Skip to content

COrrect and validate push values (note) (#419) #5

COrrect and validate push values (note) (#419)

COrrect and validate push values (note) (#419) #5

Workflow file for this run

# SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors
# SPDX-License-Identifier: Apache-2.0
---
name: release
on:
push:
tags:
- 'v*'
permissions: {}
jobs:
release:
runs-on: ubuntu-latest
permissions:
id-token: write # To sign attestations
attestations: write # To push build provenance to attestations store
contents: write # To create the release
steps:
- name: Setup bnd
uses: carabiner-dev/actions/install/bnd@94f29392187fe5082d1195a7d4cae3a7ddf09d9c # v1.2.1
- name: Check out code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
fetch-depth: 1
- uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
with:
go-version-file: go.mod
check-latest: true
cache: false
- name: Install tejolote
uses: kubernetes-sigs/release-actions/setup-tejolote@8753ea6bdadb814d779c6ec34eaca689dbfb492b # v0.4.3
- name: Set tag output
id: tag
run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3
id: goreleaser
with:
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Generate Provenance
id: tejolote
env:
GH_TOKEN: ${{ github.token }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
mkdir attestations
tejolote attest --artifacts github://${{github.repository}}/${{ steps.tag.outputs.tag_name }} github://${{github.repository}}/"${GITHUB_RUN_ID}" --output attestations/provenance.json
# Remove this once tejolote attests fine
sed -i 's|https://github.com/Attestations/GitHubActionsWorkflow@v1|https://actions.github.io/buildtypes/workflow/v1|' attestations/provenance.json
bnd statement attestations/provenance.json -o attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json
rm attestations/provenance.json
bnd pack attestations/ > sourcetool.intoto.jsonl
gh release upload ${{ steps.tag.outputs.tag_name }} sourcetool.intoto.jsonl
# Remove this once GitHub like the tejolote build predicate
# bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json