seclab-taskflow-agent/.github/workflows/release.yml at main · GitHubSecurityLab/seclab-taskflow-agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
name: Release

on:
  workflow_dispatch:
    inputs:
      release_tag:
        description: 'Release tag (e.g. v1.0.0)'
        required: false
        default: 'latest'

permissions:
  id-token: write
  contents: read
  attestations: write
  packages: write

env:
  REGISTRY: ghcr.io
  USER: githubsecuritylab
  IMAGE_NAME: seclab-taskflow-agent

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Set up Python
        uses: actions/setup-python@v6
        with:
          python-version: '3.11'

      - name: Create release
        id: docker_build
        run: |
          echo ${{ secrets.GHCR_TOKEN }} | docker login ghcr.io -u GitHubSecurityLab --password-stdin
          python release_tools/publish_docker.py ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }} ${{ github.event.inputs.release_tag }}
          DIGEST=$(cat /tmp/digest.txt)
          echo "digest=$DIGEST" >> $GITHUB_OUTPUT

      - name: Generate artifact attestation
        uses: actions/attest-build-provenance@v4
        with:
          subject-name: ${{ env.REGISTRY }}/${{ env.USER }}/${{ env.IMAGE_NAME }}
          subject-digest: '${{ steps.docker_build.outputs.digest }}'
          push-to-registry: true

      - name: Verify
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh attestation verify oci://ghcr.io/${{ env.USER }}/${{ env.IMAGE_NAME }}:${{ github.event.inputs.release_tag }} -R ${{ github.repository }}