Update release.yml #109
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| permissions: | |
| id-token: write # This is required for requesting the JWT | |
| contents: read # This is required for actions/checkout | |
| name: release | |
| on: | |
| push: | |
| branches: | |
| - cole/witness | |
| jobs: | |
| build-binaries: | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - name: Download syft | |
| uses: anchore/sbom-action/download-syft@v0.14.3 | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up Go | |
| uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 | |
| with: | |
| go-version: "1.19" | |
| cache: true | |
| - name: Download GoReleaser | |
| run: go install github.com/goreleaser/goreleaser@v1.17.1 | |
| - name: Run GoReleaser | |
| uses: testifysec/witness-run-action@v0.1.3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| with: | |
| enable-sigstore: true | |
| enable-archivista: true | |
| trace: true | |
| step: "build" | |
| command: goreleaser release --clean --snapshot | |
| - name: "Upload artifact" | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: binaries | |
| path: dist/ | |
| retention-days: 5 | |
| build-docker-server: | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup KO | |
| uses: imjasonh/setup-ko@v0.6 | |
| env: | |
| KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel | |
| - name: Login to GHCR | |
| env: | |
| AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }} | |
| run: | | |
| echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin | |
| - name: Build Server | |
| uses: testifysec/witness-run-action@v0.1.3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel | |
| with: | |
| enable-sigstore: true | |
| enable-archivista: true | |
| trace: true | |
| step: "build" | |
| attestations: "git github oci" | |
| command: ko build --tarball server.tar --sbom-dir . ./cmd/server | |
| - name: "Upload Server artifact" | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: server | |
| path: server.tar | |
| retention-days: 5 | |
| build-docker-harvestor: | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup KO | |
| uses: imjasonh/setup-ko@v0.6 | |
| env: | |
| KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel | |
| - name: Login to GHCR | |
| env: | |
| AUTH_TOKEN: ${{ secrets.AUTH_TOKEN }} | |
| run: | | |
| echo "${AUTH_TOKEN}" | ko login ghcr.io --username dummy --password-stdin | |
| - name: Build Harvestor | |
| uses: testifysec/witness-run-action@v0.1.3 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| KO_DOCKER_REPO: ghcr.io/github.com/testifysec/galadriel | |
| with: | |
| enable-sigstore: true | |
| enable-archivista: true | |
| trace: true | |
| step: "build" | |
| attestations: "git github oci" | |
| command: ko build --tarball harvestor.tar --sbom-dir . ./cmd/harvester | |
| - name: "Upload Harvestor artifact" | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: harvestor | |
| path: harvestor.tar | |
| retention-days: 5 | |
| - name: "Upload Signed Policy and Public Key" | |
| uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | |
| with: | |
| name: witness | |
| path: | | |
| .witness/policy-signed.json | |
| .witness/policy-bin-signed.json | |
| .witness/policy.pub | |
| retention-days: 90 | |
| verify-artifacts: | |
| needs: [build-binaries, build-docker-server, build-docker-harvestor] | |
| runs-on: "ubuntu-22.04" | |
| steps: | |
| - name: Download Server artifact | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: server | |
| path: . | |
| - name: Download Harvestor artifact | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: harvestor | |
| path: . | |
| - name: Download Signed Policy and Public Key | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: witness | |
| path: .witness | |
| - name: Download binaries | |
| uses: actions/download-artifact@v3.0.2 | |
| with: | |
| name: binaries | |
| path: dist | |
| - name: InstallWitness | |
| uses: jaxxstorm/action-install-gh-release@v1.10.0 | |
| with: # Grab the latest version | |
| repo: testifysec/witness | |
| tag: v0.1.13 | |
| - name: Verify Server Container | |
| run: witness verify -f server.tar -p .witness/policy-signed.json -k .witness/policy.pub --enable-archivista | |
| - name: Verify Harvestor Container | |
| run: witness verify -f harvestor.tar -p .witness/policy-signed.json -k .witness/policy.pub --enable-archivista | |
| - name: Verify dist folder | |
| run: |- | |
| find ./dist -type f | while read FILE | |
| do | |
| # Exclude config.yaml since it is common | |
| if [[ $FILE == *"config.yaml"* ]]; then | |
| continue | |
| fi | |
| # Run witness verify on the file | |
| echo "Verifying $FILE" | |
| witness verify -f $FILE -p .witness/policy-bin-signed.json -k .witness/policy.pub --enable-archivista | |
| done |