-
Notifications
You must be signed in to change notification settings - Fork 0
67 lines (64 loc) · 2.02 KB
/
release.yml
File metadata and controls
67 lines (64 loc) · 2.02 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
name: release
on:
push:
tags:
- 'v*.*.*'
permissions:
contents: write
id-token: write
attestations: write
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- uses: goreleaser/goreleaser-action@v6
with:
version: v2.13.3
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
- name: Verify release checksums
run: ./scripts/verify_release_artifacts.sh dist
- uses: anchore/sbom-action@v0
with:
artifact-name: sbom.spdx.json
output-file: sbom.spdx.json
- name: Install grype
uses: anchore/scan-action/download-grype@v4
- name: Vulnerability scan (dist)
run: grype dir:dist --fail-on high || grype dir:dist --fail-on critical
- uses: sigstore/cosign-installer@v3
- name: Sign checksums
run: |
cosign sign-blob --yes --output-signature dist/checksums.txt.sig --output-certificate dist/checksums.txt.pem dist/checksums.txt
- name: Verify signed checksums
run: ./scripts/verify_release_artifacts.sh dist
- name: Upload checksum signature assets to release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
gh release upload "${{ github.ref_name }}" \
dist/checksums.txt.sig \
dist/checksums.txt.pem \
--repo "${{ github.repository }}" \
--clobber
- name: Generate build provenance
uses: actions/attest-build-provenance@v2
with:
subject-path: |
dist/*
- uses: actions/upload-artifact@v4
with:
name: release-security-artifacts
path: |
dist/checksums.txt
dist/checksums.txt.sig
dist/checksums.txt.pem
sbom.spdx.json