.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml #27014
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| schedule: | |
| - cron: "0 2 * * *" | |
| workflow_dispatch: | |
| push: | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+" # # triggers only if push new tag version, like `v0.8.4` or else | |
| permissions: read-all | |
| concurrency: "e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3" | |
| env: | |
| GH_TOKEN: ${{ secrets.E2E_GENERIC_TOKEN }} | |
| ISSUE_REPOSITORY: slsa-framework/slsa-github-generator | |
| DEFAULT_VERSION: v38.0.0 | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - id: create | |
| run: ./.github/workflows/scripts/e2e-create-release.sh | |
| shim: | |
| runs-on: ubuntu-latest | |
| if: github.event_name == 'push' && github.ref_type == 'tag' | |
| outputs: | |
| continue: ${{ steps.verify.outputs.continue }} | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - id: verify | |
| run: ./.github/workflows/scripts/e2e-verify-release.sh | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # For uploading assets to release | |
| needs: [shim] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Generate version flags | |
| id: args | |
| run: | | |
| set -euo pipefail | |
| THIS_FILE=$(gh api -H "Accept: application/vnd.github.v3+json" "/repos/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" | jq -r '.path' | cut -d '/' -f3) | |
| BRANCH=$(echo "$THIS_FILE" | cut -d '.' -f4) | |
| SOURCE_DATE_EPOCH=$(git log --date=iso8601-strict -1 --pretty=%ct) | |
| GIT_TREESTATE=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi) | |
| echo "version_flags=-X main.gitVersion=v1.2.3 -X main.gitCommit=abcdef -X main.gitBranch=${BRANCH} -X main.gitTreeState=${GIT_TREESTATE} -X main.buildDate=${SOURCE_DATE_EPOCH} -w" >> "${GITHUB_OUTPUT}" | |
| - name: Run GoReleaser | |
| id: run-goreleaser | |
| uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0 | |
| with: | |
| version: latest | |
| args: release --clean | |
| workdir: ./e2e/goreleaser | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| VERSION_LDFLAGS: ${{ steps.args.outputs.version_flags }} | |
| - name: Generate subject | |
| id: hash | |
| env: | |
| ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
| working-directory: ./e2e/goreleaser | |
| run: | | |
| set -euo pipefail | |
| checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(base64 -w0 <"$checksum_file")" >> "${GITHUB_OUTPUT}" | |
| provenance: | |
| needs: [shim, build] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| permissions: | |
| id-token: write # For signing. | |
| contents: write # For asset uploads. | |
| actions: read # For the entrypoint. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.hashes }}" | |
| compile-generator: true | |
| upload-assets: true | |
| verify: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - name: Download assets | |
| run: gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" | |
| - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0 | |
| with: | |
| go-version: "1.24" | |
| - env: | |
| CHECKSUMS_B64: ${{ needs.build.outputs.hashes }} | |
| PROVENANCE: ${{ needs.provenance.outputs.provenance-name }} | |
| run: | | |
| set -euo pipefail | |
| checksums=$(echo "${CHECKSUMS_B64}" | base64 -d) | |
| while read -r line; do | |
| fn=$(echo "$line" | awk '{ print $2 }') | |
| echo "Verifying $fn" | |
| BINARY="$fn" ./.github/workflows/scripts/e2e.generic.default.verify.sh | |
| done <<<"$checksums" | |
| if-succeeded: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance, verify] | |
| if: needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && needs.build.result == 'success' && needs.provenance.result == 'success' && needs.verify.result == 'success' | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: ./.github/workflows/scripts/e2e-report-success.sh | |
| if-failed: | |
| runs-on: ubuntu-latest | |
| needs: [shim, build, provenance, verify] | |
| if: always() && needs.shim.outputs.continue == 'yes' && github.event_name == 'push' && github.ref_type == 'tag' && (needs.build.result == 'failure' || needs.provenance.result == 'failure' || needs.verify.result == 'failure') | |
| steps: | |
| - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| - run: ./.github/workflows/scripts/e2e-report-failure.sh |