1212 required : true
1313
1414permissions :
15- contents : write # needed to write releases
16- id-token : write # needed for keyless signing
17- packages : write # needed for ghcr access
15+ contents : read
1816
1917env :
2018 CONTROLLER : ${{ github.event.repository.name }}
2119
2220jobs :
2321 release :
22+ outputs :
23+ hashes : ${{ steps.hash.outputs.hashes }}
2424 runs-on : ubuntu-latest
25+ permissions :
26+ contents : write # needed to write releases
27+ id-token : write # needed for keyless signing
28+ packages : write # needed for ghcr access
2529 steps :
26- - uses : actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
30+ - name : Checkout
31+ uses : actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
32+ - name : Setup Kustomize
33+ uses : fluxcd/pkg/actions/kustomize@main
2734 - name : Prepare
2835 id : prep
2936 run : |
@@ -32,20 +39,17 @@ jobs:
3239 VERSION=${GITHUB_REF/refs\/tags\//}
3340 fi
3441 echo "version=${VERSION}" >> $GITHUB_OUTPUT
35- - uses : actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
42+ - name : Setup Go
43+ uses : actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
3644 with :
3745 go-version : 1.20.x
38- - uses : actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1
39- with :
40- path : ~/go/pkg/mod
41- key : ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
42- restore-keys : |
43- ${{ runner.os }}-go-
46+ cache-dependency-path : |
47+ **/go.sum
48+ **/go.mod
4449 - uses : docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
4550 - uses : docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
4651 - uses : sigstore/cosign-installer@dd6b2e2b610a11fd73dd187a43d57cc1394e35f9 # v3.0.5
4752 - uses : anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2
48- - uses : fluxcd/pkg/actions/kustomize@main
4953 - name : Docker login ghcr.io
5054 uses : docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
5155 with :
@@ -69,24 +73,47 @@ jobs:
6973 - name : Docker push
7074 uses : docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
7175 with :
76+ sbom : true
77+ provenance : true
7278 push : true
7379 builder : ${{ steps.buildx.outputs.name }}
7480 context : .
7581 file : ./Dockerfile
7682 platforms : linux/amd64,linux/arm/v7,linux/arm64
7783 tags : ${{ steps.meta.outputs.tags }}
7884 labels : ${{ steps.meta.outputs.labels }}
79- - name : Cosign sign ghcr.io
85+ - name : Sign images
8086 env :
8187 COSIGN_EXPERIMENTAL : 1
8288 run : |
8389 cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
8490 cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
8591 - name : GoReleaser publish signed SBOM
92+ id : run-goreleaser
8693 if : startsWith(github.ref, 'refs/tags/v')
8794 uses : goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
8895 with :
8996 version : latest
90- args : release --rm-dist --skip-validate
97+ args : release --clean --skip-validate
9198 env :
9299 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
100+ - name : Generate SLSA hashes
101+ id : hash
102+ env :
103+ ARTIFACTS : " ${{ steps.run-goreleaser.outputs.artifacts }}"
104+ run : |
105+ set -euo pipefail
106+
107+ hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
108+ echo "hashes=$hashes" >> $GITHUB_OUTPUT
109+
110+ provenance :
111+ needs : [release]
112+ permissions :
113+ actions : read # To read the workflow path.
114+ id-token : write # To sign the provenance.
115+ contents : write # To add assets to the release.
116+ uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 117+ with :
118+ base64-subjects : " ${{ needs.release.outputs.hashes }}"
119+ upload-assets : true
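Review bot: The new `Generate SLSA hashes` step (new lines 100–108) and the `provenance` job (new lines 110–119) carry no tag condition, although the `run-goreleaser` step whose `artifacts` output they consume is gated by `if: startsWith(github.ref, 'refs/tags/v')`. If this workflow can run on a non-tag ref (the trigger block is outside the visible diff), `ARTIFACTS` expands to a single space, jq emits nothing, `hashes` is an empty string, and the SLSA generator is invoked with an empty `base64-subjects` and `upload-assets: true`. Gating both on the same predicate — `if: startsWith(github.ref, 'refs/tags/v')` on the hash step and on the `provenance` job — confines provenance generation to tagged releases. Separately, `echo $ARTIFACTS` on new line 107 should be `echo "$ARTIFACTS"` so the JSON is not subject to word splitting and glob expansion before it reaches jq. The file header and the beginning of this workflow are outside the visible section.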