add package write to slsa workflow (#2347) #1145

Workflow file for this run

.github/workflows/release.yaml at d275b45

	#
	# Copyright 2022 The GUAC Authors.
	#
	# Licensed under the Apache License, Version 2.0 (the "License");
	# you may not use this file except in compliance with the License.
	# You may obtain a copy of the License at
	#
	# http://www.apache.org/licenses/LICENSE-2.0
	#
	# Unless required by applicable law or agreed to in writing, software
	# distributed under the License is distributed on an "AS IS" BASIS,
	# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	# See the License for the specific language governing permissions and
	# limitations under the License.
	name: release

	on:
	workflow_dispatch: # testing only, trigger manually to test it works
	push:
	branches:
	- main
	tags:
	- "v*"

	permissions:
	actions: read # for detecting the Github Actions environment.
	packages: read # for reading from GHCR

	jobs:
	goreleaser:
	runs-on: ubuntu-latest
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	image: ${{ steps.hash.outputs.image }}
	digest: ${{ steps.hash.outputs.digest }}
	permissions:
	packages: write # To publish container images to GHCR
	id-token: write # To use our OIDC token
	steps:
	- name: Checkout
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	fetch-depth: 0
	persist-credentials: false
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Set up Go
	uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
	with:
	go-version: "1.21"
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # main
	- name: Install syft
	uses: anchore/sbom-action/download-syft@55dc4ee22412511ee8c3142cbea40418e6cec693 # v0.17.8

	- name: Run GoReleaser Snapshot
	if: ${{ !startsWith(github.ref, 'refs/tags/') }}
	id: run-goreleaser-snapshot
	uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
	with:
	distribution: goreleaser
	version: latest
	args: release --clean --snapshot --skip=sign
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag
	DOCKER_CONTEXT: default
	- name: Run GoReleaser Release
	if: startsWith(github.ref, 'refs/tags/')
	id: run-goreleaser-release
	uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
	with:
	distribution: goreleaser
	version: latest
	# use .goreleaser-nightly.yaml for nightly build; otherwise use the default
	args: ${{ contains( github.ref, 'nightly' ) && 'release --clean -f .goreleaser-nightly.yaml' \|\| 'release --clean' }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	DOCKER_CONTEXT: default

	- name: Generate hashes and extract image digest
	id: hash
	if: startsWith(github.ref, 'refs/tags/')
	env:
	ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	hashes=$(echo $ARTIFACTS \| jq --raw-output '.[] \| {name, "digest": (.extra.Digest // .extra.Checksum)} \| select(.digest) \| {digest} + {name} \| join(" ") \| sub("^sha256:";"")' \| base64 -w0)
	if test "$hashes" = ""; then # goreleaser < v1.13.0
	checksum_file=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Checksum") \| .path')
	hashes=$(cat $checksum_file \| base64 -w0)
	fi
	echo "hashes=$hashes" >> $GITHUB_OUTPUT

	image=$(echo $ARTIFACTS \| jq --raw-output '.[] \| select( .type =="Docker Manifest" ).name \| split(":")[0]')
	echo "image=$image" >> $GITHUB_OUTPUT
	digest=$(echo $ARTIFACTS \| jq --raw-output '.[] \| select( .type =="Docker Manifest" ).extra.Digest')
	echo "digest=$digest" >> $GITHUB_OUTPUT

	build-atlas:
	runs-on: ubuntu-latest
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	packages: write # To publish container images to GHCR
	id-token: write # To use our OIDC token
	steps:
	- name: Check out the code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
	with:
	persist-credentials: false

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

	- name: Log in to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build and push the Docker image
	uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
	with:
	context: ./pkg/assembler/backends/ent/migrate
	push: true
	tags: ghcr.io/${{ github.repository }}/atlas-migration:${{ github.ref_name }}

	- name: Log out of GitHub Container Registry
	run: docker logout ghcr.io

	sbom-container:
	# generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations
	name: generate sbom for container
	runs-on: ubuntu-latest
	needs: [goreleaser]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	id-token: write # needed for signing the images with GitHub OIDC Token
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v3
	with:
	persist-credentials: false
	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}
	- name: Run Trivy in fs mode to generate SBOM
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # master
	with:
	scan-type: "fs"
	format: "spdx-json"
	output: "spdx.sbom.json"
	- name: Install cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # main
	- name: Sign image and sbom
	run: \|
	#!/usr/bin/env bash
	set -euo pipefail
	cosign attach sbom --sbom spdx.sbom.json ${IMAGE_URI_DIGEST}
	cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
	shell: bash
	env:
	IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}

	provenance-bins:
	name: generate provenance for binaries
	needs: [goreleaser]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	id-token: write # To sign the provenance
	contents: write # To upload assets to release
	actions: read # To read the workflow path
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
	with:
	base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
	upload-assets: true

	provenance-container:
	name: generate provenance for container
	needs: [goreleaser]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	id-token: write # To sign the provenance
	contents: write # To upload assets to release
	packages: write # To publish container images to GHCR
	actions: read # To read the workflow path
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
	with:
	image: ${{ needs.goreleaser.outputs.image }}
	digest: ${{ needs.goreleaser.outputs.digest }}
	registry-username: ${{ github.actor }}
	secrets:
	registry-password: ${{ secrets.GITHUB_TOKEN }}

	compose-tarball:
	runs-on: ubuntu-latest
	name: generate compose tarball
	needs: [goreleaser]
	if: startsWith(github.ref, 'refs/tags/')
	permissions:
	contents: write # To upload assets to release.
	packages: write # To publish container images to GHCR
	id-token: write # To use our GitHub token
	steps:
	- name: Checkout code
	uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # tag=v3
	with:
	persist-credentials: false
	- name: Create and publish compose tarball
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	#!/usr/bin/env bash
	set -euo pipefail
	mkdir guac-compose
	cp .env guac-compose/
	cp docker-compose.yml guac-compose/
	cp -r container_files guac-compose/
	sed -i s/local-organic-guac/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-compose/.env
	tar -zcvf guac-compose.tar.gz guac-compose/
	rm -rf guac-compose/
	gh release upload ${{ github.ref_name }} guac-compose.tar.gz
	rm guac-compose.tar.gz
	shell: bash
	- name: Modify and publish demo compose yaml
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	#!/usr/bin/env bash
	set -euo pipefail
	cp container_files/guac-demo-compose.yaml .
	sed -i s/\$GUAC_IMAGE/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-demo-compose.yaml
	gh release upload ${{ github.ref_name }} guac-demo-compose.yaml
	rm guac-demo-compose.yaml
	shell: bash
	- name: Modify and publish postgres compose yaml
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	#!/usr/bin/env bash
	set -euo pipefail
	cp container_files/guac-postgres-compose.yaml .
	sed -i s/\$GUAC_IMAGE/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-postgres-compose.yaml
	gh release upload ${{ github.ref_name }} guac-postgres-compose.yaml
	rm guac-postgres-compose.yaml
	shell: bash

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add package write to slsa workflow (#2347) #1145

Workflow file

add package write to slsa workflow (#2347) #1145

Jobs

Run details

Workflow file for this run