Bumps the ci group with 3 updates: [actions/checkout](https://github.com/actions/checkout), [github/codeql-action](https://github.com/github/codeql-action) and [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](8e8c483db8...de0fac2e45) Updates `github/codeql-action` from 4.31.10 to 4.31.11 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](cdefb33c0f...19b2f06db2) Updates `anchore/sbom-action` from 0.21.1 to 0.22.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](0b82b0b1a2...62ad5284b8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: github/codeql-action dependency-version: 4.31.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: ci - dependency-name: anchore/sbom-action dependency-version: 0.22.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: ci ... Signed-off-by: dependabot[bot] <support@github.com>
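# Release workflow: on a v* tag, build and publish the release with GoReleaser
# (archives, Linux packages, SBOMs, container images), then hand the resulting
# digests to the SLSA generator reusable workflows so that the release assets
# and every pushed image get a provenance attestation.
#
# Every `${{ }}` value that reaches a shell is routed through `env:` rather
# than interpolated into `run:`, so artifact metadata is never parsed as shell
# syntax.  Third-party actions are pinned to a commit SHA; the trailing comment
# records the tag that SHA corresponds to.
name: Release

on:
  push:
    tags: [ 'v*' ]

# Workflow-wide default is read-only; each job widens only what it needs.
permissions:
  contents: read

jobs:
  release:
    runs-on: ubuntu-latest

    permissions:
      contents: write  # For creating the GitHub release.
      id-token: write  # For creating OIDC tokens for signing.
      packages: write  # For pushing and signing container images.

    # The *-subjects outputs are base64-encoded "<sha256> <name>" text (artifacts,
    # packages, SBOMs) or a JSON matrix of image/digest pairs (containers); see
    # the extraction steps below for how each is produced.
    outputs:
      version: "${{ steps.release-metadata.outputs.version }}"
      artifact-subjects: "${{ steps.artifact-hashes.outputs.subjects }}"
      package-subjects: "${{ steps.package-hashes.outputs.subjects }}"
      sbom-subjects: "${{ steps.sbom-hashes.outputs.subjects }}"
      container-subjects: "${{ steps.container-metadata.outputs.subjects }}"

    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history so the tags GoReleaser builds from are present.
          fetch-depth: 0
          # Do not leave the job token in .git/config for later steps to pick up;
          # GoReleaser receives it explicitly via GITHUB_TOKEN below.
          persist-credentials: false

      - name: Setup Go
        uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          # Quoted on purpose: an unquoted 1.x0 would be read as a float and lose
          # its trailing zero.
          go-version: "1.25"
          cache: false

      - name: Setup Syft
        uses: anchore/sbom-action/download-syft@62ad5284b8ced813296287a0b63906cb364b73ee # v0.22.0

      - name: Setup Cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Setup QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Login to Quay.io
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_BOT_USERNAME }}
          password: ${{ secrets.QUAY_BOT_TOKEN }}

      - name: Run GoReleaser
        id: goreleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          # Note that the following is the version of goreleaser, and NOT a Go version!
          # When bumping it, make sure to check out goreleaser's changelog first!
          # (https://github.com/goreleaser/goreleaser/releases)
          version: 1.21.x
          args: release --clean --timeout 1h
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # The steps below read GoReleaser's JSON outputs.  Expansions are quoted so
      # the JSON reaches jq unchanged, and `echo -E` keeps backslashes literal
      # (`echo -e` would rewrite escape sequences inside JSON strings).
      - name: Extract release metadata
        id: release-metadata
        env:
          METADATA: "${{ steps.goreleaser.outputs.metadata }}"
        run: |
          set -euo pipefail
          echo "version=$(echo -E "$METADATA" | jq -r '.version')" >> "$GITHUB_OUTPUT"

      - name: Extract artifact subjects
        id: artifact-hashes
        env:
          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          # One "<digest> <name>" line per artifact that carries a Digest or a
          # Checksum; the final sub() drops an algorithm prefix such as "sha256:"
          # so the lines match sha256sum's format.
          sum_file=$(echo -E "$ARTIFACTS" | jq -r '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^(.*?):";"")')
          echo "subjects=$(echo "$sum_file" | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Extract package subjects
        id: package-hashes
        env:
          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          sum_file="$(mktemp)"

          # Hash each Linux package on disk and record "<sha256> <file name>".
          mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="Linux Package") | .path')
          for f in "${file_paths[@]}"; do
            file_name=$(basename "$f")
            file_sum=$(sha256sum "$f" | awk '{print $1}')
            echo "$file_sum $file_name" >> "$sum_file"
          done

          echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"

      - name: Extract SBOM subjects
        id: sbom-hashes
        env:
          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          sum_file="$(mktemp)"

          # Hash each SBOM on disk and record "<sha256> <file name>".
          mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="SBOM") | .path')
          for f in "${file_paths[@]}"; do
            file_name=$(basename "$f")
            file_sum=$(sha256sum "$f" | awk '{print $1}')
            echo "$file_sum $file_name" >> "$sum_file"
          done

          echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"

      - name: Extract container image subjects
        id: container-metadata
        env:
          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail
          # Strip the registry prefix and the tag from each manifest name so the
          # provenance jobs can prepend their own registry, then keep one entry
          # per distinct digest.  Emitted as a {"include": [...]} matrix.
          image_list=$(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="Docker Manifest") | {"image": (.name | sub("^.*?/"; "") | sub(":(.*)"; "")), "digest": .extra.Digest}')
          echo "subjects=$(echo "$image_list" | jq -c -s 'unique_by(.digest) | {"include": .}')" >> "$GITHUB_OUTPUT"

  combine-subjects:
    runs-on: ubuntu-latest

    needs: [ release ]

    outputs:
      all-subjects: "${{ steps.combine-subjects.outputs.subjects }}"

    steps:
      - name: Combine subjects
        id: combine-subjects
        env:
          ARTIFACT_SUBJECTS: "${{ needs.release.outputs.artifact-subjects }}"
          PACKAGE_SUBJECTS: "${{ needs.release.outputs.package-subjects }}"
          SBOM_SUBJECTS: "${{ needs.release.outputs.sbom-subjects }}"
        run: |
          set -euo pipefail

          artifact_subjects=$(echo "$ARTIFACT_SUBJECTS" | base64 -d)
          package_subjects=$(echo "$PACKAGE_SUBJECTS" | base64 -d)
          sbom_subjects=$(echo "$SBOM_SUBJECTS" | base64 -d)

          # Concatenate the three lists and drop blank lines (an empty list
          # would otherwise contribute an empty line).
          all_subjects=$(echo -e "${artifact_subjects}\n${package_subjects}\n${sbom_subjects}\n" | sed '/^$/d')

          echo "subjects=$(echo "$all_subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"

  # The SLSA generator reusable workflows are referenced by release tag rather
  # than by SHA, which is how the generator expects to be called.
  assets-provenance:
    needs: [ release, combine-subjects ]

    permissions:
      actions: read  # For detecting the GitHub Actions environment.
      id-token: write  # For creating OIDC tokens for signing.
      contents: write  # For adding assets to a release.

    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}"
      upload-assets: true
      provenance-name: "sops-v${{ needs.release.outputs.version }}.intoto.jsonl"

  ghcr-container-provenance:
    needs: [ release ]

    permissions:
      actions: read  # For detecting the GitHub Actions environment.
      id-token: write  # For creating OIDC tokens for signing.
      packages: write  # For uploading attestations.

    # One generator run per image/digest pair produced by the release job.
    strategy:
      matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}

    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: ghcr.io/${{ matrix.image }}
      digest: ${{ matrix.digest }}
      registry-username: ${{ github.actor }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  quay-container-provenance:
    needs: [ release ]

    permissions:
      actions: read  # For detecting the GitHub Actions environment.
      id-token: write  # For creating OIDC tokens for signing.
      packages: write  # For uploading attestations.

    # Same matrix as the ghcr job; only the registry and credentials differ.
    strategy:
      matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}

    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0
    with:
      image: quay.io/${{ matrix.image }}
      digest: ${{ matrix.digest }}
    secrets:
      registry-username: ${{ secrets.QUAY_BOT_USERNAME }}
      registry-password: ${{ secrets.QUAY_BOT_TOKEN }}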