Skip to content

Merge pull request #11 from trustification/appstudio-trustification-guac #33

Merge pull request #11 from trustification/appstudio-trustification-guac

Merge pull request #11 from trustification/appstudio-trustification-guac #33

Workflow file for this run

#
# Copyright 2022 The GUAC Authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: release
on:
workflow_dispatch: # testing only, trigger manually to test it works
push:
branches:
- main
tags:
- 'v*'
permissions:
actions: read # for detecting the Github Actions environment.
contents: write # To upload assets to release.
packages: write # To publish container images to GHCR
id-token: write # needed for signing the images with GitHub OIDC Token
jobs:
goreleaser:
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image: ${{ steps.hash.outputs.image }}
digest: ${{ steps.hash.outputs.digest }}
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
- name: Install cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # main
- name: Install syft
uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # v0.14.3
- name: Run GoReleaser Snapshot
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
id: run-goreleaser-snapshot
uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
with:
distribution: goreleaser
version: latest
args: release --clean --snapshot --skip-sign
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_CURRENT_TAG: v0.0.0-snapshot-tag
DOCKER_CONTEXT: default
- name: Run GoReleaser Release
if: startsWith(github.ref, 'refs/tags/')
id: run-goreleaser-release
uses: goreleaser/goreleaser-action@3fa32b8bb5620a2c1afe798654bbad59f9da4906 # v4.4.0
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
DOCKER_CONTEXT: default
- name: Generate hashes and extract image digest
id: hash
if: startsWith(github.ref, 'refs/tags/')
env:
ARTIFACTS: "${{ steps.run-goreleaser-release.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0)
if test "$hashes" = ""; then # goreleaser < v1.13.0
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
hashes=$(cat $checksum_file | base64 -w0)
fi
echo "hashes=$hashes" >> $GITHUB_OUTPUT
image=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).name | split(":")[0]')
echo "image=$image" >> $GITHUB_OUTPUT
digest=$(echo $ARTIFACTS | jq --raw-output '.[] | select( .type =="Docker Manifest" ).extra.Digest')
echo "digest=$digest" >> $GITHUB_OUTPUT
sbom-container:
# generate sbom for container as goreleaser can't - https://goreleaser.com/customization/sbom/#limitations
name: generate sbom for container
runs-on: ubuntu-latest
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=v3
- name: Login to GitHub Container Registry
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy in fs mode to generate SBOM
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f # master
with:
scan-type: 'fs'
format: 'spdx-json'
output: 'spdx.sbom.json'
- name: Install cosign
uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # main
- name: Sign image and sbom
run: |
#!/usr/bin/env bash
set -euo pipefail
cosign attach sbom --sbom spdx.sbom.json ${IMAGE_URI_DIGEST}
cosign sign -a git_sha=$GITHUB_SHA --attachment sbom ${IMAGE_URI_DIGEST} --yes
shell: bash
env:
IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}
provenance-bins:
name: generate provenance for binaries
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
provenance-container:
name: generate provenance for container
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
with:
image: ${{ needs.goreleaser.outputs.image }}
digest: ${{ needs.goreleaser.outputs.digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
compose-tarball:
runs-on: ubuntu-latest
name: generate compose tarball
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
steps:
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # tag=v3
- name: Create and publish compose tarball
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
#!/usr/bin/env bash
set -euo pipefail
mkdir guac-compose
cp .env guac-compose/
cp docker-compose.yml guac-compose/
cp -r container_files guac-compose/
sed -i s/local-organic-guac/ghcr.io\\/${{ github.repository_owner }}\\/guac:${{ github.ref_name }}/ guac-compose/.env
tar -zcvf guac-compose-${{ github.ref_name }}.tar.gz guac-compose/
rm -rf guac-compose/
gh release upload ${{ github.ref_name }} guac-compose-${{ github.ref_name }}.tar.gz
rm guac-compose-${{ github.ref_name }}.tar.gz
shell: bash