fix sign workflow #1143
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: build | |
| on: | |
| push: | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: stable | |
| - name: Install Task | |
| run: go install github.com/go-task/task/v3/cmd/task@latest | |
| - name: Shellcheck | |
| run: task --verbose shellcheck | |
| - name: Update README | |
| run: task --verbose update-readme | |
| - name: Check if README is up-to date | |
| run: git diff --exit-code README.md | |
| # build-pull: | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # steps: | |
| # - uses: actions/checkout@v4 | |
| # with: | |
| # fetch-depth: 0 | |
| # persist-credentials: false | |
| # - name: Set up QEMU | |
| # uses: docker/setup-qemu-action@v3 | |
| # - name: Set up Docker Buildx | |
| # uses: docker/setup-buildx-action@v3 | |
| # - name: GoReleaser | |
| # uses: goreleaser/goreleaser-action@v5 | |
| # with: | |
| # version: latest | |
| # args: release --snapshot --clean | |
| build: | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| outputs: | |
| manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Setup Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: stable | |
| - name: Install Task | |
| run: go install github.com/go-task/task/v3/cmd/task@latest | |
| - name: Build Images | |
| run: task --verbose build-images | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Push Images | |
| run: task --verbose push-images | |
| - name: Push Manifests | |
| run: task --verbose push-manifests | |
| - name: Get Manifest Digest | |
| id: get-manifest-digest | |
| run: | | |
| set -euo pipefail | |
| digest=$(go run internal/tasks/main.go digest ghcr.io/tprasadtp/protonwire:${{github.sha}}) | |
| if [[ -z $digest ]]; then | |
| echo "failed to get digest" | |
| exit 1 | |
| fi | |
| echo "digest=${digest}" >> "$GITHUB_OUTPUT" | |
| sign: | |
| if: github.event_name != 'pull_request' | |
| runs-on: ubuntu-latest | |
| needs: | |
| - lint | |
| - build | |
| permissions: | |
| contents: read | |
| actions: read | |
| packages: write | |
| id-token: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - ghcr.io/tprasadtp/protonwire | |
| - ghcr.io/tprasadtp/protonvpn | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Images | |
| run: | | |
| cosign sign \ | |
| --yes \ | |
| --recursive \ | |
| --oidc-provider=github-actions \ | |
| ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} | |
| provenance: | |
| if: github.event_name != 'pull_request' | |
| needs: | |
| - lint | |
| - build | |
| permissions: | |
| contents: read | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - ghcr.io/tprasadtp/protonwire | |
| - ghcr.io/tprasadtp/protonvpn | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 | |
| with: | |
| registry-username: ${{ github.actor }} | |
| digest: ${{ needs.build.outputs.manifest-digest }} | |
| image: ${{ matrix.image }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| verification: | |
| if: github.event_name != 'pull_request' | |
| needs: | |
| - build | |
| - sign | |
| - provenance | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| image: | |
| - ghcr.io/tprasadtp/protonwire | |
| - ghcr.io/tprasadtp/protonvpn | |
| steps: | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Install SLSA verifier | |
| uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Verify SLSA Provenance | |
| run: | | |
| slsa-verifier \ | |
| --source-uri github.com/${{ github.repository }} \ | |
| verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} | |
| - name: Verify Cosign Signature | |
| run: | | |
| cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \ | |
| --certificate-identity-regexp "^https://github.com/${{ github.repository }}" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ | |
| --certificate-github-workflow-repository "${{ github.repository }}" \ | |
| --certificate-github-workflow-sha ${{ github.sha }} |