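# SPDX-FileCopyrightText: 2026 The geany contributors.
# SPDX-License-Identifier: MPL-2.0
#
# Release pipeline. On a published GitHub release it:
#   1. builds a source archive from the release tag and uploads it (Build),
#   2. downloads every asset attached to the release and writes a sha256
#      manifest of them (ChecksumReleaseAssets),
#   3. hands that manifest to the slsa-github-generator reusable workflow,
#      which signs SLSA 3 provenance and uploads it to the release
#      (AssetProvenance).
---
name: Release

on:
  release:
    types:
      - published

# Workflow-wide default is read-only; each job requests only the write
# scopes it actually needs.
permissions: read-all

# One run per release tag; a newer run for the same tag supersedes an
# older one that is still in progress.
concurrency:
  group: release-${{ github.event.release.tag_name }}
  cancel-in-progress: true

jobs:
  Build:
    permissions:
      contents: write  # needed by `gh release upload`
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only records outbound connections; it does not block any.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # Archive the released tag, not whatever the default branch is at
          # run time. Quoted so an empty expansion stays a string, not null.
          ref: "${{ github.event.release.tag_name }}"

      - name: Generate source archive
        shell: bash
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          # Last path segment of the Go module path
          # (e.g. "example.com/org/proj" -> "proj").
          # Assumes a Go toolchain is present on the runner image; there is
          # no setup-go step in this workflow.
          PROJECT_NAME=$(go list -m | sed -r 's/(.*\/)*(.+)/\2/')
          # Tag names may contain "/"; flatten so the archive name and the
          # prefix inside it are a single path component.
          TAG=$(echo "$TAG_NAME" | sed 's/\//-/g')
          git archive \
            --format=tar.gz \
            --prefix="${PROJECT_NAME}-src-${TAG}/" \
            --output="${PROJECT_NAME}-src-${TAG}.tar.gz" \
            "$TAG_NAME"

      - name: Upload Release (via GitHub CLI)
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          PROJECT_NAME=$(go list -m | sed -r 's/(.*\/)*(.+)/\2/')
          # --clobber replaces an asset of the same name left by an earlier run.
          # The glob is intentionally unquoted so it expands to the archive(s)
          # produced by the previous step.
          gh release upload "$TAG_NAME" ${PROJECT_NAME}-src-*.tar.gz --clobber

  ChecksumReleaseAssets:
    name: Checksum Release Assets
    needs: Build
    runs-on: ubuntu-latest
    outputs:
      # Handle to the base64-encoded sha256 manifest; consumed by AssetProvenance.
      hashBase64File: ${{ steps.hashes.outputs.handle }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # `audit` only records outbound connections; it does not block any.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 1

      - name: Download all release assets via GitHub CLI
        shell: bash
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ github.event.release.tag_name }}
        run: |
          set -euo pipefail
          mkdir -p release-assets
          cd release-assets
          # Fetches every asset currently attached to the release. On a re-run
          # this presumably also includes assets uploaded by earlier runs of
          # this workflow, so they end up in the manifest too.
          gh release download "$TAG_NAME" --clobber
          echo "Downloaded assets:"
          ls -lah

      - name: Generate Checksums
        shell: bash
        working-directory: release-assets
        run: |
          set -euo pipefail
          # Byte-order collation for both `find` and `sort` so the manifest is
          # deterministic regardless of the runner's locale.
          export LC_ALL=C
          # Hash every regular file in this directory (NUL-separated names, so
          # unusual filenames cannot split an entry), base64-encode the
          # sha256sum output and write it to check.sha256.
          # check.sha256 is created by the redirection below in this same
          # directory, so it is excluded explicitly; otherwise the pipeline
          # can race and list the (empty) manifest inside itself.
          find . -maxdepth 1 -type f ! -name check.sha256 -printf '%P\0' \
            | sort -z \
            | xargs -0 sha256sum -- \
            | base64 -w0 \
            > check.sha256

      - name: Upload Checksums
        id: hashes
        uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # 2.1.0
        with:
          path: release-assets/check.sha256

  AssetProvenance:
    permissions:
      actions: read   # Needed for detection of GitHub Actions environment.
      id-token: write # Needed for provenance signing and ID.
      contents: write # Needed for release uploads.
    needs: ChecksumReleaseAssets
    # The SLSA generator reusable workflow must be referenced by a semver tag
    # rather than a commit SHA; that is a requirement of the generator itself.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # must have semver!
    with:
      base64-subjects-as-file: |
        ${{ needs.ChecksumReleaseAssets.outputs.hashBase64File }}
      upload-assets: true
      upload-tag-name: "${{ github.event.release.tag_name }}"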