goreleaser #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: goreleaser | |
on: | |
push: | |
tags: | |
- 'v*' | |
jobs: | |
goreleaser: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
id-token: write | |
packages: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v2 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/setup-go@v3 | |
with: | |
go-version: 1.21.3 | |
- name: Set up Cosign | |
uses: sigstore/cosign-installer@v3 | |
- name: Retrieve version | |
run: | | |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT | |
id: version | |
- name: Run GoReleaser | |
# GoReleaser v4.2.0 | |
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
version: 1.16.2 | |
args: release --rm-dist --debug ${{ env.SKIP_PUBLISH }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }} | |
- uses: actions/github-script@v4 | |
id: get-checksums-from-draft-release | |
if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }} | |
with: | |
github-token: ${{secrets.GITHUB_TOKEN}} | |
result-encoding: string | |
script: | | |
var crypto = require('crypto'); | |
const { owner, repo } = context.repo; | |
// https://docs.github.com/en/rest/reference/repos#list-releases | |
// https://octokit.github.io/rest.js/v18#repos-list-releases | |
var releases = await github.repos.listReleases({ | |
owner: owner, | |
repo: repo | |
}); | |
var crypto = require('crypto') | |
var fs = require('fs') | |
const url = require('url'); | |
const https = require('https'); | |
checksums = {} | |
for (const r of releases["data"]) { | |
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") { | |
for (const asset of r.assets) { | |
var release_asset = await github.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id }); | |
const hash = crypto.createHash('sha256'); | |
let http_promise = new Promise((resolve, reject) => { | |
https.get(release_asset.url, (stream) => { | |
stream.on('data', function (data) { | |
hash.update(data); | |
}); | |
stream.on('end', function () { | |
checksums[asset.name]= hash.digest('hex'); | |
resolve(`${asset.name}`); | |
}); | |
}); | |
}); | |
await http_promise; | |
} | |
} | |
} | |
console.log(checksums) | |
return `${checksums['imgpkg-darwin-amd64']} ./imgpkg-darwin-amd64 | |
${checksums['imgpkg-darwin-arm64']} ./imgpkg-darwin-arm64 | |
${checksums['imgpkg-linux-amd64']} ./imgpkg-linux-amd64 | |
${checksums['imgpkg-linux-arm64']} ./imgpkg-linux-arm64 | |
${checksums['imgpkg-windows-amd64.exe']} ./imgpkg-windows-amd64.exe` | |
- name: Verify checksums signature | |
run: | | |
cosign verify-blob \ | |
--cert dist/checksums.txt.pem \ | |
--signature dist/checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
dist/checksums.txt | |
- name: verify uploaded artifacts | |
if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }} | |
env: | |
GITHUB_CONTEXT: ${{ toJson(github) }} | |
run: | | |
set -e -x | |
VERSION=`echo ${{ github.ref }} | grep -Eo '[0-9].*'` | |
./hack/build-binaries.sh "$VERSION" > /tmp/go-checksums | |
cat /tmp/go-checksums | |
diff /tmp/go-checksums <(cat <<EOF | |
${{steps.get-checksums-from-draft-release.outputs.result}} | |
EOF | |
) | |
- run: | | |
RELEASE_TAG=$(git describe --tags --abbrev=0) | |
RELEASE_ID=$(gh release view $RELEASE_TAG --json id -q .id) | |
MULTILINE_STRING=""" | |
### Verify checksums file signature | |
The checksums file provided within the artifacts attached to this release is signed using [Cosign](https://docs.sigstore.dev/cosign/overview/) with GitHub OIDC. To validate the signature of this file, run the following commands: | |
\`\`\`shell | |
# Download the checksums file, certificate and signature | |
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt | |
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.pem | |
curl -LO https://github.com/{{ .Env.GITHUB_REPOSITORY }}/releases/download/{{ .Tag }}/checksums.txt.sig | |
# Verify the checksums file | |
cosign verify-blob checksums.txt \ | |
--certificate checksums.txt.pem \ | |
--signature checksums.txt.sig \ | |
--certificate-identity-regexp=https://github.com/{{ .Env.GITHUB_REPOSITORY_OWNER }} \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com | |
\`\`\` | |
""" | |
echo "$MULTILINE_STRING" | |
gh release view $RELEASE_TAG --json body | jq -r '.body' > release_notes.txt | |
MULTILINE_STRING+="$(cat release_notes.txt)" | |
echo "$MULTILINE_STRING" | |
gh release edit $RELEASE_TAG --notes $MULTILINE_STRING | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
OWNER: ${{ github.repository_owner }} | |
REPO: ${{ github.event.repository.name }} | |