mirror of
https://github.com/block/goose.git
synced 2026-07-17 12:56:20 +02:00
Add SLSA build provenance attestations to release workflows (#7097)
This commit is contained in:
@@ -15,6 +15,13 @@ concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
# Permissions for SLSA attestation, AWS OIDC codesigning, and release creation
|
||||
permissions:
|
||||
id-token: write # Required for Sigstore OIDC signing and AWS OIDC codesigning
|
||||
contents: write # Required for creating releases and by actions/checkout
|
||||
actions: read # Required by bundle-desktop-windows.yml reusable workflow
|
||||
attestations: write # Required for SLSA build provenance attestations
|
||||
|
||||
jobs:
|
||||
# ------------------------------------
|
||||
# 1) Prepare Version
|
||||
@@ -100,6 +107,8 @@ jobs:
|
||||
needs: [build-cli, install-script, bundle-desktop, bundle-desktop-linux, bundle-desktop-windows]
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write # Required for Sigstore OIDC signing
|
||||
attestations: write # Required for SLSA build provenance attestations
|
||||
|
||||
steps:
|
||||
- name: Download all artifacts
|
||||
@@ -107,6 +116,17 @@ jobs:
|
||||
with:
|
||||
merge-multiple: true
|
||||
|
||||
- name: Attest build provenance
|
||||
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
|
||||
with:
|
||||
subject-path: |
|
||||
goose-*.tar.bz2
|
||||
Goose*.zip
|
||||
*.deb
|
||||
*.rpm
|
||||
*.flatpak
|
||||
download_cli.sh
|
||||
|
||||
# Create/update the canary release
|
||||
- name: Release canary
|
||||
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
|
||||
|
||||
@@ -15,6 +15,8 @@ on:
|
||||
permissions:
|
||||
contents: read
|
||||
packages: write
|
||||
id-token: write # Required for Sigstore OIDC signing
|
||||
attestations: write # Required for SLSA build provenance attestations
|
||||
|
||||
jobs:
|
||||
docker:
|
||||
@@ -51,6 +53,7 @@ jobs:
|
||||
type=raw,value={{tag}},enable=${{ startsWith(github.ref, 'refs/tags/v') }}
|
||||
|
||||
- name: Build and push Docker image
|
||||
id: docker-push
|
||||
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # pin@v6.18.0
|
||||
with:
|
||||
context: .
|
||||
@@ -60,3 +63,10 @@ jobs:
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
platforms: linux/amd64,linux/arm64
|
||||
|
||||
- name: Attest Docker image
|
||||
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
|
||||
with:
|
||||
subject-name: ghcr.io/${{ github.repository_owner }}/goose
|
||||
subject-digest: ${{ steps.docker-push.outputs.digest }}
|
||||
push-to-registry: true
|
||||
|
||||
@@ -13,6 +13,7 @@ permissions:
|
||||
id-token: write # Required for AWS OIDC authentication in called workflow
|
||||
contents: write # Required for creating releases and by actions/checkout
|
||||
actions: read # May be needed for some workflows
|
||||
attestations: write # Required for SLSA build provenance attestations
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
@@ -92,12 +93,26 @@ jobs:
|
||||
needs: [build-cli, install-script, bundle-desktop, bundle-desktop-intel, bundle-desktop-linux, bundle-desktop-windows]
|
||||
permissions:
|
||||
contents: write
|
||||
id-token: write # Required for Sigstore OIDC signing
|
||||
attestations: write # Required for SLSA build provenance attestations
|
||||
steps:
|
||||
- name: Download all artifacts
|
||||
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
|
||||
with:
|
||||
merge-multiple: true
|
||||
|
||||
- name: Attest build provenance
|
||||
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
|
||||
with:
|
||||
subject-path: |
|
||||
goose-*.tar.bz2
|
||||
goose-*.zip
|
||||
Goose*.zip
|
||||
*.deb
|
||||
*.rpm
|
||||
*.flatpak
|
||||
download_cli.sh
|
||||
|
||||
# Create/update the versioned release
|
||||
- name: Release versioned
|
||||
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
|
||||
|
||||
Reference in New Issue
Block a user