Skip to content

build: declare FURY_TOKEN #2

build: declare FURY_TOKEN

build: declare FURY_TOKEN #2

Workflow file for this run

---
jobs:
goreleaser:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image: ${{ steps.digest.outputs.name }}
digest: ${{ steps.digest.outputs.digest }}
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- run: git fetch --force --tags
- uses: actions/setup-go@v5.0.0
with:
cache: true
go-version: ">=1.20.2"
- uses: sigstore/cosign-installer@v3.4.0
- uses: anchore/sbom-action/download-syft@v0.15.9
- id: import_gpg
uses: crazy-max/ghaction-import-gpg@v6.1.0
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
- uses: docker/login-action@v3.0.0
with:
password: ${{ secrets.GH_PAT }}
registry: ghcr.io
username: mcornick
- run: |
sudo apt-get update
sudo apt-get install -y nix-bin
sudo systemctl enable --now nix-daemon
sudo chmod -R 777 /nix/var/nix/daemon-socket
- env:
AUR_KEY: ${{ secrets.AUR_KEY }}
FURY_TOKEN: ${{ secrets.FURY_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
MASTODON_ACCESS_TOKEN: ${{ secrets.MASTODON_ACCESS_TOKEN }}
MASTODON_CLIENT_ID: ${{ secrets.MASTODON_CLIENT_ID }}
MASTODON_CLIENT_SECRET: ${{ secrets.MASTODON_CLIENT_SECRET }}
id: goreleaser
uses: goreleaser/goreleaser-action@v5.0.0
with:
args: release --clean
version: latest
- env:
ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
id: hash
run: |
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
- env:
ARTIFACTS: ${{ steps.goreleaser.outputs.artifacts }}
id: digest
run: |
set -euo pipefail
image_and_digest=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Docker Manifest") | .path')
image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1)
digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
echo "name=$image" >> "$GITHUB_OUTPUT"
echo "digest=$digest" >> "$GITHUB_OUTPUT"
binary-provenance:
needs:
- goreleaser
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
image-provenance:
needs:
- goreleaser
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.9.0
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GH_PAT }}
name: goreleaser
"on":
push:
tags:
- "*"
permissions:
contents: write
id-token: write
issues: write
packages: write