Skip to content
Release Kusari CLI

Merge pull request #219 from kusaridev/pxp928-fix-cli-output #380

Sign in to view logs

Merge pull request #219 from kusaridev/pxp928-fix-cli-output

Merge pull request #219 from kusaridev/pxp928-fix-cli-output #380

Workflow file for this run

.github/workflows/release.yaml at a1fe46f
name: Release Kusari CLI
on:
workflow_dispatch: # testing only, trigger manually to test it works
push:
branches:
- "*"
tags:
- "v*"
permissions:
actions: read # for detecting the Github Actions environment.
packages: read # for reading from GHCR
jobs:
goreleaser:
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image: ${{ steps.hash.outputs.image }}
digest: ${{ steps.hash.outputs.digest }}
permissions:
packages: write # To publish container images to GHCR
id-token: write # To use our OIDC token
contents: write # To upload assets to release
steps:
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Login to GitHub Container Registry
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
with:
go-version-file: 'go.mod'
cache: false
- name: Setup ko
uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
- name: Build and publish image with ko (non-release)
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
run: |
ko build ./kusari --bare \
--platform=linux/amd64,linux/arm64 \
--tags=latest,sha-${{ github.sha }}
- name: Build and publish image with ko (release)
if: startsWith(github.ref, 'refs/tags/')
run: |
ko build ./kusari --bare \
--platform=linux/amd64,linux/arm64 \
--tags=latest,sha-${{ github.sha }},$(echo "${{ github.ref_name }}" | sed 's/[^a-zA-Z0-9._-]//g')
- name: Install cosign
uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # main
- name: Install syft
uses: anchore/sbom-action/download-syft@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
- name: Run GoReleaser Snapshot
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
id: run-goreleaser-snapshot
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
distribution: goreleaser
version: '~> v2'
args: release --clean --snapshot --skip=sign
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag
DOCKER_CONTEXT: default
- name: Run GoReleaser Release
if: startsWith(github.ref, 'refs/tags/')
id: run-goreleaser-release
uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
with:
distribution: goreleaser
version: '~> v2'
args: 'release --clean'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_CONTEXT: default
# Generate image SBOM
- uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
name: Generate image SBOM
if: startsWith(github.ref, 'refs/tags/')
with:
image: ghcr.io/${{ github.repository }}:${{ github.ref_name }}
output-file: 'cyclonedx.sbom.json'
format: cyclonedx-json
# Download cyclonedx-gomod
- name: Download cyclonedx-gomod
if: startsWith(github.ref, 'refs/tags/')
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2.0.0
with:
version: v1
- name: Generate CycloneDX Build SBOM
if: startsWith(github.ref, 'refs/tags/')
run: |
cyclonedx-gomod app -licenses -json -output cyclonedx_build.json -main ./kusari
# Ingest image SBOM
- uses: kusaridev/kusari-ingest@de095cf0055369199682c3ec9ecf0d9207b2e26a #v2.0.8
name: Kusari ingestion for image SBOM
if: startsWith(github.ref, 'refs/tags/')
continue-on-error: true
with:
file-path: 'cyclonedx.sbom.json'
tenant-endpoint: https://kusari.api.us.kusari.cloud
client-id: ${{ secrets.KUSARI_CLIENT_ID }}
client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
alias: kusari-cli
document-type: 'image'
# Ingest build SBOM
- uses: kusaridev/kusari-ingest@de095cf0055369199682c3ec9ecf0d9207b2e26a #v2.0.8
name: Kusari ingestion for build SBOM
if: startsWith(github.ref, 'refs/tags/')
continue-on-error: true
with:
file-path: 'cyclonedx_build.json'
tenant-endpoint: https://kusari.api.us.kusari.cloud
client-id: ${{ secrets.KUSARI_CLIENT_ID }}
client-secret: ${{ secrets.KUSARI_CLIENT_SECRET }}
alias: kusari-cli
document-type: 'build'
- name: Generate hashes and extract image digest
id: hash
if: startsWith(github.ref, 'refs/tags/')
env:
ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
image=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).name | split(":")[0]')
echo "image=$image" >> $GITHUB_OUTPUT
digest=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).extra.Digest')
echo "digest=$digest" >> $GITHUB_OUTPUT
# sbom-container:
# # generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations
# name: generate sbom for container
# runs-on: ubuntu-latest
# needs: [goreleaser]
# if: startsWith(github.ref, 'refs/tags/')
# permissions:
# id-token: write # needed for signing the images with GitHub OIDC Token
# packages: write # needed to upload signatures
# contents: write # To upload assets to release
# steps:
# - name: Checkout code
# uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v3
# with:
# persist-credentials: false
# - name: Login to GitHub Container Registry
# uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
# with:
# registry: ghcr.io
# username: ${{ github.actor }}
# password: ${{ secrets.GITHUB_TOKEN }}
# - name: Run Trivy in fs mode to generate SBOM
# uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # master
# with:
# scan-type: "fs"
# format: "spdx-json"
# output: "spdx.sbom.json"
# - name: Install cosign
# uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # main
# - name: Sign image and sbom
# run: |
# #!/usr/bin/env bash
# set -euo pipefail
# cosign attach sbom --sbom spdx.sbom.json ${IMAGE_URI_DIGEST}
# cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
# shell: bash
# env:
# IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}
provenance-bins:
name: generate provenance for binaries
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
permissions:
id-token: write # To sign the provenance
contents: write # To upload assets to release
actions: read # To read the workflow path
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # must use semver here
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
# provenance-container:
# name: generate provenance for container
# needs: [goreleaser]
# if: startsWith(github.ref, 'refs/tags/')
# permissions:
# id-token: write # To sign the provenance
# contents: write # To upload assets to release
# packages: write # To publish container images to GHCR
# actions: read # To read the workflow path
# uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 # must use semver here
# with:
# image: ${{ needs.goreleaser.outputs.image }}
# digest: ${{ needs.goreleaser.outputs.digest }}
# registry-username: ${{ github.actor }}
# secrets:
# registry-password: ${{ secrets.GITHUB_TOKEN }}