-
Notifications
You must be signed in to change notification settings - Fork 96
74 lines (64 loc) · 2.71 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
# Copyright 2023 Terramate GmbH
# SPDX-License-Identifier: MPL-2.0
name: release
on:
push:
tags:
- '*'
permissions:
contents: write
packages: write
jobs:
goreleaser:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4
with:
fetch-depth: 0
- uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # pin@v4
with:
go-version: '1.21'
- name: Log in to ghcr.io container registry
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: install goreleaser
run: |
curl -sL https://github.com/goreleaser/goreleaser-pro/releases/download/v1.14.0-pro/goreleaser-pro_Linux_x86_64.tar.gz -o /tmp/goreleaser.tar.gz
cd /tmp && tar -xzf goreleaser.tar.gz && chmod +x goreleaser
sudo mv /tmp/goreleaser /usr/local/bin/
- name: install cosign
run: go install github.com/sigstore/cosign/v2/cmd/[email protected]
- name: Create cosign.pub file
run: echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
- name: Run GoReleaser
run: make release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DISCORD_WEBHOOK_ID: ${{ secrets.DISCORD_WEBHOOK_ID }}
DISCORD_WEBHOOK_TOKEN: ${{ secrets.DISCORD_WEBHOOK_TOKEN }}
TWITTER_CONSUMER_KEY: ${{ secrets.TWITTER_APP_TERRAMATE_RELEASE_CONSUMER_API_KEY }}
TWITTER_CONSUMER_SECRET: ${{ secrets.TWITTER_APP_TERRAMATE_RELEASE_CONSUMER_API_KEY_SECRET }}
TWITTER_ACCESS_TOKEN: ${{ secrets.TWITTER_MINEIROS_IO_ACCESS_TOKEN_KEY }}
TWITTER_ACCESS_TOKEN_SECRET: ${{ secrets.TWITTER_MINEIROS_IO_ACCESS_TOKEN_SECRET }}
GORELEASER_KEY: ${{ secrets.GORELEASER_API_KEY }}
FURY_TOKEN: ${{ secrets.FURY_TOKEN}}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD}}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY }}
- name: Locate checksum file
id: find_checksum
run: |
if [ -z "$(ls dist/*checksums.txt)" ]; then
echo "Error: Checksum file not found."
exit 1
fi
echo "CHECKSUM_FILE=$(ls dist/*checksums.txt)" >> $GITHUB_ENV
- name: Locate signature file
id: find_signature
run: |
if [ -z "$(ls dist/*checksum*.txt.sig)" ]; then
echo "Error: Signature file not found."
exit 1
fi
echo "SIGNATURE_FILE=$(ls dist/*checksum*.txt.sig)" >> $GITHUB_ENV
- name: Verify checksums with cosign
run: |
cosign verify-blob --key cosign.pub --signature ${{ env.SIGNATURE_FILE }} ${{ env.CHECKSUM_FILE }}