|
8 | 8 | - 'master' |
9 | 9 |
|
10 | 10 | jobs: |
11 | | - # goreleaser: |
12 | | - # runs-on: 'ubuntu-latest' |
13 | | - # permissions: |
14 | | - # contents: 'write' # Needs write access for upload-artifact. |
15 | | - # outputs: |
16 | | - # hashes: '${{ steps.outputs.outputs.hashes }}' |
17 | | - # steps: |
18 | | - # - name: 'checkout' |
19 | | - # uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 |
20 | | - # with: |
21 | | - # fetch-depth: 0 # So that goreleaser can determine the base version. |
22 | | - # - name: 'build' |
23 | | - # id: 'goreleaser' |
24 | | - # uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 |
25 | | - # with: |
26 | | - # args: 'release --snapshot --clean --skip docker --skip publish' |
27 | | - # version: '~> v1' |
28 | | - # - name: 'get version' |
29 | | - # id: 'version' |
30 | | - # shell: 'bash' |
31 | | - # run: | |
32 | | - # echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" |
33 | | - # - name: 'upload' |
34 | | - # uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 |
35 | | - # with: |
36 | | - # name: 'conftest_${{ steps.version.outputs.version }}' |
37 | | - # path: 'dist/*.*' |
38 | | - # retention-days: 30 |
39 | | - # - name: 'generate outputs' |
40 | | - # id: 'outputs' |
41 | | - # env: |
42 | | - # GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}' |
43 | | - # shell: 'bash' |
44 | | - # run: | |
45 | | - # set -euo pipefail |
46 | | - |
47 | | - # checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n') |
48 | | - # echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT" |
49 | | - |
50 | | - # binary-provenance: |
51 | | - # needs: ['goreleaser'] |
52 | | - # permissions: |
53 | | - # contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. |
54 | | - # actions: 'read' # To read the workflow path. |
55 | | - # id-token: 'write' # To sign the provenance. |
56 | | - # uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude |
57 | | - # with: |
58 | | - # base64-subjects: '${{ needs.goreleaser.outputs.hashes }}' |
59 | | - # upload-assets: false |
60 | | - |
61 | | - docker: |
| 11 | + goreleaser: |
62 | 12 | runs-on: 'ubuntu-latest' |
63 | 13 | permissions: |
64 | | - contents: 'read' |
| 14 | + contents: 'write' # Needs write access for upload-artifact. |
65 | 15 | outputs: |
66 | | - digest: '${{ steps.build.outputs.digest }}' |
| 16 | + checksums-handle: '${{ steps.checksum-handle.outputs.handle }}' |
| 17 | + sbom-handle: '${{ steps.sbom-handle.outputs.handle }}' |
| 18 | + version: '${{ steps.version.outputs.version }}' |
67 | 19 | env: |
68 | | - CONFTEST_IMAGE: 'openpolicyagent/conftest' |
69 | | - strategy: |
70 | | - matrix: |
71 | | - target: |
72 | | - - '' # Conftest |
73 | | - # - 'examples' # Examples |
74 | | - platform: |
75 | | - - 'linux/amd64' |
76 | | - # - 'linux/arm64' |
| 20 | + SBOM_FILE_NAME: 'cyclonedx_bom.json' |
77 | 21 | steps: |
78 | | - - name: 'setup docker buildx' |
79 | | - run: 'docker buildx create --name conftestbuild --use' |
| 22 | + - name: 'checkout' |
| 23 | + uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 |
| 24 | + with: |
| 25 | + fetch-depth: 0 # So that goreleaser can determine the base version. |
80 | 26 | - name: 'build' |
81 | | - id: 'build' |
82 | | - uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 |
| 27 | + id: 'goreleaser' |
| 28 | + uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6 |
