Merge pull request #265 from smlx/dependabot/github_actions/github-ac… #164
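# Release workflow: on every push to main, decide whether a new tag is due,
# and if so build, publish and attest the release artifacts and images.
name: release
on:
  push:
    branches:
      - main
# Deny every token scope by default; each job opts in to what it needs.
permissions: {}
jobs:
  release-tag:
    permissions:
      # create tag
      contents: write
    runs-on: ubuntu-latest
    outputs:
      # Consumed by release-build's `if:` to skip the build when no tag was cut.
      new-tag: ${{ steps.ccv.outputs.new-tag }}
    steps:
      # NOTE(review): checkout keeps the job token available to later git
      # commands by default; presumably ccv relies on that to push the tag.
      # Confirm before setting persist-credentials: false in this job.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Full history and tags.
          fetch-depth: 0
      - name: Bump tag if necessary
        id: ccv
        uses: smlx/ccv@7318e2f25a52dcd550e75384b84983973251a1f8 # v0.10.0
  release-build:
    permissions:
      # create release
      contents: write
      # push docker images to registry
      packages: write
      # required by attest-build-provenance
      id-token: write
      attestations: write
    needs: release-tag
    if: needs.release-tag.outputs.new-tag == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0
          # No step in this job performs an authenticated git operation
          # (goreleaser receives its token through env), so the checkout
          # credential is not left behind for the build tooling to read.
          persist-credentials: false
      - uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
        with:
          go-version: stable
      # The setup-buildx-action enables the docker-container driver, which allows
      # SBOM generation for the resulting container image using the syft
      # container which is automatically pulled and run during the container
      # image build. However, because the release process also generates an SBOM
      # for the binaries attached to the GitHub release (see the "sboms" section
      # in .goreleaser.yaml), it also needs to install syft into the action
      # environment.
      - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - uses: anchore/sbom-action/download-syft@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
      - name: Login to GHCR
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          # Job-scoped token; its registry access comes from `packages: write`.
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
        id: goreleaser
        with:
          # Every action here is pinned to a commit SHA, but the goreleaser
          # binary itself was fetched as `latest`. Constrain it to the v2 major
          # line so a new major release cannot change this privileged job
          # unreviewed; pin an exact version for fully reproducible releases.
          version: "~> v2"
          args: release --verbose
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # attest artifacts
      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
        with:
          subject-checksums: ./dist/checksums.txt
      # attest images
      - uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
        with:
          subject-checksums: ./dist/digests.txt
          # Also store the attestation next to the image in the registry.
          push-to-registry: true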