
refactor release job (#986)

* add tag name to the provenance

Signed-off-by: cpanato <ctadeu@gmail.com>

* refactor release job

Signed-off-by: cpanato <ctadeu@gmail.com>

---------

Signed-off-by: cpanato <ctadeu@gmail.com>
This commit is contained in:
Carlos Tadeu Panato Junior 2023-03-17 14:37:59 +01:00 committed by GitHub
parent 817eeefc66
commit deb13d71da
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 110 additions and 57 deletions


@ -9,22 +9,59 @@ jobs:
goreleaser:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
tag_name: ${{ steps.tag.outputs.tag_name }}
permissions:
packages: write
id-token: write
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: git fetch --prune --unshallow
- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true
- uses: ko-build/setup-ko@v0.6 # This installs the current latest release.
- uses: imjasonh/setup-crane@v0.3
- uses: sigstore/cosign-installer@v3.0.1
- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
- uses: goreleaser/goreleaser-action@v4.2.0
id: run-goreleaser
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: sign ko-image
run: |
digest=$(crane digest "${REGISTRY}":"${GIT_TAG}")
cosign sign --yes \
-a GIT_HASH="${GIT_HASH}" \
-a GIT_TAG="${GIT_TAG}" \
-a RUN_ID="${RUN_ID}" \
-a RUN_ATTEMPT="${RUN_ATTEMPT}" \
"${REGISTRY}@${digest}"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GIT_HASH: ${{ github.sha }}
GIT_TAG: ${{ steps.tag.outputs.tag_name }}
RUN_ATTEMPT: ${{ github.run_attempt }}
RUN_ID: ${{ github.run_id }}
REGISTRY: "ghcr.io/${{ github.repository }}"
- name: Generate subject
id: hash
env:
@ -33,45 +70,31 @@ jobs:
set -euo pipefail
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
echo "::set-output name=hashes::$(cat $checksum_file | base64 -w0)"
publish:
needs: [goreleaser]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- run: git fetch --prune --unshallow
- uses: actions/setup-go@v3
with:
go-version: '1.20'
check-latest: true
- uses: imjasonh/setup-ko@v0.6 # This installs the current latest release.
- uses: sigstore/cosign-installer@v3.0.1
- run: |
tag=$(echo ${{ github.ref }} | cut -c11-) # get tag name without tags/refs/ prefix.
img=$(ko build --bare --platform=all -t latest -t ${{ github.sha }} -t ${tag} ./)
echo "built ${img}"
cosign sign ${img} --yes \
-a sha=${{ github.sha }} \
-a run_id=${{ github.run_id }} \
-a run_attempt=${{ github.run_attempt }} \
-a tag=${tag}
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [goreleaser]
needs:
- goreleaser
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"
verification:
needs: [goreleaser, provenance]
needs:
- goreleaser
- provenance
runs-on: ubuntu-latest
permissions: read-all
steps:
# Note: this will be replaced with the GHA in the future.
- name: Install the verifier
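Review bot: The `upload-tag-name` input in the provenance job references `needs.release.outputs.tag_name`, but the job that declares `tag_name` (via `steps.tag.outputs.tag_name`) is `goreleaser`, and the provenance job's `needs` lists only `goreleaser`; unless a `release` job exists outside this hunk, that expression resolves to an empty string and the generator is not told which tag's release to attach the provenance to, which is the very thing this commit sets out to add. The line should read `upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"`. In the new "sign ko-image" step the digest is looked up from the registry by tag (`crane digest "${REGISTRY}":"${GIT_TAG}"`) after goreleaser has pushed; since a tag is mutable, a comment such as `# Resolve the just-pushed tag to its digest so the signature binds the immutable image, not the tag` would document the intent, and if goreleaser exposes the pushed digest in its artifact output, taking it from there would remove the extra registry round-trip between push and sign. The `verification` job continues past the end of this hunk.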


@ -1,45 +1,75 @@
# This is an example goreleaser.yaml file with some sane defaults.
# Make sure to check the documentation at http://goreleaser.com
before:
hooks:
# you may remove this if you don't use vgo
- go mod tidy
# you may remove this if you don't need go generate
- go generate ./...
- /bin/bash -c 'if [ -n "$(git --no-pager diff --exit-code go.mod go.sum)" ]; then exit 1; fi'
builds:
- main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le
- id: binary
main: ./main.go
env:
- CGO_ENABLED=0
flags:
- -trimpath
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
goos:
- windows
- linux
- darwin
goarch:
- amd64
- arm64
- s390x
- 386
- mips64le
- ppc64le
kos:
- id: ko-image
build: binary
main: .
base_image: golang:1.20
ldflags:
- "-s -w -X github.com/google/ko/pkg/commands.Version={{.Version}}"
platforms:
- all
tags:
- '{{ .Tag }}'
- '{{ .FullCommit }}'
- latest
sbom: spdx
bare: true
preserve_import_paths: false
base_import_paths: false
archives:
- replacements:
darwin: Darwin
linux: Linux
windows: Windows
386: i386
amd64: x86_64
- id: with-version
name_template: >-
{{ .ProjectName }}_
{{- .Version }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
- id: without-version
name_template: >-
{{ .ProjectName }}_
{{- title .Os }}_
{{- if eq .Arch "amd64" }}x86_64
{{- else if eq .Arch "386" }}i386
{{- else }}{{ .Arch }}{{ end }}
checksum:
name_template: 'checksums.txt'
snapshot:
name_template: "{{ .Tag }}-next"
changelog:
sort: asc
use: github
filters:
exclude:
- '^docs:'
- '^test:'
- '^docs:'
- '^test:'
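Review bot: `base_image: golang:1.20` in the new `kos` stanza selects the image base by a mutable tag, so the base layers of the published ko image can differ between two builds of the same release and the SLSA provenance produced from the checksums does not pin what the image was built on. If a full Go toolchain base is intentional (ko needs `go` available to build, so this may be deliberate), pin it by digest, e.g. `base_image: golang:1.20@sha256:<BASE_IMAGE_DIGEST_PLACEHOLDER>`, and bump it deliberately; if it is not, ko's default base is a far smaller surface than a toolchain image. The `ldflags` list is now written twice, once under the `binary` build and once under `ko-image`; a comment on the second copy such as `# keep in sync with builds[].ldflags above` would flag the coupling for the next person bumping the version variable.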


@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
# Copyright 2020 Google LLC All Rights Reserved.
#