials
	uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
	with:
	role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcoctl-ecr
	aws-region: us-east-1

	- name: Login to Amazon ECR
	id: login-ecr-public
	uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
	with:
	registry-type: public
	mask-password: 'false'
	outputs:
	registry: ${{ steps.login-ecr-public.outputs.registry }}
	docker_username: ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }}
	docker_password: ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }}

	provenance-for-images-aws-ecr:
	needs: [docker-configure, docker-image, login-to-amazon-ecr]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
	with:
	image: public.ecr.aws/falcosecurity/falcoctl
	# The image digest is used to prevent TOCTOU issues.
	# This is an output of the docker/build-push-action
	# See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
	digest: ${{ needs.docker-image.outputs.digest }}
	secrets:
	registry-username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
	registry-password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix(pkg/driver): fixed tests. #35

Workflow file

fix(pkg/driver): fixed tests. #35

Jobs

Run details

Workflow file for this run