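# Release workflow: builds with GoReleaser, pushes the version tag, signs
# the selected binaries with Sigstore (keyless, using the job's OIDC token)
# and attaches build provenance. Only runs when triggered manually.
name: Release
on:
  workflow_dispatch:

# No token scopes at the workflow level; the job grants only what it needs.
permissions: {}

jobs:
  release:
    name: Build & Draft Release
    runs-on: ubuntu-latest
    permissions:
      contents: write      # push the release tag, create/upload release assets
      id-token: write      # OIDC token for keyless cosign signing and attestation
      attestations: write  # store the build-provenance attestation
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          # `audit` only logs egress; `block` with an explicit allow-list is
          # stricter once the endpoints this job needs are known.
          egress-policy: audit

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0  # full history and tags, needed by the tag check and GoReleaser

      - name: Extract version from source
        id: version
        run: |
          # First `Version ... =` line of version.go; the quoted value is the version.
          version=$(grep -m1 'Version.*=' internal/buildinfo/version.go | sed 's/.*"\(.*\)".*/\1/')
          if [ -z "$version" ]; then
            echo "::error::Could not extract Version from internal/buildinfo/version.go"
            exit 1
          fi
          tag="v${version}"
          echo "version=${version}" >> "$GITHUB_OUTPUT"
          echo "tag=${tag}" >> "$GITHUB_OUTPUT"

      # Step outputs are handed to shell steps through `env:` instead of being
      # expanded with ${{ }} inside the script, so their contents are treated
      # as data by the shell and never parsed as shell syntax.
      - name: Check tag does not already exist
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          if git rev-parse "refs/tags/${TAG}" >/dev/null 2>&1; then
            echo "::error::Tag ${TAG} already exists."
            exit 1
          fi

      - name: Create tag
        env:
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "${TAG}" -m "Release ${TAG}"
          git push origin "${TAG}"

      - name: Set up Go
        uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
        with:
          go-version-file: go.mod

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        with:
          distribution: goreleaser
          # NOTE(review): `latest` is not pinned, so the builder can change
          # between runs; a fixed GoReleaser version would make builds
          # reproducible — confirm the intended version before pinning.
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Resolve draft release tag
        id: release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ steps.version.outputs.tag }}
        run: |
          # GoReleaser creates draft releases under an "untagged-*" slug,
          # so gh release upload by version tag returns 404. Look up the
          # actual tag GitHub assigned to the draft.
          # The tag is compared inside jq via $ENV so it is never spliced
          # into the filter text.
          release_tag=$(gh api "repos/${GITHUB_REPOSITORY}/releases" \
            --jq '[.[] | select(.draft and .tag_name == $ENV.TAG)] | first | .tag_name')
          if [ -z "$release_tag" ] || [ "$release_tag" = "null" ]; then
            echo "::error::Could not find draft release for ${TAG}"
            exit 1
          fi
          echo "tag=$release_tag" >> "$GITHUB_OUTPUT"
          echo "Resolved draft release tag: $release_tag"

      - name: Install cosign
        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0

      - name: Locate binaries
        id: binaries
        run: |
          # `head -1` keeps the first match; a second matching file would be
          # silently ignored.
          DARWIN=$(find dist -type f -name '*darwin_unnotarized' | head -1)
          WIN_AMD64=$(find dist -type f -name '*.exe' -path '*windows_amd64*' | head -1)
          WIN_ARM64=$(find dist -type f -name '*.exe' -path '*windows_arm64*' | head -1)
          for label in "darwin:${DARWIN}" "windows_amd64:${WIN_AMD64}" "windows_arm64:${WIN_ARM64}"; do
            name="${label%%:*}"
            path="${label#*:}"
            if [ -z "$path" ] || [ ! -f "$path" ]; then
              echo "::error::Binary not found for ${name}"
              find dist -type f
              exit 1
            fi
          done
          echo "darwin=$DARWIN" >> "$GITHUB_OUTPUT"
          echo "win_amd64=$WIN_AMD64" >> "$GITHUB_OUTPUT"
          echo "win_arm64=$WIN_ARM64" >> "$GITHUB_OUTPUT"

      - name: Sign artifacts with Sigstore
        shell: bash
        env:
          DARWIN: ${{ steps.binaries.outputs.darwin }}
          WIN_AMD64: ${{ steps.binaries.outputs.win_amd64 }}
          WIN_ARM64: ${{ steps.binaries.outputs.win_arm64 }}
        run: |
          # Keyless signing with the job's OIDC identity (id-token: write);
          # each call writes a Sigstore bundle under dist/ that is uploaded
          # alongside the release in the next step.
          sign_with_retry() {
            local blob="$1"
            local bundle="$2"
            for attempt in 1 2 3; do
              if cosign sign-blob "$blob" --bundle "$bundle" --yes; then
                return 0
              fi
              echo "::warning::Signing attempt $attempt failed for $(basename "$blob"), retrying in 10s..."
              sleep 10
            done
            echo "::error::Signing failed for $(basename "$blob") after 3 attempts"
            return 1
          }
          sign_with_retry "${DARWIN}" \
            "dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle"
          sign_with_retry "${WIN_AMD64}" \
            "dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle"
          sign_with_retry "${WIN_ARM64}" \
            "dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle"
          sign_with_retry "stepsecurity-dev-machine-guard.sh" \
            "dist/stepsecurity-dev-machine-guard.sh.bundle"

      - name: Upload cosign bundles
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ steps.release.outputs.tag }}
        run: |
          gh release upload "${RELEASE_TAG}" \
            dist/stepsecurity-dev-machine-guard-darwin_unnotarized.bundle \
            dist/stepsecurity-dev-machine-guard-windows_amd64.exe.bundle \
            dist/stepsecurity-dev-machine-guard-windows_arm64.exe.bundle \
            dist/stepsecurity-dev-machine-guard.sh.bundle \
            --clobber

      - name: Attest build provenance
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          # One subject per line; the same files that were signed above.
          subject-path: |
            ${{ steps.binaries.outputs.darwin }}
            ${{ steps.binaries.outputs.win_amd64 }}
            ${{ steps.binaries.outputs.win_arm64 }}
            stepsecurity-dev-machine-guard.sh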