Add check for PGP signed tags to release workflow #26

Workflow file for this run

.github/workflows/release.yaml at 73dec0f

	name: release

	on:
	push:
	tags:
	- 'v*'
	workflow_dispatch:
	inputs:
	tag:
	description: 'image tag prefix'
	default: 'rc'
	required: true

	permissions:
	contents: read

	env:
	CONTROLLER: ${{ github.event.repository.name }}

	jobs:
	release:
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	image_url: ${{ steps.hash.outputs.image_url }}
	image_digest: ${{ steps.hash.outputs.image_digest }}
	runs-on: ubuntu-latest
	permissions:
	contents: write # needed to write releases
	id-token: write # needed for keyless signing
	packages: write # needed for ghcr access
	steps:
	- name: Checkout
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
	- name: Setup Kustomize
	uses: fluxcd/pkg/actions/kustomize@main
	- name: Verify signed release
	if: startsWith(github.ref, 'refs/tags/v')
	run: \|
	git -P show ${GITHUB_REF_NAME} \| grep -q 'PGP SIGNATURE' \|\| \
	{ echo "No PGP signature found for tag ${GITHUB_REF_NAME}. Aborting release process..."; exit 1; }
	- name: Prepare
	id: prep
	run: \|
	VERSION="${{ github.event.inputs.tag }}-${GITHUB_SHA::8}"
	if [[ $GITHUB_REF == refs/tags/* ]]; then
	VERSION=${GITHUB_REF/refs\/tags\//}
	fi
	echo "version=${VERSION}" >> $GITHUB_OUTPUT
	- name: Setup Go
	uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
	with:
	go-version: 1.20.x
	cache-dependency-path: \|
	**/go.sum
	**/go.mod
	- uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
	- uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34 # v2.7.0
	- uses: sigstore/cosign-installer@d13028333d784fcc802b67ec924bcebe75aa0a5f # v3.1.0
	- uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
	- name: Docker login ghcr.io
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	registry: ghcr.io
	username: fluxcdbot
	password: ${{ secrets.GHCR_TOKEN }}
	- name: Docker login docker.io
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	username: fluxcdbot
	password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
	- name: Docker meta
	id: meta
	uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
	with:
	images: \|
	fluxcd/${{ env.CONTROLLER }}
	ghcr.io/fluxcd/${{ env.CONTROLLER }}
	tags: \|
	type=raw,value=${{ steps.prep.outputs.version }}
	- name: Docker push
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	id: build-push
	with:
	sbom: true
	provenance: true
	push: true
	builder: ${{ steps.buildx.outputs.name }}
	context: .
	file: ./Dockerfile
	platforms: linux/amd64,linux/arm/v7,linux/arm64
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	- name: Sign images
	env:
	COSIGN_EXPERIMENTAL: 1
	run: \|
	cosign sign --yes fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	cosign sign --yes ghcr.io/fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	- name: GoReleaser publish signed SBOM
	id: run-goreleaser
	if: startsWith(github.ref, 'refs/tags/v')
	uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v4.3.0
	with:
	version: latest
	args: release --clean --skip-validate
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	- name: Generate SLSA hashes
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	hashes=$(echo $ARTIFACTS \| jq --raw-output '.[] \| {name, "digest": (.extra.Digest // .extra.Checksum)} \| select(.digest) \| {digest} + {name} \| join(" ") \| sub("^sha256:";"")' \| base64 -w0)
	echo "hashes=$hashes" >> $GITHUB_OUTPUT

	image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
	image_digest=${{ steps.build-push.outputs.digest }}
	echo "image_url=$image_url" >> $GITHUB_OUTPUT
	echo "image_digest=$image_digest" >> $GITHUB_OUTPUT

	release-provenance:
	needs: [release]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to the release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.release.outputs.hashes }}"
	upload-assets: true

	dockerhub-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}

	ghcr-provenance:
	needs: [release]
	permissions:
	actions: read # for detecting the Github Actions environment.
	id-token: write # for creating OIDC tokens for signing.
	packages: write # for uploading attestations.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	image: ghcr.io/${{ needs.release.outputs.image_url }}
	digest: ${{ needs.release.outputs.image_digest }}
	registry-username: fluxcdbot
	secrets:
	registry-password: ${{ secrets.GHCR_TOKEN }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add check for PGP signed tags to release workflow #26

Workflow file

Add check for PGP signed tags to release workflow #26

Jobs

Run details

Workflow file for this run