build(deps): Bump slsa-framework/slsa-verifier from 2.4.0 to 2.5.1 (#72) #12
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| permissions: | |
| contents: read | |
| jobs: | |
| goreleaser: | |
| outputs: | |
| hashes: ${{ steps.binary.outputs.hashes }} | |
| permissions: | |
| contents: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| cache: true | |
| go-version: "1.20" | |
| check-latest: true | |
| - uses: anchore/sbom-action/[email protected] | |
| - name: Run GoReleaser | |
| uses: goreleaser/[email protected] | |
| with: | |
| version: latest | |
| args: release --rm-dist | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version }} | |
| - name: Generate binary hashes | |
| id: binary | |
| env: | |
| ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -euo pipefail | |
| checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| binary-provenance: | |
| needs: [goreleaser] | |
| permissions: | |
| actions: read | |
| id-token: write | |
| contents: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| with: | |
| base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" | |
| upload-assets: true | |
| verification-with-slsa-verifier: | |
| needs: [goreleaser, binary-provenance] | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| steps: | |
| - name: Install the verifier | |
| uses: slsa-framework/slsa-verifier/actions/[email protected] | |
| - name: Download assets | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}" | |
| run: | | |
| set -euo pipefail | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz" | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip" | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE" | |
| - name: Verify assets | |
| env: | |
| CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }} | |
| PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}" | |
| run: | | |
| set -euo pipefail | |
| checksums=$(echo "$CHECKSUMS" | base64 -d) | |
| while read -r line; do | |
| fn=$(echo $line | cut -d ' ' -f2) | |
| echo "Verifying $fn" | |
| slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ | |
| --source-uri "github.com/$GITHUB_REPOSITORY" \ | |
| --source-tag "$GITHUB_REF_NAME" \ | |
| "$fn" | |
| done <<<"$checksums" |