workflow updates

.github/workflows/build.yml

@@ -4,16 +4,26 @@ on:
  pull_request:
  workflow_dispatch:
 jobs:
- shellcheck:
+ lint:
  runs-on: ubuntu-latest
+ permissions:
+ contents: read
  steps:
  - uses: actions/checkout@v4
 
  - name: Shellcheck
  run: make shellcheck
 
- build:
+ - name: Update README
+ run: make update-readme
+
+ - name: Check if README is up-to date
+ run: git diff --exit-code README.md
+
+ snapshot:
  runs-on: ubuntu-latest
+ permissions:
+ contents: read
  steps:
  - uses: actions/checkout@v4
  with:
@@ -32,13 +42,121 @@ jobs:
  version: latest
  args: release --snapshot --clean
 
- test:
+ build:
+ if: github.event_name != 'pull_request'
  runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ contents: write
+ packages: write
+ id-token: write
+ outputs:
+ manifest-digest: ${{ steps.get-manifest-digest.outputs.digest }}
  steps:
  - uses: actions/checkout@v4
  with:
  fetch-depth: 0
  persist-credentials: false
 
- - name: Build docker image
- run: make docker
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.4.0
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: GoReleaser
+ uses: goreleaser/goreleaser-action@v5
+ id: goreleaser
+ with:
+ version: latest
+ args: release --clean --skip validate
+ env:
+ # Overrde to avoid tagging.
+ GORELEASER_CURRENT_TAG: 7.5.1-debug1
+
+ - name: Get Manifest Digest
+ id: get-manifest-digest
+ run: |
+ set -euo pipefail
+ digest=$(jq -r --arg img ghcr.io/tprasadtp/protonwire:${{github.sha}} '.[] | select (.name==$img) | .extra.Digest' ${{steps.goreleaser.outputs.artifacts}}
+ if [[ -z $digest ]]; then
+ echo "failed to get digest"
+ exit 1
+ fi
+ echo "hash=${digest}" >> "$GITHUB_OUTPUT"
+
+ provenance:
+ if: github.event_name != 'pull_request'
+ needs:
+ - build
+ permissions:
+ contents: read
+ actions: read
+ id-token: write
+ packages: write
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - ghcr.io/tprasadtp/protonwire
+ - ghcr.io/tprasadtp/protonvpn
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
+ with:
+ registry-username: ${{ github.actor }}
+ digest: ${{ needs.build.outputs.manifest-digest }}
+ image: ${{ matrix.image }}
+ secrets:
+ registry-password: ${{ secrets.GITHUB_TOKEN }}
+
+ verification:
+ if: github.event_name != 'pull_request'
+ needs:
+ - build
+ - provenance
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
+ strategy:
+ fail-fast: false
+ matrix:
+ image:
+ - ghcr.io/tprasadtp/protonwire
+ - ghcr.io/tprasadtp/protonvpn
+ steps:
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3
+
+ - name: Install SLSA verifier
+ uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
+
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Verify SLSA Provenance
+ run: |
+ slsa-verifier \
+ --source-uri github.com/${{ github.repository }} \
+ verify-image ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }}
+
+ - name: Verify Cosign Signature
+ run: |
+ cosign verify ${{ matrix.image }}@${{ needs.build.outputs.manifest-digest }} \
+ --certificate-identity-regexp "^https://github.com/${{ github.repository }}" \
+ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+ --certificate-github-workflow-repository "${{ github.repository }}" \
+ --certificate-github-workflow-sha ${{ github.sha }}

.github/workflows/metadata.yml

@@ -22,6 +22,12 @@ jobs:
  runs-on: ubuntu-latest
  # exclude dependabot from running this workflow.
  if: ${{ github.actor != 'dependabot[bot]' }}
+ permissions:
+ pages: write
+ id-token: write
+ environment:
+ name: github-pages
+ url: ${{ steps.github-pages-deploy.outputs.page_url }}
  steps:
  - name: Checkout project repo
  uses: actions/checkout@v4
@@ -47,17 +53,17 @@ jobs:
  uses: actions/create-github-app-token@v1
  id: bot-token
  with:
- app-id: ${{ vars.METADATA_BOT_APP_ID }}
- repositories: ${{ vars.METADATA_REPO_NAME }}
  owner: ${{ vars.METADATA_REPO_OWNER }}
+ app-id: ${{ vars.METADATA_BOT_APP_ID }}
  private-key: ${{ secrets.METADATA_BOT_APP_PRIVATE_KEY }}
+ repositories: ${{ vars.METADATA_REPO_NAME }}
 
  - name: Checkout metadata repo to protonwire-api-deploy
  uses: actions/checkout@v4
  with:
- repository: ${{ vars.METADATA_REPO }}
  path: protonwire-api-deploy
  token: ${{ steps.bot-token.outputs.token }}
+ repository: ${{ vars.METADATA_REPO }}
  persist-credentials: true
 
  - name: Configure git and remove stale data
@@ -75,10 +81,20 @@ jobs:
  ./metadata/ \
  ${GITHUB_WORKSPACE}/protonwire-api-deploy/
 
+ - name: Upload GitHub Pages artifact
+ uses: actions/upload-pages-artifact@v3
+ with:
+ path: metadata
+
  - name: Push Metadata (if on master)
  working-directory: protonwire-api-deploy
  if: github.ref == 'refs/heads/master'
  run: |
  git add --all
  git commit -m "Updated at - $(date)"
  git push -u origin master
+
+ - name: Deploy to GitHub Pages (if on master)
+ if: github.ref == 'refs/heads/master'
+ id: github-pages-deploy
+ uses: actions/deploy-pages@v4

.github/workflows/release.yml

@@ -5,18 +5,8 @@ on:
  tags:
  - "**"
 jobs:
- shellcheck:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- steps:
- - uses: actions/checkout@v4
- - name: Shellcheck
- run: make shellcheck
  build:
  runs-on: ubuntu-latest
- needs:
- - shellcheck
  permissions:
  contents: write
  packages: write