Skip to content

release: v0.6.0 (#386) #1351

release: v0.6.0 (#386)

release: v0.6.0 (#386) #1351

Workflow file for this run

name: Build, Test and Publish
on:
merge_group:
push:
branches:
- main
tags:
- 'v*'
pull_request:
workflow_dispatch:
permissions:
contents: read
env:
GO_VERSION: '>=1.21.3'
jobs:
lint:
name: Lints
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- name: golangci-lint
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: latest
args: -v -c .golangci.yaml
audit:
name: Security Audits
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- name: Run govulncheck
run: make audit
test:
name: Tests
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- name: Build
run: make build
- name: Run tests
run: make test
shellcheck:
name: Shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 #2.0.0
test-go-releaser:
name: Test Release Process
if: startsWith(github.ref, 'refs/tags/v') != true
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- name: Extract Version from Tag
id: tag_name
run: |
echo "current_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
shell: bash
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: '~> v2'
args: release --clean --config .goreleaser.yaml --snapshot --skip sign,publish,announce
goreleaser:
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
needs: [lint,audit,test,shellcheck]
permissions:
contents: write
packages: write # publish a new github release
id-token: write # needed for keyless signing
outputs:
digest: ${{ steps.image.outputs.digest }}
subjects-as-file: ${{ steps.hashes.outputs.handle }}
steps:
- name: Extract Version from Tag
id: tag_name
run: |
echo "current_version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
shell: bash
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4
with:
fetch-depth: 0
- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
cache-dependency-path: './go.sum'
check-latest: true
go-version: ${{ env.GO_VERSION }}
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
- name: Run GoReleaser
id: goreleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: '~> v2'
args: release --clean --config .goreleaser.yaml
env:
GITHUB_TOKEN: ${{ secrets.GORELEASER_GITHUB_TOKEN }}
- name: Update Docker Hub Description
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae # v4.0.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: openfga/cli
short-description: ${{ github.event.repository.description }}
- name: Generate binary hashes
id: binary
env:
ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '[.[] | {name, "digest": (.extra.Digest // .extra.Checksum)}] | unique | .[] | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
echo $hashes > digests.txt
- uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@5a775b367a56d5bd118a224a811bba288150a563 # [email protected]
id: hashes
with:
path: digests.txt
- name: Image digest
id: image
env:
ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
artifact=$(echo "$ARTIFACTS" | jq -r '[.[] | select (.type=="Docker Manifest")][0]')
image=$(echo "$artifact" | jq -r '.path' | cut -d':' -f1)
digest=$(echo "$artifact" | jq -r '.extra.Digest')
echo "digest=$digest" >> "$GITHUB_OUTPUT"
binary-provenance:
needs: [ goreleaser ]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
# Note: this _must_ be referenced by tag. See: https://github.com/slsa-framework/slsa-verifier/issues/12
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects-as-file: "${{ needs.goreleaser.outputs.subjects-as-file }}"
provenance-name: "fga.intoto.jsonl"
upload-assets: true # upload to a new release
image-provenance:
needs: [ goreleaser ]
permissions:
actions: read
id-token: write
packages: write
# Note: this _must_ be referenced by tag. See: https://github.com/slsa-framework/slsa-verifier/issues/12
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
image: openfga/cli
digest: ${{ needs.goreleaser.outputs.digest }}
secrets:
registry-username: ${{ secrets.DOCKERHUB_USERNAME }}
registry-password: ${{ secrets.DOCKERHUB_TOKEN }}
verification-with-slsa-verifier:
needs: [ goreleaser, binary-provenance ]
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # [email protected]
- name: Download assets
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
set -euo pipefail
gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" \
-p "$PROVENANCE" -p "*.tar.gz" -p "*.tar.gz.sbom.json"
- name: Verify assets
env:
PROVENANCE: "${{ needs.binary-provenance.outputs.provenance-name }}"
run: |
slsa-verifier verify-artifact \
--provenance-path "$PROVENANCE" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
*.tar.gz *.tar.gz.sbom.json
verification-with-cosign:
needs: [ goreleaser, image-provenance ]
runs-on: ubuntu-latest
permissions: read-all
steps:
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Install Cosign
uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
- name: Verify image
env:
IMAGE: openfga/cli
DIGEST: ${{ needs.goreleaser.outputs.digest }}
run: |
cosign verify-attestation \
--type slsaprovenance \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp '^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9]+.[0-9]+.[0-9]+$' \
$IMAGE@$DIGEST