sigil/.github/workflows/release.yml at main · 0-draft/sigil · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
# release flow:
#   1. tag v* on main triggers this workflow
#   2. build job produces a tarball + slsa provenance via the slsa-github-generator
#      reusable workflow (which runs in an isolated builder, not in our repo's runner)
#   3. publish job uses npm trusted publisher (oidc) to publish with --provenance
#   4. sign job runs cosign sign-blob keylessly, identity = this workflow
#
# secrets used: none. there is no NPM_TOKEN. credentials are minted via oidc per run.

name: release

on:
  push:
    tags: ["v*"]
  workflow_dispatch:

permissions: {}

jobs:
  build:
    name: build tarball + slsa provenance
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    outputs:
      tarball-name: ${{ steps.pack.outputs.tarball-name }}
      tarball-sha256: ${{ steps.pack.outputs.tarball-sha256 }}
      subjects-base64: ${{ steps.pack.outputs.subjects-base64 }}
    steps:
      - name: harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 24
          cache: npm
          registry-url: https://registry.npmjs.org

      - name: install (locked, no scripts)
        run: npm ci --ignore-scripts

      - name: build
        run: npm run build

      - name: pack
        id: pack
        run: |
          set -euo pipefail
          tarball=$(npm pack --silent | tail -n 1)
          sha=$(shasum -a 256 "$tarball" | awk '{print $1}')
          subjects=$(printf '%s  %s\n' "$sha" "$tarball" | base64 -w0)
          echo "tarball-name=$tarball"        >>"$GITHUB_OUTPUT"
          echo "tarball-sha256=$sha"          >>"$GITHUB_OUTPUT"
          echo "subjects-base64=$subjects"    >>"$GITHUB_OUTPUT"

      - name: upload tarball
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
        with:
          name: tarball
          path: ${{ steps.pack.outputs.tarball-name }}
          if-no-files-found: error
          retention-days: 7

  provenance:
    name: slsa v1.0 provenance
    needs: [build]
    permissions:
      actions: read
      contents: write
      id-token: write
    # exception: slsa-github-generator reusable workflows MUST be referenced by tag,
    # not sha. internally this ref is parsed as `refs/tags/vX.Y.Z` to fetch the pre-built
    # builder binary from the matching release. sha pinning makes the binary download
    # fail with "Invalid ref ... Expected ref of the form refs/tags/vX.Y.Z".
    # see https://github.com/slsa-framework/slsa-github-generator
    # check-pins.sh and pin-actions.sh both skip this path.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: ${{ needs.build.outputs.subjects-base64 }}
      provenance-name: ${{ needs.build.outputs.tarball-name }}.intoto.jsonl
      upload-assets: true

  publish:
    name: npm trusted publisher (--provenance)
    needs: [build, provenance]
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read
      id-token: write
    steps:
      - name: harden runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: audit

      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false

      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      - name: download tarball
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: tarball

      - name: publish
        run: npm publish "${{ needs.build.outputs.tarball-name }}" --provenance --access public

  sign:
    name: cosign sign-blob (keyless)
    needs: [build, publish]
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

      - name: download tarball
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
        with:
          name: tarball

      - name: sign
        # cosign v4 emits a single sigstore bundle (.sigstore.json) by default;
        # --output-signature / --output-certificate are deprecated and ignored.
        run: |
          cosign sign-blob --yes \
            --bundle "${{ needs.build.outputs.tarball-name }}.sigstore.json" \
            "${{ needs.build.outputs.tarball-name }}"

      - name: attach signature to release
        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3
        with:
          files: |
            ${{ needs.build.outputs.tarball-name }}.sigstore.json