Skip to content

Bump actions/create-github-app-token from 1.9.0 to 1.9.1 (#1781) #1

Bump actions/create-github-app-token from 1.9.0 to 1.9.1 (#1781)

Bump actions/create-github-app-token from 1.9.0 to 1.9.1 (#1781) #1

Workflow file for this run

#
# Copyright 2022 The GUAC Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: release
on:
workflow_dispatch: # testing only, trigger manually to test it works
push:
branches:
- main
tags:
- 'v*'
permissions:
actions: read # for detecting the Github Actions environment.
contents: write # To upload assets to release.
packages: write # To publish container images to GHCR
id-token: write # needed for signing the images with GitHub OIDC Token
jobs:
goreleaser:
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image: ${{ steps.hash.outputs.image }}
digest: ${{ steps.hash.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: '1.21'
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # main
- name: Install syft
uses: anchore/sbom-action/download-syft@9fece9e20048ca9590af301449208b2b8861333b # v0.15.9
- name: Run GoReleaser Snapshot
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
id: run-goreleaser-snapshot
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
distribution: goreleaser
version: latest
args: release --clean --snapshot --skip-sign
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag
DOCKER_CONTEXT: default
- name: Run GoReleaser Release
if: startsWith(github.ref, 'refs/tags/')
id: run-goreleaser-release
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
distribution: goreleaser
version: latest
# use .goreleaser-nightly.yaml for nightly build; otherwise use the default
args: ${{ contains( github.ref, 'nightly' ) && 'release --clean -f .goreleaser-nightly.yaml' || 'release --clean' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_CONTEXT: default
- name: Generate hashes and extract image digest
id: hash
if: startsWith(github.ref, 'refs/tags/')
env:
ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
image=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).name | split(":")[0]')
echo "image=$image" >> $GITHUB_OUTPUT
digest=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).extra.Digest')
echo "digest=$digest" >> $GITHUB_OUTPUT
sbom-container:
# generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations
name: generate sbom for container
runs-on: ubuntu-latest
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v3
- name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy in fs mode to generate SBOM
uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # master
with:
scan-type: 'fs'
format: 'spdx-json'
output: 'spdx.sbom.json'
- name: Install cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # main
- name: Sign image and sbom
run: |
#!/usr/bin/env bash
set -euo pipefail
cosign attach sbom --sbom spdx.sbom.json ${IMAGE_URI_DIGEST}
cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
shell: bash
env:
IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}
provenance-bins:
name: generate provenance for binaries
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
provenance-container:
name: generate provenance for container
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
compose-tarball:
runs-on: ubuntu-latest
name: generate compose tarball
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag=v3
- name: Create and publish compose tarball
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
mkdir guac-compose
cp .env guac-compose/
cp docker-compose.yml guac-compose/
cp -r container_files guac-compose/
sed -i s/local-organic-guac/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-compose/.env
tar -zcvf guac-compose.tar.gz guac-compose/
rm -rf guac-compose/
gh release upload ${{ github.ref_name }} guac-compose.tar.gz
rm guac-compose.tar.gz
shell: bash
- name: Modify and publish demo compose yaml
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
cp container_files/guac-demo-compose.yaml .
sed -i s/\$GUAC_IMAGE/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-demo-compose.yaml
gh release upload ${{ github.ref_name }} guac-demo-compose.yaml
rm guac-demo-compose.yaml
shell: bash