ci: Split up image and binary verification. #716
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| # Test that it works on pull_request or merge group; | |
| # goreleaser is put into snapshot mode when not on a tag | |
| pull_request: | |
| merge_group: | |
| push: | |
| tags: | |
| - v* | |
| jobs: | |
| goreleaser: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| # goreleaser uploads artifacts to the releases api | |
| contents: write | |
| # goreleaser uploads images to container registry | |
| packages: write | |
| env: | |
| flags: "" | |
| outputs: | |
| hashes: ${{ steps.binary.outputs.hashes }} | |
| image: ${{ steps.image.outputs.name }} | |
| digest: ${{ steps.image.outputs.digest }} | |
| steps: | |
| #- if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| # run: echo "flags=--snapshot" >> $GITHUB_ENV | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - run: git fetch --force --tags | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| - uses: docker/[email protected] | |
| env: | |
| # Use docker.io for Docker Hub if empty | |
| REGISTRY: ghcr.io | |
| # github.repository as <account>/<repo> | |
| IMAGE_NAME: ${{ github.repository }} | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: goreleaser/goreleaser-action@v5 | |
| id: goreleaser | |
| with: | |
| version: latest | |
| args: release --clean ${{ env.flags }} | |
| env: | |
| GORELEASER_PREVIOUS_TAG: v3.0.0-rc56 | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: generate hashes for binary artifacts | |
| id: binary | |
| env: | |
| ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -exuo pipefail | |
| checksum_file=$(echo "${ARTIFACTS}" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| - name: generate digest for container image | |
| id: image | |
| env: | |
| ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -exuo pipefail | |
| image_and_digest=$(echo "${ARTIFACTS}" | jq -r '.[] | select (.type=="Docker Manifest") | .path' | head -n1) | |
| image=$(echo "${image_and_digest}" | cut -d'@' -f1 | cut -d':' -f1) | |
| digest=$(echo "${image_and_digest}" | cut -d'@' -f2) | |
| echo "name=${image}" >> "${GITHUB_OUTPUT}" | |
| echo "digest=${digest}" >> "${GITHUB_OUTPUT}" | |
| binary-provenance: | |
| needs: [goreleaser] | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" | |
| upload-assets: true # upload to a new release | |
| image-provenance: | |
| needs: [goreleaser] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| image: ${{ needs.goreleaser.outputs.image }} | |
| digest: ${{ needs.goreleaser.outputs.digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| binary-verify: | |
| needs: [goreleaser, binary-provenance] | |
| #if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: slsa-framework/slsa-verifier/actions/[email protected] | |
| - name: download assets | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}" | |
| run: | | |
| set -exuo pipefail | |
| gh release download "${GITHUB_REF_NAME}" --repo "${GITHUB_REPOSITORY}" | |
| - name: verify assets | |
| env: | |
| CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }} | |
| PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}" | |
| run: | | |
| set -exuo pipefail | |
| checksums=$(echo "$CHECKSUMS" | base64 -d) | |
| while read -r line; do | |
| fn=$(echo $line | cut -d ' ' -f2) | |
| echo "Verifying $fn" | |
| slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ | |
| --source-uri "github.com/$GITHUB_REPOSITORY" \ | |
| --source-tag "$GITHUB_REF_NAME" \ | |
| "$fn" | |
| done <<<"$checksums" | |
| image-verify: | |
| needs: [goreleaser, image-provenance] | |
| #if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Login | |
| uses: docker/[email protected] | |
| env: | |
| # Use docker.io for Docker Hub if empty | |
| REGISTRY: ghcr.io | |
| # github.repository as <account>/<repo> | |
| IMAGE_NAME: ${{ github.repository }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - name: Verify image | |
| env: | |
| IMAGE: ${{ needs.goreleaser.outputs.image }} | |
| DIGEST: ${{ needs.goreleaser.outputs.digest }} | |
| run: | | |
| cosign verify-attestation \ | |
| --type slsaprovenance \ | |
| --certificate-oidc-issuer https://token.actions.githubusercontent.com \ | |
| --certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \ | |
| $IMAGE@$DIGEST |