releng - update golang deps and provenance and trusted publishing (#173)
kapilt authored Jan 9, 2024
1 parent c67e5df commit 5e59649
Showing 6 changed files with 236 additions and 172 deletions.
23 changes: 21 additions & 2 deletions .github/dependabot.yml
@@ -4,14 +4,33 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"
interval: "monthly"
commit-message:
prefix: ":seedling:"
groups:
github-actions:
patterns:
- "*"

- package-ecosystem: "pip"
directory: "/"
schedule:
interval: "weekly"
interval: "monthly"
commit-message:
prefix: ":seedling:"
groups:
python-requirements:
patterns:
- "*"

- package-ecosystem: "gomod"
directory: "/"
schedule:
interval: "monthly"
commit-message:
prefix: ":seedling:"
groups:
golang-requirements:
patterns:
- "*"
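Review bot: The new `gomod` entry sets `directory: "/"`, but the Go module this commit updates lives at `gotfparse/go.mod`, and the release workflow's `cache-dependency-path` also points at `gotfparse/go.sum`. Dependabot looks for the manifest in the configured directory, so unless a second `go.mod` exists at the repository root this entry will find nothing to update. That would leave the Go dependencies, including `golang.org/x/crypto` and `golang.org/x/net`, outside automated updates. Suggest `directory: "/gotfparse"` for that entry.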

96 changes: 77 additions & 19 deletions .github/workflows/release.yml
@@ -6,28 +6,38 @@ on:
workflow_dispatch:
inputs: {}
env:
CIBW_BUILD: "c39-* cp310-* cp311-* cp312-*"
CIBW_BUILD: "cp310-* cp311-* cp312-*"
jobs:

Build-Linux:
runs-on: ubuntu-latest
strategy:
matrix:
include:
- runner: ubuntu-latest
cibw_arch: aarch64
- runner: ubuntu-latest
cibw_arch: x86_64
runs-on: ${{ matrix.runner }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/[email protected]
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # ratchet:docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
with:
platforms: arm64
- name: Build wheels
uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7 # ratchet:pypa/[email protected]
uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7
env:
CIBW_ENVIRONMENT: PATH=$(pwd)/go/bin:$PATH
CIBW_BEFORE_ALL: sh ci-setup-golang.sh
CIBW_SKIP: "*musllinux*"
CIBW_ARCHS: "x86_64 aarch64"
- uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # ratchet:actions/upload-artifact@v3
CIBW_ARCHS: ${{ matrix.cibw_arch }}
- name: Upload Artifacts
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
with:
name: wheels
name: wheels-linux-${{ matrix.cibw_arch }}
path: ./wheelhouse/*.whl

Build-MacOS:
strategy:
matrix:
@@ -39,35 +49,83 @@ jobs:
runs-on: macos-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # ratchet:actions/[email protected]
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # ratchet:actions/setup-go@v3
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
with:
go-version: "1.21.5"
cache: true
cache-dependency-path: "gotfparse/go.sum"
- name: Build wheels
uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7 # ratchet:pypa/[email protected]
uses: pypa/cibuildwheel@fff9ec32ed25a9c576750c91e06b410ed0c15db7
env:
CGO_ENABLED: 1
CIBW_ARCHS: ${{ matrix.cibw_arch }}
GOARCH: ${{ matrix.go_arch }}
- name: Upload Artifacts
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # ratchet:actions/upload-artifact@v3
uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392
with:
name: wheels
name: wheels-macos-${{ matrix.cibw_arch }}
path: ./wheelhouse/*.whl
Upload:

Gather:
needs: [Build-Linux, Build-MacOS]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
outputs:
hash: ${{ steps.hash.outputs.hash }}
steps:
- uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # ratchet:actions/[email protected]
- name: Fetch Wheels
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
with:
name: wheels
pattern: "wheels-*"
path: dist
merge-multiple: true
- name: Display downloaded artifacts
run: ls -lh dist
- uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf # ratchet:pypa/[email protected]
- name: Generate Hashes
id: hash
run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT

Provenance:
needs: [Gather]
permissions:
actions: read
id-token: write
contents: write
# Can't pin with hash due to how this workflow works.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: ${{ needs.Gather.outputs.hash }}

Release:
runs-on: ubuntu-latest
needs: [Provenance]
permissions:
contents: write
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Fetch Wheels
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
with:
password: ${{ secrets.PYPI_TOKEN }}
pattern: "*"
path: dist
merge-multiple: true
- name: Upload Release Assets
run: |
gh release upload ${{ github.ref_name }} dist/*
Upload:
needs: [Release]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write
steps:
- name: Fetch Wheels
uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110
with:
pattern: "wheels-*"
path: dist
merge-multiple: true
- name: Upload to PYPI
uses: pypa/gh-action-pypi-publish@2f6f737ca5f74c637829c0f5c3acd0e29ea5e8bf
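Review bot: The `Upload Release Assets` step in the new `Release` job runs `gh release upload ${{ github.ref_name }} dist/*` with no `env:` block and no checkout step in the job, so as shown `gh` has neither a token (`GH_TOKEN`) nor a repository context and the step is likely to fail. The workflow-level `env:` visible in the first hunk only sets `CIBW_BUILD`. The tag name is also expanded by the expression engine directly into the shell script, so a tag containing shell metacharacters would be interpreted by the shell in a job that holds `contents: write`. Passing the tag through an environment variable and quoting it closes that gap and supplies the missing credentials in the same step.

```yaml
      - name: Upload Release Assets
        env:
          GH_TOKEN: ${{ github.token }}
          GH_REPO: ${{ github.repository }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: gh release upload "$RELEASE_TAG" dist/*
```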
2 changes: 1 addition & 1 deletion ci-setup-golang.sh
@@ -2,7 +2,7 @@

OS=$(uname -s)
ARCH=$(uname -m)
GOVER="1.19.2"
GOVER="1.21.5"
case $ARCH in
x86_64) ARCH="amd64" ;;
aarch64) ARCH="arm64" ;;
69 changes: 38 additions & 31 deletions gotfparse/go.mod
@@ -4,58 +4,65 @@ go 1.18

require (
github.com/Jeffail/gabs/v2 v2.7.0
github.com/aquasecurity/defsec v0.91.1
github.com/hashicorp/hcl/v2 v2.17.0
github.com/zclconf/go-cty v1.13.2
github.com/aquasecurity/defsec v0.93.1
github.com/hashicorp/hcl/v2 v2.19.1
github.com/zclconf/go-cty v1.14.1
)

require (
cloud.google.com/go v0.110.7 // indirect
cloud.google.com/go/compute v1.23.0 // indirect
cloud.google.com/go v0.111.0 // indirect
cloud.google.com/go/compute v1.23.3 // indirect
cloud.google.com/go/compute/metadata v0.2.3 // indirect
cloud.google.com/go/iam v1.1.2 // indirect
cloud.google.com/go/storage v1.32.0 // indirect
cloud.google.com/go/iam v1.1.5 // indirect
cloud.google.com/go/storage v1.36.0 // indirect
github.com/Masterminds/semver v1.5.0 // indirect
github.com/agext/levenshtein v1.2.3 // indirect
github.com/apparentlymart/go-cidr v1.1.0 // indirect
github.com/apparentlymart/go-textseg/v13 v13.0.0 // indirect
github.com/aws/aws-sdk-go v1.44.325 // indirect
github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
github.com/aws/aws-sdk-go v1.49.16 // indirect
github.com/bgentry/go-netrc v0.0.0-20140422174119-9fd32a8b3d3d // indirect
github.com/bmatcuk/doublestar v1.3.4 // indirect
github.com/bmatcuk/doublestar/v4 v4.6.0 // indirect
github.com/bmatcuk/doublestar/v4 v4.6.1 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/go-cmp v0.5.9 // indirect
github.com/google/s2a-go v0.1.5 // indirect
github.com/google/uuid v1.3.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.2.5 // indirect
github.com/google/s2a-go v0.1.7 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
github.com/googleapis/gax-go/v2 v2.12.0 // indirect
github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
github.com/hashicorp/go-getter v1.7.2 // indirect
github.com/hashicorp/go-getter v1.7.3 // indirect
github.com/hashicorp/go-safetemp v1.0.0 // indirect
github.com/hashicorp/go-uuid v1.0.3 // indirect
github.com/hashicorp/go-version v1.6.0 // indirect
github.com/jmespath/go-jmespath v0.4.0 // indirect
github.com/klauspost/compress v1.16.7 // indirect
github.com/klauspost/compress v1.17.4 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/mitchellh/go-wordwrap v1.0.1 // indirect
github.com/ulikunitz/xz v0.5.11 // indirect
github.com/zclconf/go-cty-yaml v1.0.3 // indirect
go.opencensus.io v0.24.0 // indirect
golang.org/x/crypto v0.12.0 // indirect
golang.org/x/net v0.14.0 // indirect
golang.org/x/oauth2 v0.11.0 // indirect
golang.org/x/sync v0.3.0 // indirect
golang.org/x/sys v0.11.0 // indirect
golang.org/x/text v0.12.0 // indirect
golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
google.golang.org/api v0.137.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/genproto v0.0.0-20230815205213-6bfd019c3878 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20230815205213-6bfd019c3878 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230815205213-6bfd019c3878 // indirect
google.golang.org/grpc v1.57.0 // indirect
google.golang.org/protobuf v1.31.0 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
go.opentelemetry.io/otel v1.21.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/otel/trace v1.21.0 // indirect
golang.org/x/crypto v0.17.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/oauth2 v0.15.0 // indirect
golang.org/x/sync v0.6.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
google.golang.org/api v0.155.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20240102182953-50ed04b92917 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20240102182953-50ed04b92917 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240102182953-50ed04b92917 // indirect
google.golang.org/grpc v1.60.1 // indirect
google.golang.org/protobuf v1.32.0 // indirect
)