Skip to content

update

update #1129

Workflow file for this run

name: build
on:
push:
pull_request:
workflow_dispatch:
jobs:
lint:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- name: Shellcheck
run: make shellcheck
- name: Update README
run: make update-readme
- name: Check if README is up-to date
run: git diff --exit-code README.md
snapshot:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
version: latest
args: release --snapshot --clean
build:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
actions: read
contents: write
packages: write
id-token: write
outputs:
manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }}
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Install Cosign
uses: sigstore/cosign-installer@v3.4.0
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: GoReleaser
uses: goreleaser/goreleaser-action@v5
id: goreleaser
with:
version: latest
args: release --clean --skip validate
env:
# Overrde to avoid tagging.
GORELEASER_CURRENT_TAG: 7.5.1-debug1
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Get Manifest Digest
id: get-manifest-digest
run: |
set -euo pipefail
digest=$(jq -r --arg img ghcr.io/tprasadtp/protonwire:${{github.sha}} '.[] | select (.name==$img) | .extra.Digest' dist/artifacts.json
if [[ -z $digest ]]; then
echo "failed to get digest"
exit 1
fi
echo "hash=${digest}" >> "$GITHUB_OUTPUT"
provenance:
if: github.event_name != 'pull_request'
needs:
- build
permissions:
contents: read
actions: read
id-token: write
packages: write
strategy:
fail-fast: false
matrix:
image:
- ghcr.io/tprasadtp/protonwire
- ghcr.io/tprasadtp/protonvpn
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
registry-username: ${{ github.actor }}
digest: ${{ needs.build.outputs.manifest-digest }}
image: ${{ matrix.image }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
verification:
if: github.event_name != 'pull_request'
needs:
- build
- provenance
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
strategy:
fail-fast: false
matrix:
image:
- ghcr.io/tprasadtp/protonwire
- ghcr.io/tprasadtp/protonvpn
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Install SLSA verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Verify SLSA Provenance
run: |
slsa-verifier \
--source-uri github.com/${{ github.repository }} \
verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }}
- name: Verify Cosign Signature
run: |
cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \
--certificate-identity-regexp "^https://github.com/${{ github.repository }}" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
--certificate-github-workflow-repository "${{ github.repository }}" \
--certificate-github-workflow-sha ${{ github.sha }}