update #1130
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| # lint: | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # - name: Shellcheck | |
| # run: make shellcheck | |
| # - name: Update README | |
| # run: make update-readme | |
| # - name: Check if README is up-to date | |
| # run: git diff --exit-code README.md | |
| # snapshot: | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # with: | |
| # fetch-depth: 0 | |
| # persist-credentials: false | |
| # - name: Set up QEMU | |
| # uses: docker/setup-qemu-action@v3 | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@v3 | |
| # - name: GoReleaser | |
| # uses: goreleaser/goreleaser-action@v5 | |
| # with: | |
| # version: latest | |
| # args: release --snapshot --clean | |
| build: | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: write | |
| packages: write | |
| id-token: write | |
| outputs: | |
| manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.4.0 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: GoReleaser | |
| uses: goreleaser/goreleaser-action@v5 | |
| id: goreleaser | |
| with: | |
| version: latest | |
| args: release --clean --skip validate | |
| env: | |
| # Overrde to avoid tagging. | |
| GORELEASER_CURRENT_TAG: 7.5.1-debug1 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Get Manifest Digest | |
| id: get-manifest-digest | |
| run: | | |
| set -euo pipefail | |
| digest=$(jq -r --arg img ghcr.io/tprasadtp/protonwire:${{github.sha}} '.[] | select (.name==$img) | .extra.Digest' dist/artifacts.json | |
| if [[ -z $digest ]]; then | |
| echo "failed to get digest" | |
| exit 1 | |
| fi | |
| echo "hash=${digest}" >> "$GITHUB_OUTPUT" | |
| provenance: | |
| if: github.event_name != 'pull_request' | |
| needs: | |
| - build | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - ghcr.io/tprasadtp/protonwire | |
| - ghcr.io/tprasadtp/protonvpn | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 | |
| with: | |
| registry-username: ${{ github.actor }} | |
| digest: ${{ needs.build.outputs.manifest-digest }} | |
| image: ${{ matrix.image }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| verification: | |
| if: github.event_name != 'pull_request' | |
| needs: | |
| - build | |
| - provenance | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - ghcr.io/tprasadtp/protonwire | |
| - ghcr.io/tprasadtp/protonvpn | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Install SLSA verifier | |
| uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Verify SLSA Provenance | |
| run: | | |
| slsa-verifier \ | |
| --source-uri github.com/${{ github.repository }} \ | |
| verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} | |
| - name: Verify Cosign Signature | |
| run: | | |
| cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \ | |
| --certificate-identity-regexp "^https://github.com/${{ github.repository }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| --certificate-github-workflow-repository "${{ github.repository }}" \ | |
| --certificate-github-workflow-sha ${{ github.sha }} |