chore: use sha256 for checksums, re-use existing release for SLSA #11

Workflow file for this run

.github/workflows/release.yaml at 6bae840

	name: Release

	on:
	push:
	tags:
	- "v*"

	jobs:
	goreleaser:
	name: Goreleaser
	runs-on: ${{ matrix.os }}
	strategy:
	fail-fast: false
	matrix:
	os: [ubuntu-22.04]
	go: ["1.22.3"]
	permissions:
	attestations: write
	id-token: write
	contents: write
	packages: write
	steps:
	- name: Setup Go
	uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version: ${{ matrix.go }}

	- name: Install cosign
	uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0

	- name: Install syft
	uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11

	- name: Install ko
	uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6

	- name: Code checkout
	uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
	with:
	fetch-depth: 0

	# https://github.com/actions/checkout/issues/290#issuecomment-680260080
	- name: Fetch upstream tags
	run: git fetch --tags --force

	- name: Run Goreleaser
	id: run-goreleaser
	uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	COSIGN_EXPERIMENTAL: 1
	with:
	args: release --clean

	- name: Generate SLSA metadata
	id: slsa
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	METADATA: "${{ steps.run-goreleaser.outputs.metadata }}"
	run: \|
	set -euo pipefail

	checksum_file=$(echo "${ARTIFACTS}" \| jq -r '.[] \| select (.type == "Checksum") \| .path')
	echo "hashes=$(cat $checksum_file \| base64 -w0)" >> "$GITHUB_OUTPUT"
	tag_name=$(echo "${METADATA}" \| jq -r '.tag')
	echo "tag_name=${tag_name}" >> "$GITHUB_OUTPUT"
	outputs:
	hashes: "${{ steps.slsa.outputs.hashes }}"
	tag_name: "${{ steps.slsa.outputs.tag_name }}"

	provenance:
	name: Provenance
	needs:
	- goreleaser
	permissions:
	actions: read
	id-token: write
	contents: write
	# Must be refernced by a tag. https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#referencing-the-slsa-generator
	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
	with:
	base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
	upload-assets: true
	# Use the existing release created by Goreleaser instead of creating another.
	upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: use sha256 for checksums, re-use existing release for SLSA #11

Workflow file

chore: use sha256 for checksums, re-use existing release for SLSA #11

Jobs

Run details

Workflow file for this run