Skip to content

Add github token secret to upload actions #28

Add github token secret to upload actions

Add github token secret to upload actions #28

Workflow file for this run

#
# Copyright 2022 The GUAC Authors.
# Copyright 2024 The Skootrs Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: release
on:
workflow_dispatch: # testing only, trigger manually to test it works
push:
branches:
- main
tags:
- "v*"
permissions:
actions: read # for detecting the Github Actions environment.
contents: read
jobs:
cargo:
permissions:
contents: write # To upload assets to release.
packages: write # To publish container images to GHCR
id-token: write # needed for signing the images with GitHub OIDC Token
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
# TODO: This is currently isn't used. Working on creating container images for Rust.
- name: Login to GitHub Container Registry
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# TODO: This currently isn't used. Working on creating signign container images for Rust.
- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main
- name: Setup Rust
uses: dtolnay/rust-toolchain@nightly
- name: Run Cargo Build for snapshot release
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
id: run-cargo-snapshot
run: cargo build --verbose && cargo test --verbose
- name: Run Cargo Build for versioned Release
if: startsWith(github.ref, 'refs/tags/')
id: run-cargo-release
run: cargo build --verbose --release && cargo test --verbose
- name: Upload Release Asset
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: startsWith(github.ref, 'refs/tags/')
run: gh release upload ${{github.event.release.tag_name}} target/release/skootrs
# TODO: Don't make this hardcoded.
- name: Generate hashes
id: hash
if: startsWith(github.ref, 'refs/tags/')
run: |
hashes=$(sha256sum target/release/skootrs | base64 -w0)
echo "hashes=$hashes" >> $GITHUB_OUTPUT
sbom:
permissions:
contents: write
runs-on: ubuntu-latest
needs: [cargo]
steps:
- name: Checkout
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- name: Setup cargo
uses: actions-rs/toolchain@v1
with:
toolchain: nightly
- name: Install cargo sbom
run: cargo install cargo-sbom
- name: Generate SBOM
run: cargo sbom > skootrs.spdx.json
- name: Upload SBOM
if: startsWith(github.ref, 'refs/tags/')
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: skootrs.spdx.json
path: skootrs.spdx.json
- name: Push SBOM to release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
if: startsWith(github.ref, 'refs/tags/')
run: gh release upload ${{github.event.release.tag_name}} skootrs.spdx.json
provenance-bins:
permissions:
id-token: write
actions: read
contents: write
packages: write
name: generate provenance for binaries
needs: [cargo]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
base64-subjects: "${{ needs.cargo.outputs.hashes }}"
upload-assets: true