| 29 | + with: |
| 30 | + version: '~> v1' |
| 31 | + args: >- |
| 32 | + release |
| 33 | + --snapshot |
| 34 | + --clean |
| 35 | + --skip docker |
| 36 | + --skip publish |
| 37 | + - name: 'get version' |
| 38 | + id: 'version' |
| 39 | + shell: 'bash' |
| 40 | + run: | |
| 41 | + echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT" |
| 42 | + - name: 'upload build' |
| 43 | + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4 |
83 | 44 | with: |
84 | | - push: false |
85 | | - # target: '${{ matrix.target }}' |
86 | | - tags: '${{ env.CONFTEST_IMAGE }}:latest' |
87 | | - # platforms: '${{ matrix.platform }}' |
| 45 | + name: 'conftest_${{ steps.version.outputs.version }}' |
| 46 | + path: 'dist/*.*' |
| 47 | + retention-days: 30 |
| 48 | + - name: 'generate sbom' |
| 49 | + uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2 |
| 50 | + with: |
| 51 | + version: 'v1' |
| 52 | + args: >- |
| 53 | + mod |
| 54 | + -licenses |
| 55 | + -json |
| 56 | + -verbose |
| 57 | + -output ${{ env.SBOM_FILE_NAME }} |
| 58 | + - name: 'get checksums handle' |
| 59 | + id: 'checksum-handle' |
| 60 | + uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude |
| 61 | + with: |
| 62 | + path: 'dist/checksums.txt' |
| 63 | + - name: 'get sbom handle' |
| 64 | + id: 'sbom-handle' |
| 65 | + uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude |
| 66 | + with: |
| 67 | + path: '${{ env.SBOM_FILE_NAME }}' |
| 68 | + |
| 69 | + binary-provenance: |
| 70 | + needs: ['goreleaser'] |
| 71 | + permissions: |
| 72 | + contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. |
| 73 | + actions: 'read' # To read the workflow path. |
| 74 | + id-token: 'write' # To sign the provenance. |
| 75 | + uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude |
| 76 | + with: |
| 77 | + base64-subjects-as-file: '${{ needs.goreleaser.outputs.checksums-handle }}' |
| 78 | + upload-assets: false |
| 79 | + |
| 80 | + sbom-provenance: |
| 81 | + needs: ['goreleaser'] |
| 82 | + permissions: |
| 83 | + contents: 'write' # Needs write access for upload-artifact even when upload-assets is false. |
| 84 | + actions: 'read' # To read the workflow path. |
| 85 | + id-token: 'write' # To sign the provenance. |
| 86 | + uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude |
| 87 | + with: |
| 88 | + base64-subjects-as-file: '${{ needs.goreleaser.outputs.sbom-handle }}' |
| 89 | + upload-assets: false |
| 90 | + |
| 91 | + # docker: |
| 92 | + # runs-on: 'ubuntu-latest' |
| 93 | + # permissions: |
| 94 | + # contents: 'read' |
| 95 | + # outputs: |
| 96 | + # digest: '${{ steps.build.outputs.digest }}' |
| 97 | + # env: |
| 98 | + # CONFTEST_IMAGE: 'openpolicyagent/conftest' |
| 99 | + # strategy: |
| 100 | + # matrix: |
| 101 | + # target: |
| 102 | + # - '' # Conftest |
| 103 | + # # - 'examples' # Examples |
| 104 | + # platform: |
| 105 | + # - 'linux/amd64' |
| 106 | + # # - 'linux/arm64' |
| 107 | + # steps: |
| 108 | + # - name: 'setup docker buildx' |
| 109 | + # run: 'docker buildx create --name conftestbuild --use' |
| 110 | + # - name: 'build' |
| 111 | + # id: 'build' |
| 112 | + # uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6 |
| 113 | + # with: |
| 114 | + # push: false |
| 115 | + # # target: '${{ matrix.target }}' |
| 116 | + # tags: '${{ env.CONFTEST_IMAGE }}:latest' |
| 117 | + # # platforms: '${{ matrix.platform }}' |
0 commit comments