#
# Copyright 2022 The GUAC Authors.
# Copyright 2024 The Skootrs Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
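name: release

on:
  workflow_dispatch: # testing only, trigger manually to test it works
  push:
    branches:
      - main
    tags:
      - "v*"

# Workflow-wide default for GITHUB_TOKEN: read-only. Each job below opts in
# to the extra scopes it needs so one job's token cannot act on another's behalf.
permissions:
  actions: read # for detecting the Github Actions environment.
  contents: read

jobs:
  # Builds and tests the crate; on a v* tag it also emits the SLSA subject list
  # that provenance-bins signs.
  cargo:
    # NOTE(review): no step in this job currently uploads assets, pushes a
    # package or signs an image -- the GHCR login and cosign steps below are
    # marked TODO. These three scopes are only held for that future work;
    # least privilege says drop them until those steps land.
    permissions:
      contents: write # To upload assets to release.
      packages: write # To publish container images to GHCR
      id-token: write # needed for signing the images with GitHub OIDC Token
    runs-on: ubuntu-latest
    outputs:
      # base64 of the `sha256sum` line(s) for the release binary; read by
      # provenance-bins as base64-subjects. Empty on non-tag runs.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          fetch-depth: 0
      # TODO: This currently isn't used. Working on creating container images for Rust.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # TODO: This currently isn't used. Working on signing container images for Rust.
      - name: Install cosign
        uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # main
      # NOTE(review): every other action here is pinned to a commit SHA; `@nightly`
      # is a moving ref, so what this step executes can change between runs of the
      # same workflow. Pin to a SHA with the ref in a trailing comment, as above.
      # Building releases on a nightly toolchain also makes them non-reproducible.
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@nightly
      - name: Run Cargo Build for snapshot release
        if: ${{ !startsWith(github.ref, 'refs/tags/') }}
        id: run-cargo-snapshot
        run: cargo build --verbose && cargo test --verbose
      - name: Run Cargo Build for versioned Release
        if: startsWith(github.ref, 'refs/tags/')
        id: run-cargo-release
        run: cargo build --verbose --release && cargo test --verbose
      # TODO: Don't make this hardcoded.
      - name: Generate hashes and extract image digest
        id: hash
        if: startsWith(github.ref, 'refs/tags/')
        # The SLSA generic generator expects base64 of "<sha256>  <path>" lines.
        # The previous form, `hashes=sha256sum target/release/skootrs | base64 -w0`,
        # was a shell assignment-prefix: it ran the skootrs binary itself with
        # hashes=sha256sum in its environment, piped the binary's stdout to base64,
        # and left $hashes unset -- so provenance was produced for no subject.
        # Capturing the pipeline with $(...) is the fix; pipefail makes a failed
        # sha256sum fail the step instead of recording an empty subject list.
        run: |
          set -euo pipefail
          hashes=$(sha256sum target/release/skootrs | base64 -w0)
          echo "hashes=${hashes}" >> "$GITHUB_OUTPUT"

  # Produces an SPDX SBOM for the crate and uploads it as a build artifact on tags.
  sbom:
    # Checkout needs only read; upload-artifact needs no contents scope at all.
    # The previous `contents: write` was unused by any step in this job.
    permissions:
      contents: read
    runs-on: ubuntu-latest
    needs: [cargo]
    steps:
      - name: Checkout
        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
        with:
          fetch-depth: 0
      # Same toolchain installer as the cargo job (was actions-rs/toolchain@v1,
      # a second unpinned installer). Same pinning caveat applies: `@nightly`
      # is a moving ref and should be pinned to a commit SHA.
      - name: Setup Rust
        uses: dtolnay/rust-toolchain@nightly
      # TODO(review): the SBOM tool is itself fetched unpinned from crates.io at
      # run time; pass `--version <x.y.z> --locked` so the tool that describes
      # the supply chain is not a floating dependency of it.
      - name: Install cargo sbom
        run: cargo install cargo-sbom
      - name: Generate SBOM
        run: cargo sbom > skootrs.spdx.json
      # Uploaded as a workflow artifact only; it is not attached to the release
      # and is not covered by the provenance below.
      - name: Upload SBOM
        if: startsWith(github.ref, 'refs/tags/')
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: skootrs.spdx.json
          path: skootrs.spdx.json

  # Signs SLSA provenance for the subjects emitted by the cargo job and attaches
  # both to the GitHub release.
  provenance-bins:
    # The generic generator needs id-token (OIDC signing), actions: read and
    # contents: write (upload-assets). It never touches GHCR, so the former
    # `packages: write` grant was surplus and has been removed.
    permissions:
      id-token: write
      actions: read
      contents: write
    name: generate provenance for binaries
    needs: [cargo]
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
    with:
      base64-subjects: "${{ needs.cargo.outputs.hashes }}"
      upload-assets: true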