Release Automation #18
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release Automation | |
| on: | |
| push: | |
| tags: | |
| - "*" # triggers only if push new tag version, like `0.8.4` or else | |
| permissions: | |
| contents: read | |
| jobs: | |
| goreleaser: | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # for goreleaser/goreleaser-action to create a GitHub release | |
| packages: write # for goreleaser/goreleaser-action to publish docker images | |
| runs-on: ubuntu-latest | |
| env: | |
| # Required for buildx on docker 19.x | |
| DOCKER_CLI_EXPERIMENTAL: "enabled" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
| with: | |
| fetch-depth: 0 | |
| - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2 | |
| - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2 | |
| - name: Set up Go | |
| uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 | |
| with: | |
| go-version: 1.21 | |
| check-latest: true | |
| - name: ghcr-login | |
| uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 # v1 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install GCC Multilib Support | |
| run: sudo apt-get install clang gcc-multilib g++-multilib | |
| - name: Run GoReleaser | |
| id: run-goreleaser | |
| uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0 | |
| with: | |
| version: latest | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }} | |
| - name: Generate subject | |
| id: hash | |
| env: | |
| ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -euo pipefail | |
| checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| provenance: | |
| needs: [goreleaser] | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 | |
| with: | |
| base64-subjects: "${{ needs.goreleaser.outputs.hashes }}" | |
| upload-assets: true | |
| private-repository: true | |