XXX Test ko

AlCutter · AlCutter · commit 8da20f5ac45a · 2025-11-17T19:06:59.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,88 @@
+name: Release
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'main'
+
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    strategy:
+      matrix:
+        binary: ["fsck", "tesseract/aws", "tesseract/gcp", "tesseract/posix"]
+    steps:
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          path: tesseract
+
+      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+        with:
+          go-version-file: tesseract/go.mod
+      - name: Install ko
+        uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9.0
+
+      - name: Install cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+
+      - name: Login to GHCR
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and publish image
+        id: build
+        run: |
+          export KO_DOCKER_REPO="ghcr.io/$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]' )"
+
+          mkdir -p ${GITHUB_WORKSPACE}/sbom-output
+
+          cd ${GITHUB_WORKSPACE}/tesseract
+          image_and_digest=$(ko publish \
+            --platform=linux/amd64,linux/arm64 \
+            --tags=latest,${{ github.sha }} \
+            --sbom-dir=${GITHUB_WORKSPACE}/sbom-output \
+            github.com/transparency-dev/tesseract/cmd/${BINARY})
+
+          echo "Images: ${image}"
+          echo "SBOM files:"
+          ls -la ${GITHUB_WORKSPACE}/sbom-output/
+
+          image=$(echo "${image_and_digest}" | cut -d'@' -f1)
+          digest=$(echo "${image_and_digest}" | cut -d'@' -f2)
+          echo "image=${image}" >> "${GITHUB_OUTPUT}"
+          echo "digest=${digest}" >> "${GITHUB_OUTPUT}"
+        env:
+          BINARY: ${{ matrix.binary }}
+
+      - name: Generate artifact attestation
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-name: ${{ steps.build.outputs.image }}
+          subject-digest: ${{ steps.build.outputs.digest }}
+          push-to-registry: true
+
+      - name: Sign images
+        run: |
+          cosign sign --yes --recursive "${IMAGE}"
+        env:
+          IMAGE: ${{ steps.build.outputs.image }}
+
+      - name: Attest SBOMs
+        run: |
+            sbom="${GITHUB_WORKSPACE}/sbom-output/${BINARY##*/})-index.spdx.json"
+            cosign attest --yes --predicate "${sbom}" --type "https://spdx.dev/Document" "${IMAGE}@${DIGEST}"
+        env:
+          BINARY: ${{ matrix.binary }}
+          IMAGE: ${{ steps.build.outputs.image }}
+          DIGEST: ${{ steps.build.outputs.digest }}
+
