From d72536216d07ceca3c26c9b4148a4982092270f5 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Wed, 7 Jun 2023 05:35:35 +0000
Subject: [PATCH] Fix actionlint errors

Signed-off-by: Ian Lewis
---
 ...iner-based.schedule.main.default.slsa3.yml | 4 +--
 ...edule.main.gcp-workload-identity.slsa3.yml | 31 ++++++++-----------
 ...ainer-based.schedule.main.matrix.slsa3.yml | 9 +++---
 .../e2e.container.push.main.default.slsa3.yml | 10 +++---
 ....schedule.main.continue-on-error.slsa3.yml | 12 +++----
 ...iner.tag.main.registry-username-secret.yml | 10 +++---
 ...ow_dispatch.main.workflow_inputs.slsa3.yml | 10 +++---
 .../e2e.generic.push.main.default.slsa3.yml | 4 +--
 ...eneric.push.main.upload-tag-name.slsa3.yml | 6 ++--
 ...e2e.generic.release.main.default.slsa3.yml | 4 +--
 ...c.schedule.main.attestation-name.slsa3.yml | 4 +--
 ...2e.generic.schedule.main.default.slsa3.yml | 4 +--
 .../e2e.generic.tag.branch1.default.slsa3.yml | 4 +--
 ...goreleaser-assets-multi-subjects.slsa3.yml | 10 +++---
 ...orkflow_dispatch.branch1.default.slsa3.yml | 4 +--
 ...e.main.config-ldflags-assets-tag.slsa3.yml | 12 ++++---
 ...ule.main.config-ldflags-main-dir.slsa3.yml | 17 +++++-----
 ....config-ldflags-assets-draft-tag.slsa3.yml | 13 +++++---
 ...ig-ldflags-assets-prerelease-tag.slsa3.yml | 12 ++++---
 ..._dispatch.branch1.config-ldflags.slsa3.yml | 20 +++++++-----
 .../workflows/pre-submit.golangci-lint.yml | 4 +--
 21 files changed, 107 insertions(+), 97 deletions(-)
diff --git a/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
index cd26f087b9..fdb2eafd23 100644
--- a/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
+++ b/.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
@@ -40,8 +40,8 @@ jobs: id: build run: | name=$(find outputs/ -type f | head -1) - cp $name . - echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}" + cp "$name" . + echo "name=$(basename "$name")" >> "${GITHUB_OUTPUT}" - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: name: ${{ needs.build.outputs.attestations-download-name }} diff --git a/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml index 8588651abc..329ab599a6 100644 --- a/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml +++ b/.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml @@ -36,11 +36,6 @@ jobs: contents: read # For reading repository contents. packages: write # For writing container images. id-token: write # For authenticating to Google Cloud Workload Identity - outputs: - image: ${{ steps.image.outputs.image }} - digest: ${{ steps.build.outputs.digest }} - service_account: ${{ steps.image.outputs.service_account }} - provider_name: ${{ steps.image.outputs.provider_name }} steps: - id: auth name: "Authenticate to Google Cloud" @@ -87,8 +82,6 @@ jobs: outputs: image: ${{ steps.image.outputs.image }} digest: ${{ steps.image.outputs.digest }} - service_account: ${{ steps.image.outputs.service_account }} - provider_name: ${{ steps.image.outputs.provider_name }} steps: - id: auth name: "Authenticate to Google Cloud" 
@@ -110,15 +103,17 @@ jobs: run: | # NOTE: We need to use the image and digest in order to make sure # that the image we attest has not been modified. - image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" - docker pull "$image_name:main" - repo_digest=$(docker inspect --format='{{index .RepoDigests 0}}' $image_name:main) - echo $repo_digest - - echo "image=$image_name" >> "${GITHUB_OUTPUT}" - echo "digest=${repo_digest#*@}" >> "${GITHUB_OUTPUT}" - echo "service_account=${SERVICE_ACCOUNT}" >> "${GITHUB_OUTPUT}" - echo "provider_name=${PROVIDER_NAME}" >> "${GITHUB_OUTPUT}" + full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" + docker pull "${full_image_name}:main" + repo_digest=$(docker inspect --format='{{index .RepoDigests 0}}' "${full_image_name}:main") + echo "$repo_digest" + + { + echo "image=$image_name" + echo "digest=${repo_digest#*@}" + echo "service_account=${SERVICE_ACCOUNT}" + echo "provider_name=${PROVIDER_NAME}" + } >> "${GITHUB_OUTPUT}" build: permissions: @@ -147,8 +142,8 @@ jobs: id: build run: | name=$(find outputs/ -type f | head -1) - cp $name . - echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}" + cp "${name}" . + echo "name=$(basename "${name}")" >> "${GITHUB_OUTPUT}" - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: name: ${{ needs.build.outputs.attestations-download-name }} diff --git a/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml b/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml index 7d4402309e..4cd7656a41 100644 --- a/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml +++ b/.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml 
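Review bot: The grouped write to `GITHUB_OUTPUT` in e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml still emits `echo "image=$image_name"`, although this hunk renames the variable to `full_image_name`, so `image_name` is no longer assigned anywhere in the visible part of the step. Unless `set -u` is enabled above the hunk (the step header lies outside it), the `image` output silently becomes empty and whatever consumes it would presumably attest a reference that does not name the pulled image. The line should read `echo "image=${full_image_name}"`. The `service_account` and `provider_name` lines in the same group could be dropped as well, since the earlier hunk in this file removes them from the job-level `outputs:` mapping.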
@@ -34,8 +34,9 @@ jobs: runs-on: ubuntu-latest needs: [build] steps: - - run: | - echo ${{ needs.build.outputs }} + - env: + OUTPUTS: ${{ toJSON(needs.build.outputs) }} + run: echo "${OUTPUTS}" - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: @@ -45,8 +46,8 @@ jobs: id: build run: | name=$(find outputs/ -type f | head -1) - cp $name . - echo "name=$(basename $name)" >> "${GITHUB_OUTPUT}" + cp "$name" . + echo "name=$(basename "$name")" >> "${GITHUB_OUTPUT}" - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: name: ${{ needs.build.outputs.attestations-download-name }} diff --git a/.github/workflows/e2e.container.push.main.default.slsa3.yml b/.github/workflows/e2e.container.push.main.default.slsa3.yml index 2c1054400e..0d42f8f3b2 100644 --- a/.github/workflows/e2e.container.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.container.push.main.default.slsa3.yml @@ -81,8 +81,8 @@ jobs: # that the image we attest has not been modified. # NOTE: The digest output from docker/build-push-action is of the # form "sha256:" - image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" - echo "image=$image_name" >> "${GITHUB_OUTPUT}" + full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" + echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}" # Generate SLSA provenance for the image # Upload the provenance to ghcr.io 
@@ -130,10 +130,10 @@ jobs: --type slsaprovenance \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \ - "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json + "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json" - echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV - echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV + echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" + echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" diff --git a/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml b/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml index 09e6c08b48..cc1e942f66 100644 --- a/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml +++ b/.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml @@ -65,8 +65,8 @@ jobs: # that the image we attest has not been modified. # NOTE: The digest output from docker/build-push-action is of the # form "sha256:" - image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" - echo "image=$image_name" >> "${GITHUB_OUTPUT}" + full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" + echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}" # Generate SLSA provenance for the image # Upload the provenance to ghcr.io 
@@ -115,10 +115,10 @@ jobs: --type slsaprovenance \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \ - "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json + "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json" - echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV - echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV + echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" + echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" @@ -180,7 +180,7 @@ jobs: if-succeeded-continue-on-error: runs-on: ubuntu-latest - needs: [verify-continue-on-error] + needs: [provenance-continue-on-error, verify-continue-on-error] # NOTE: The workflow is allowed to run for other event types but don't post # to issues unless it's a schedule event. if: github.event_name == 'schedule' && needs.provenance-continue-on-error.result == 'success' && needs.verify-continue-on-error.result == 'success' diff --git a/.github/workflows/e2e.container.tag.main.registry-username-secret.yml b/.github/workflows/e2e.container.tag.main.registry-username-secret.yml index 0e9b5ebcbd..0892d5fa9e 100644 --- a/.github/workflows/e2e.container.tag.main.registry-username-secret.yml +++ b/.github/workflows/e2e.container.tag.main.registry-username-secret.yml 
@@ -95,8 +95,8 @@ jobs: # that the image we attest has not been modified. # NOTE: The digest output from docker/build-push-action is of the # form "sha256:" - image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" - echo "image=$image_name" >> "${GITHUB_OUTPUT}" + full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" + echo "image=${full_image_name}" >> "${GITHUB_OUTPUT}" # Generate SLSA provenance for the image # Upload the provenance to ghcr.io @@ -145,10 +145,10 @@ jobs: --type slsaprovenance \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \ - "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json + "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json" - echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV - echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV + echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" + echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" diff --git a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml index d9e994a590..866699f5fe 100644 --- a/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml +++ b/.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml 
@@ -85,8 +85,8 @@ jobs: # that the image we attest has not been modified. # NOTE: The digest output from docker/build-push-action is of the # form "sha256:" - image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" - echo "image=$image_name" >> "${GITHUB_OUTPUT}" + full_image_name="${IMAGE_REGISTRY}/${IMAGE_NAME}" + echo "image=$full_image_name" >> "${GITHUB_OUTPUT}" # Generate SLSA provenance for the image # Upload the provenance to ghcr.io @@ -134,10 +134,10 @@ jobs: --type slsaprovenance \ --certificate-oidc-issuer https://token.actions.githubusercontent.com \ --certificate-identity https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/heads/main \ - "${IMAGE_NAME}@${IMAGE_DIGEST}" > ${GITHUB_WORKSPACE}/provenance.json + "${IMAGE_NAME}@${IMAGE_DIGEST}" > "${GITHUB_WORKSPACE}/provenance.json" - echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> $GITHUB_ENV - echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> $GITHUB_ENV + echo "provenance_file=${GITHUB_WORKSPACE}/provenance.json" >> "$GITHUB_ENV" + echo "container=${IMAGE_NAME}@${IMAGE_DIGEST}" >> "$GITHUB_ENV" - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 with: go-version: "1.18" diff --git a/.github/workflows/e2e.generic.push.main.default.slsa3.yml b/.github/workflows/e2e.generic.push.main.default.slsa3.yml index 36f3960a80..273c2be1e2 100644 --- a/.github/workflows/e2e.generic.push.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.push.main.default.slsa3.yml @@ -40,7 +40,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >>"${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: 
@@ -55,7 +55,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: if: github.event_name == 'push' && github.event.head_commit.message == github.workflow diff --git a/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml b/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml index 4a20e1c92d..a0c6c58655 100644 --- a/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml +++ b/.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml @@ -48,7 +48,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "binary-name=hello" >> ""${GITHUB_OUTPUT}"" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -64,11 +64,11 @@ jobs: run: | set -euo pipefail source "./.github/workflows/scripts/e2e-utils.sh" - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> ""${GITHUB_OUTPUT}"" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" filename="$(e2e_this_file)" filename="${filename%.*}" # Remove the file extension. - echo "upload-tag-name=${filename}" >> ""${GITHUB_OUTPUT}"" + echo "upload-tag-name=${filename}" >> "${GITHUB_OUTPUT}" provenance: needs: [build] diff --git a/.github/workflows/e2e.generic.release.main.default.slsa3.yml b/.github/workflows/e2e.generic.release.main.default.slsa3.yml index 1e3c55b833..90d6574d27 100644 --- a/.github/workflows/e2e.generic.release.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.release.main.default.slsa3.yml 
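Review bot: `echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)"` still hides a failing `sha256sum`, because under `set -euo pipefail` the exit status of a command substitution used as an argument is discarded; `echo` succeeds and writes an empty `digest=` if the binary is missing or unreadable. This output presumably becomes the provenance subject, so an empty value should fail the step rather than flow onward. Assign first so `set -e` sees the failure: `digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)` followed by `echo "digest=${digest}" >> "${GITHUB_OUTPUT}"`. The same pattern is in the `digest=` lines of the upload-tag-name, release.main.default, schedule.main.attestation-name, schedule.main.default, tag.branch1 and workflow_dispatch.branch1 workflows, and in the `hashes=` line of goreleaser-assets-multi-subjects.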
@@ -56,7 +56,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -71,7 +71,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: needs: [shim, build] diff --git a/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml index e14c765272..0247f918e5 100644 --- a/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.attestation-name.slsa3.yml @@ -28,7 +28,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -43,7 +43,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: needs: [build] diff --git a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml index 0c3353cd82..68331c26a1 100644 --- a/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml +++ b/.github/workflows/e2e.generic.schedule.main.default.slsa3.yml 
@@ -28,7 +28,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -43,7 +43,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "$BINARY_NAME" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: needs: [build] diff --git a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml index dc8b5baab5..3d89d79669 100644 --- a/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml @@ -58,7 +58,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -73,7 +73,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: needs: [shim, build] diff --git a/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml b/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml index dfb6b54a71..f2b202e947 100644 --- a/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml +++ b/.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml 
@@ -78,7 +78,7 @@ jobs: set -euo pipefail checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> ""${GITHUB_OUTPUT}"" + echo "hashes=$(base64 -w0 <"$checksum_file")" >> "${GITHUB_OUTPUT}" provenance: needs: [shim, build] @@ -107,15 +107,15 @@ jobs: with: go-version: "1.18" - env: - CHECKSUMS: ${{ needs.build.outputs.hashes }} + CHECKSUMS_B64: ${{ needs.build.outputs.hashes }} PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} run: | set -euo pipefail - checksums=$(echo "$CHECKSUMS" | base64 -d) + checksums=$(echo "${CHECKSUMS_B64}" | base64 -d) while read -r line; do - fn=$(echo $line | cut -d ' ' -f2) + fn=$(echo "$line" | cut -d ' ' -f2) echo "Verifying $fn" - BINARY=$fn ./.github/workflows/scripts/e2e.generic.default.verify.sh + BINARY="$fn" ./.github/workflows/scripts/e2e.generic.default.verify.sh done <<<"$checksums" if-succeeded: diff --git a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml index 78301c516c..51195a4fdd 100644 --- a/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml +++ b/.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml @@ -43,7 +43,7 @@ jobs: run: | bazelisk build //:hello cp bazel-bin/hello_/hello . # Copy binary from Bazel path to root - echo "::set-output name=binary-name::hello" + echo "binary-name=hello" >> "${GITHUB_OUTPUT}" - name: Upload binary uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 with: @@ -58,7 +58,7 @@ jobs: BINARY_NAME: ${{ steps.build.outputs.binary-name }} run: | set -euo pipefail - echo "digest=$(sha256sum $BINARY_NAME | base64 -w0)" >> "${GITHUB_OUTPUT}" + echo "digest=$(sha256sum "${BINARY_NAME}" | base64 -w0)" >> "${GITHUB_OUTPUT}" provenance: if: github.event_name == 'workflow_dispatch' 
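Review bot: Quoting `"$line"` in `fn=$(echo "$line" | cut -d ' ' -f2)` changes what `cut` receives: the unquoted form collapsed runs of whitespace, while the quoted form preserves them, so if the checksum file uses the usual sha256sum layout (hash, two spaces, name) field 2 is now the empty string between the two spaces. `BINARY` would then be empty for every entry, and the verify script would not be checking the released files. Let `read` do the splitting instead, `while read -r _ fn; do`, and drop the `cut` line. The checksum file's exact format is not visible in this hunk, so confirm it against the goreleaser output before merging.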
diff --git a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml index 212cdd198a..05d4249ecf 100644 --- a/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml +++ b/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml @@ -58,11 +58,13 @@ jobs: run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}" - echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}" - echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}" + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + { + echo "version=-X main.gitVersion=v1.2.3" + echo "commit=-X main.gitCommit=abcdef" + echo "branch=-X main.gitBranch=${branch}" + } >> "${GITHUB_OUTPUT}" build: needs: [shim, args] diff --git a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml index 28e3b22590..97c03768d9 100644 --- a/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml +++ b/.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml 
@@ -30,13 +30,16 @@ jobs: run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}" - echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}" - echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}" - # Note: this must be the same path defined in the config file. - echo "main=-X main.gitMain=$GO_MAIN" >> "${GITHUB_OUTPUT}" + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + + { + echo "version=-X main.gitVersion=v1.2.3" + echo "commit=-X main.gitCommit=abcdef" + echo "branch=-X main.gitBranch=${branch}" + # Note: this must be the same path defined in the config file. + echo "main=-X main.gitMain=${GO_MAIN}" + } >> "${GITHUB_OUTPUT}" build: needs: [args] diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml index 84deef4cdb..c06e5f0ef5 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml 
@@ -61,11 +61,14 @@ jobs: run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}" - echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}" - echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}" + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + + { + echo "version=-X main.gitVersion=v1.2.3" + echo "commit=-X main.gitCommit=abcdef" + echo "branch=-X main.gitBranch=${branch}" + } >> "${GITHUB_OUTPUT}" build: needs: [shim, args] diff --git a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml index 4a8e4029b4..43f9268f6e 100644 --- a/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml +++ b/.github/workflows/e2e.go.tag.main.config-ldflags-assets-prerelease-tag.slsa3.yml 
@@ -59,11 +59,13 @@ jobs: run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}" - echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}" - echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}" + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + { + echo "version=-X main.gitVersion=v1.2.3" + echo "commit=-X main.gitCommit=abcdef" + echo "branch=-X main.gitBranch=${branch}" + } >> "${GITHUB_OUTPUT}" build: needs: [shim, args] diff --git a/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml b/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml index bbb436b227..b31e2a2d31 100644 --- a/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml +++ b/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml @@ -31,12 +31,14 @@ jobs: steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - id: verify + env: + REF_NAME: ${{ github.ref_name }} run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" /repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - if [[ "$BRANCH" == "${{ github.ref_name }}" ]]; then + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + if [[ "${branch}" == "${REF_NAME}" ]]; then echo "continue=yes" >> "${GITHUB_OUTPUT}" fi 
@@ -57,11 +59,13 @@ jobs: run: | set -euo pipefail - THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) - BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) - echo "version=-X main.gitVersion=v1.2.3" >> "${GITHUB_OUTPUT}" - echo "commit=-X main.gitCommit=abcdef" >> "${GITHUB_OUTPUT}" - echo "branch=-X main.gitBranch=$BRANCH" >> "${GITHUB_OUTPUT}" + this_file=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}" | jq -r '.path' | cut -d '/' -f3) + branch=$(echo "${this_file}" | cut -d '.' -f4) + { + echo "version=-X main.gitVersion=v1.2.3" + echo "commit=-X main.gitCommit=abcdef" + echo "branch=-X main.gitBranch=${branch}" + } >> "${GITHUB_OUTPUT}" build: needs: [shim, args] diff --git a/.github/workflows/pre-submit.golangci-lint.yml b/.github/workflows/pre-submit.golangci-lint.yml index 52c61a4b21..fa7cb27b9f 100644 --- a/.github/workflows/pre-submit.golangci-lint.yml +++ b/.github/workflows/pre-submit.golangci-lint.yml @@ -28,9 +28,9 @@ jobs: curl -sSLo golangci-lint.tar.gz "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" echo "golangci-lint checksum is $(sha256sum golangci-lint.tar.gz | awk '{ print $1 }')" echo "expected checksum is $GOLANGCI_LINT_CHECKSUM" - echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit -2 + echo "$GOLANGCI_LINT_CHECKSUM golangci-lint.tar.gz" | sha256sum --strict --check --status || exit 1 tar xf golangci-lint.tar.gz - mv golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint /usr/local/bin + mv "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" /usr/local/bin # Run golangci-lint make golangci-lint