COrrect and validate push values (note) (#419) #5
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # SPDX-FileCopyrightText: Copyright 2025 The SLSA Authors | |
| # SPDX-License-Identifier: Apache-2.0 | |
| --- | |
| name: release | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| permissions: {} | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write # To sign attestations | |
| attestations: write # To push build provenance to attestations store | |
| contents: write # To create the release | |
| steps: | |
| - name: Setup bnd | |
| uses: carabiner-dev/actions/install/bnd@94f29392187fe5082d1195a7d4cae3a7ddf09d9c # v1.2.1 | |
| - name: Check out code | |
| uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | |
| with: | |
| persist-credentials: false | |
| fetch-depth: 1 | |
| - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0 | |
| with: | |
| go-version-file: go.mod | |
| check-latest: true | |
| cache: false | |
| - name: Install tejolote | |
| uses: kubernetes-sigs/release-actions/setup-tejolote@8753ea6bdadb814d779c6ec34eaca689dbfb492b # v0.4.3 | |
| - name: Set tag output | |
| id: tag | |
| run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT" | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@f06c13b6b1a9625abc9e6e439d9c05a8f2190e94 # v7.2.3 | |
| id: goreleaser | |
| with: | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Provenance | |
| id: tejolote | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| mkdir attestations | |
| tejolote attest --artifacts github://${{github.repository}}/${{ steps.tag.outputs.tag_name }} github://${{github.repository}}/"${GITHUB_RUN_ID}" --output attestations/provenance.json | |
| # Remove this once tejolote attests fine | |
| sed -i 's|https://github.com/Attestations/GitHubActionsWorkflow@v1|https://actions.github.io/buildtypes/workflow/v1|' attestations/provenance.json | |
| bnd statement attestations/provenance.json -o attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json | |
| rm attestations/provenance.json | |
| bnd pack attestations/ > sourcetool.intoto.jsonl | |
| gh release upload ${{ steps.tag.outputs.tag_name }} sourcetool.intoto.jsonl | |
| # Remove this once GitHub like the tejolote build predicate | |
| # bnd push github ${{github.repository}} attestations/sourcetool-${{ steps.tag.outputs.tag_name }}.provenance.json |