Skip to content

fix(goreleaser): use latest tag when two tags point to the same commit #45

fix(goreleaser): use latest tag when two tags point to the same commit

fix(goreleaser): use latest tag when two tags point to the same commit #45

Workflow file for this run

name: Release
on:
push:
tags:
- 'v*'
jobs:
goreleaser:
runs-on: ubuntu-22.04
permissions:
contents: write # To add assets to a release.
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Fetch all tags
run: git fetch --force --tags
- name: Setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version-file: 'go.mod'
check-latest: true
- name: Run GoReleaser
id: run-goreleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate subject
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance-for-binaries:
needs: [goreleaser]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true # upload to a new release
verification:
needs: [goreleaser, provenance-for-binaries]
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/[email protected]
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: "${{ needs.provenance-for-binaries.outputs.provenance-name }}"
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
- name: Verify assets
env:
CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
PROVENANCE: "${{ needs.provenance-for-binaries.outputs.provenance-name }}"
run: |
set -euo pipefail
checksums=$(echo "$CHECKSUMS" | base64 -d)
while read -r line; do
fn=$(echo $line | cut -d ' ' -f2)
echo "Verifying $fn"
slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$fn"
done <<<"$checksums"
docker-configure:
runs-on: ubuntu-22.04
outputs:
release: ${{ steps.vars.outputs.release }}
commit: ${{ steps.vars.outputs.commit }}
build_date: ${{ steps.vars.outputs.build_date }}
steps:
- name: Set version fields
id: vars
run: |
echo "release=$(echo $GITHUB_REF | cut -d / -f 3 | sed 's/^v//')" >> $GITHUB_OUTPUT
echo "commit=${{ github.sha }}" >> $GITHUB_OUTPUT
echo "build_date=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
docker-image:
needs: docker-configure
uses: ./.github/workflows/docker-image.yaml
secrets: inherit
permissions:
contents: read
packages: write
id-token: write # needed for signing the images with GitHub OIDC Token
with:
release: ${{ needs.docker-configure.outputs.release }}
commit: ${{ needs.docker-configure.outputs.commit }}
build_date: ${{ needs.docker-configure.outputs.build_date }}
sign: true
provenance-for-images-docker:
needs: [docker-configure, docker-image]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: docker.io/falcosecurity/falcoctl
# The image digest is used to prevent TOCTOU issues.
# This is an output of the docker/build-push-action
# See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
digest: ${{ needs.docker-image.outputs.digest }}
secrets:
registry-username: ${{ secrets.DOCKERHUB_USER }}
registry-password: ${{ secrets.DOCKERHUB_SECRET }}
login-to-amazon-ecr:
runs-on: ubuntu-22.04
permissions:
contents: read
id-token: write
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: arn:aws:iam::292999226676:role/github_actions-falcoctl-ecr
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr-public
uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
with:
registry-type: public
mask-password: 'false'
outputs:
registry: ${{ steps.login-ecr-public.outputs.registry }}
docker_username: ${{ steps.login-ecr-public.outputs.docker_username_public_ecr_aws }}
docker_password: ${{ steps.login-ecr-public.outputs.docker_password_public_ecr_aws }}
provenance-for-images-aws-ecr:
needs: [docker-configure, docker-image, login-to-amazon-ecr]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: public.ecr.aws/falcosecurity/falcoctl
# The image digest is used to prevent TOCTOU issues.
# This is an output of the docker/build-push-action
# See: https://github.com/slsa-framework/slsa-verifier#toctou-attacks
digest: ${{ needs.docker-image.outputs.digest }}
secrets:
registry-username: ${{ needs.login-to-amazon-ecr.outputs.docker_username }}
registry-password: ${{ needs.login-to-amazon-ecr.outputs.docker_password }}