File: release.yml

package info (click to toggle)
gitsign 0.13.0-4
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 1,052 kB
  • sloc: makefile: 52; sh: 9
file content (70 lines) | stat: -rw-r--r-- 2,352 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
 
name: release

# run only on tags
on:
  push:
    tags:
      - 'v*'

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write # needed to write releases
      id-token: write # needed for keyless signing
      packages: write # needed for push images
      attestations: write
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
          persist-credentials: false

      - uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        with:
          go-version-file: 'go.mod'
          check-latest: true

      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

      - uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1

      - uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0

      - name: Set env
        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"

      - name: Login to GitHub Containers
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6.3.0
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KO_DOCKER_REPO: ghcr.io/sigstore/gitsign

      - name: get the digest
        id: digest
        run: |
          digest=$(crane digest ghcr.io/sigstore/gitsign:${RELEASE_VERSION})
          echo "digest=${digest}" >> "$GITHUB_OUTPUT"

      - name: sign image
        run: |
          cosign sign "ghcr.io/sigstore/gitsign@${DIGEST_TO_SIGN}"
        env:
          DIGEST_TO_SIGN: ${{ steps.digest.outputs.digest }}
          COSIGN_YES: true

      - name: Generate build provenance attestation
        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
        with:
          subject-name: ghcr.io/sigstore/gitsign
          subject-digest: ${{ steps.digest.outputs.digest }}
          push-to-registry: true