openshift-pipelines
diff --git a/‎head
Lines changed: 1 addition & 0 deletions b/‎head
Lines changed: 1 addition & 0 deletions
diff --git a/‎upstream/.github/dependabot.yml
Lines changed: 10 additions & 0 deletions b/‎upstream/.github/dependabot.yml
Lines changed: 10 additions & 0 deletions
diff --git a/‎upstream/.github/workflows/build.yaml
Lines changed: 39 additions & 0 deletions b/‎upstream/.github/workflows/build.yaml
Lines changed: 39 additions & 0 deletions
diff --git a/‎upstream/.github/workflows/release.yaml
Lines changed: 153 additions & 0 deletions b/‎upstream/.github/workflows/release.yaml
Lines changed: 153 additions & 0 deletions
@@ -0,0 +1 @@
+e1791317e816171bff68c1f9e942cc1fef201902
@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/git" # Location of package manifests
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
@@ -0,0 +1,39 @@
+name: Build
+
+on:
+  pull_request:
+    branches: ['main']
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '0 0 * * *'
+
+jobs:
+
+  build:
+    defaults:
+      run:
+        working-directory: image/git-init
+    strategy:
+      fail-fast: false
+      matrix:
+        go-version: ['1.20', '1.21', '1.22']
+    name: Build ${{ matrix.go-version }}
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: ${{ matrix.go-version }}
+          check-latest: true
+
+      # FIXME: figure out how to configure or use golangci-lint
+      # - uses: golang/govulncheck-action@dd3ead030e4f2cf713062f7a3395191802364e13 # v1
+      #   with:
+      #     go-package: ./image/git-init/...
+      #     go-version-input: ${{ matrix.go-version }}
+
+      - run: |
+          go build ./...
+          go test -run=^$ ./...
@@ -0,0 +1,153 @@
+name: release
+
+on:
+ push:
+   tags:
+     - '*'
+# FIXME(vdemeester) Add commit + tag
+
+jobs:
+  goreleaser:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+      tag_name: ${{ steps.tag.outputs.tag_name }}
+
+    defaults:
+      run:
+        working-directory: image/git-init
+
+    permissions:
+      packages: write
+      id-token: write
+      contents: write
+
+    runs-on: ubuntu-latest
+    # defaults:
+    #   run:
+    #     working-directory: ./image/git-init
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - run: git fetch --prune --unshallow
+
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+        with:
+          go-version: '1.20'
+          check-latest: true
+
+      # This installs the current latest release.
+      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
+
+      - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
+
+      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
+
+      - name: Set tag output
+        id: tag
+        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
+      - uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
+        id: run-goreleaser
+        with:
+          version: latest
+          args: release --clean
+          workdir: ./image/git-init
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: sign ko-image
+        run: |
+          digest=$(crane digest "${REGISTRY}":"${GIT_TAG}")
+          cosign sign --yes \
+              -a GIT_HASH="${GIT_HASH}" \
+              -a GIT_TAG="${GIT_TAG}" \
+              -a RUN_ID="${RUN_ID}" \
+              -a RUN_ATTEMPT="${RUN_ATTEMPT}" \
+              "${REGISTRY}@${digest}"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GIT_HASH: ${{ github.sha }}
+          GIT_TAG: ${{ steps.tag.outputs.tag_name }}
+          RUN_ATTEMPT: ${{ github.run_attempt }}
+          RUN_ID: ${{ github.run_id }}
+          REGISTRY: "ghcr.io/${{ github.repository }}"
+
+      - name: Generate subject
+        id: hash
+        env:
+          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs:
+      - goreleaser
+
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
+      upload-assets: true
+      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+
+  verification:
+    needs:
+      - goreleaser
+      - provenance
+
+    runs-on: ubuntu-latest
+    permissions: read-all
+
+    steps:
+      # Note: this will be replaced with the GHA in the future.
+      - name: Install the verifier
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          gh -R slsa-framework/slsa-verifier release download v1.3.2 -p "slsa-verifier-linux-amd64"
+          chmod ug+x slsa-verifier-linux-amd64
+          # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md
+          COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1)
+          EXPECTED_HASH="b1d6c9bbce6274e253f0be33158cacd7fb894c5ebd643f14a911bfe55574f4c0"
+          if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then
+              echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH"
+              exit 1
+          fi
+
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
+
+      - name: Verify assets
+        env:
+          CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
+          PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
+        run: |
+          set -euo pipefail
+
+          checksums=$(echo "$CHECKSUMS" | base64 -d)
+          while read -r line; do
+              fn=$(echo $line | cut -d ' ' -f2)
+
+              echo "Verifying $fn"
+              ./slsa-verifier-linux-amd64 -artifact-path "$fn" \
+                                      -provenance "$PROVENANCE" \
+                                      -source "github.com/$GITHUB_REPOSITORY" \
+                                      -tag "$GITHUB_REF_NAME"
+
+          done <<<"$checksums"
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+e1791317e816171bff68c1f9e942cc1fef201902`