mirror of
https://github.com/securego/gosec.git
synced 2025-01-24 03:16:54 +02:00
6a2c5e16a1
Signed-off-by: Cosmin Cojocar <gcojocar@adobe.com>
77 lines
2.3 KiB
YAML
77 lines
2.3 KiB
YAML
name: Release
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
GO111MODULE: on
|
|
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
|
|
steps:
|
|
- name: Checkout Source
|
|
uses: actions/checkout@v3
|
|
- name: Unshallow
|
|
run: git fetch --prune --unshallow
|
|
- name: Set up Go
|
|
uses: actions/setup-go@v4
|
|
with:
|
|
go-version: '1.21.0'
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@v3
|
|
with:
|
|
cosign-release: 'v2.1.1'
|
|
- name: Store Cosign private key in a file
|
|
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
|
|
shell: bash
|
|
env:
|
|
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v2
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v2
|
|
- name: Login to DockerHub
|
|
uses: docker/login-action@v2
|
|
with:
|
|
username: ${{secrets.DOCKER_USERNAME}}
|
|
password: ${{secrets.DOCKER_PASSWORD}}
|
|
- name: Generate SBOM
|
|
uses: CycloneDX/gh-gomod-generate-sbom@v2
|
|
with:
|
|
version: v1
|
|
args: mod -licenses -json -output bom.json
|
|
- name: Docker meta
|
|
uses: docker/metadata-action@v4
|
|
id: meta
|
|
with:
|
|
images: securego/gosec
|
|
flavor: |
|
|
latest=true
|
|
tags: |
|
|
type=sha,format=long
|
|
type=semver,pattern={{version}}
|
|
- name: Release Binaries
|
|
uses: goreleaser/goreleaser-action@v4
|
|
with:
|
|
version: latest
|
|
args: release --clean
|
|
env:
|
|
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
|
|
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
|
- name: Release Docker Image
|
|
uses: docker/build-push-action@v4
|
|
with:
|
|
platforms: linux/amd64,linux/arm/v7,linux/arm64
|
|
tags: ${{steps.meta.outputs.tags}}
|
|
labels: ${{steps.meta.outputs.labels}}
|
|
push: true
|
|
build-args: GO_VERSION=1.21
|
|
- name: Sign Docker Image
|
|
run: cosign sign --yes --key /tmp/cosign.key ${DIGEST}
|
|
env:
|
|
TAGS: ${{steps.meta.outputs.tags}}
|
|
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
|
|
COSIGN_PRIVATE_KEY: /tmp/cosign.key
|
|
DIGEST: ${{steps.build-push-action.outputs.digest}}
|