forked from carvel-dev/imgpkg
-
Notifications
You must be signed in to change notification settings - Fork 0
132 lines (115 loc) · 4.56 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: goreleaser
on:
push:
tags:
- 'v*'
jobs:
goreleaser:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/checkout@v2
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.21.3
- name: Set up Cosign
uses: sigstore/cosign-installer@v3
- name: Retrieve version
run: |
echo "TAG_NAME=$(echo ${{ github.ref }} | grep -Eo 'v[0-9].*')" >> $GITHUB_OUTPUT
id: version
- name: Run GoReleaser
# GoReleaser v4.2.0
uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b
if: startsWith(github.ref, 'refs/tags/')
with:
version: 1.16.2
args: release --rm-dist --debug ${{ env.SKIP_PUBLISH }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: ${{ steps.version.outputs.TAG_NAME }}
- uses: actions/github-script@v4
id: get-checksums-from-draft-release
if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}
with:
github-token: ${{secrets.GITHUB_TOKEN}}
result-encoding: string
script: |
var crypto = require('crypto');
const { owner, repo } = context.repo;
// https://docs.github.com/en/rest/reference/repos#list-releases
// https://octokit.github.io/rest.js/v18#repos-list-releases
var releases = await github.repos.listReleases({
owner: owner,
repo: repo
});
var crypto = require('crypto')
var fs = require('fs')
const url = require('url');
const https = require('https');
checksums = {}
for (const r of releases["data"]) {
if (r.draft && `refs/tags/${r.tag_name}` == "${{ github.ref }}") {
for (const asset of r.assets) {
var release_asset = await github.repos.getReleaseAsset({ headers: {accept: `application/octet-stream`}, accept: `application/octet-stream`, owner: owner, repo: repo, asset_id: asset.id });
const hash = crypto.createHash('sha256');
let http_promise = new Promise((resolve, reject) => {
https.get(release_asset.url, (stream) => {
stream.on('data', function (data) {
hash.update(data);
});
stream.on('end', function () {
checksums[asset.name]= hash.digest('hex');
resolve(`${asset.name}`);
});
});
});
await http_promise;
}
}
}
console.log(checksums)
return `${checksums['imgpkg-darwin-amd64']} ./imgpkg-darwin-amd64
${checksums['imgpkg-darwin-arm64']} ./imgpkg-darwin-arm64
${checksums['imgpkg-linux-amd64']} ./imgpkg-linux-amd64
${checksums['imgpkg-linux-arm64']} ./imgpkg-linux-arm64
${checksums['imgpkg-windows-amd64.exe']} ./imgpkg-windows-amd64.exe`
- name: Verify checksums signature
run: |
cosign verify-blob \
--cert dist/checksums.txt.pem \
--signature dist/checksums.txt.sig \
--certificate-identity-regexp=https://github.com/${{ github.repository_owner }} \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
dist/checksums.txt
- name: verify uploaded artifacts
if: startsWith(github.ref, 'refs/tags/') && ${{ !env.ACT }}
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: |
set -e -x
VERSION=`echo ${{ github.ref }} | grep -Eo '[0-9].*'`
./hack/build-binaries.sh "$VERSION" > /tmp/go-checksums
cat /tmp/go-checksums
diff /tmp/go-checksums <(cat <<EOF
${{steps.get-checksums-from-draft-release.outputs.result}}
EOF
)
- run: |
RELEASE_TAG=$(git describe --tags --abbrev=0)
RELEASE_ID=$(gh release view $RELEASE_TAG --json id -q .id)
gh release edit $RELEASE_ID --notes <<EOF
Your multiline
release notes here.
EOF
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OWNER: ${{ github.repository_owner }}
REPO: ${{ github.event.repository.name }}