Update codeql version pinning #38
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| # Copyright 2022 The GUAC Authors. | |
| # Copyright 2024 The Skootrs Authors. | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
| name: release | |
| on: | |
| workflow_dispatch: # testing only, trigger manually to test it works | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - "v*" | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| contents: read | |
| jobs: | |
| cargo: | |
| permissions: | |
| contents: write # To upload assets to release. | |
| packages: write # To publish container images to GHCR | |
| id-token: write # needed for signing the images with GitHub OIDC Token | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| fetch-depth: 0 | |
| # TODO: This is currently isn't used. Working on creating container images for Rust. | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # TODO: This currently isn't used. Working on creating signign container images for Rust. | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main | |
| - name: Setup Rust | |
| uses: dtolnay/rust-toolchain@nightly | |
| - name: Run Cargo Build for snapshot release | |
| if: ${{ !startsWith(github.ref, 'refs/tags/') }} | |
| id: run-cargo-snapshot | |
| run: cargo build --verbose && cargo test --verbose | |
| - name: Run Cargo Build for versioned Release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| id: run-cargo-release | |
| run: cargo build --verbose --release && cargo test --verbose | |
| - name: Upload Release Asset | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: gh release upload ${{ github.ref_name }} target/release/skootrs | |
| # TODO: Don't make this hardcoded. | |
| - name: Generate hashes | |
| id: hash | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: | | |
| hashes=$(sha256sum target/release/skootrs | base64 -w0) | |
| echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
| - name: Setup cargo release | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: cargo install cargo-release | |
| - name: Public to crates.io | |
| if: startsWith(github.ref, 'refs/tags/') | |
| env: | |
| CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }} | |
| run: | | |
| cargo release --execute --no-confirm | |
| sbom: | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| needs: [cargo] | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup cargo | |
| uses: actions-rs/toolchain@v1 | |
| with: | |
| toolchain: nightly | |
| - name: Install cargo sbom | |
| run: cargo install cargo-sbom | |
| - name: Generate SBOM | |
| run: cargo sbom > skootrs.spdx.json | |
| - name: Upload SBOM | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: skootrs.spdx.json | |
| path: skootrs.spdx.json | |
| - name: Push SBOM to release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| if: startsWith(github.ref, 'refs/tags/') | |
| run: gh release upload ${{ github.ref_name }} skootrs.spdx.json | |
| provenance-bins: | |
| permissions: | |
| id-token: write | |
| actions: read | |
| contents: write | |
| packages: write | |
| name: generate provenance for binaries | |
| needs: [cargo] | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here | |
| with: | |
| base64-subjects: "${{ needs.cargo.outputs.hashes }}" | |
| upload-assets: true |