Skip config modification for updates (#261) #906
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: SLSA Client Releaser | |
on: | |
workflow_dispatch: | |
push: | |
branches: [ master ] | |
tags: | |
- "*" | |
permissions: read-all | |
jobs: | |
# ldflags to embed the commit hash in the binary | |
args: | |
runs-on: ubuntu-latest | |
outputs: | |
ldflags: ${{ steps.ldflags.outputs.value }} | |
steps: | |
- id: checkout | |
uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # v2.3.4 | |
with: | |
fetch-depth: 0 | |
- id: ldflags | |
run: | | |
echo "::set-output name=value::$(./scripts/client-ldflags)" | |
# Trusted builders | |
build-linux-amd64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-linux-amd64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-linux-arm64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-linux-arm64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-linux-arm7: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-linux-arm7.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-freebsd-amd64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-freebsd-amd64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-netbsd-amd64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-netbsd-amd64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-darwin-amd64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: | |
- args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-darwin-amd64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
build-darwin-arm64: | |
permissions: | |
id-token: write | |
contents: write | |
actions: read | |
needs: | |
- args | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
config-file: .github/slsa/.slsa-goreleaser-darwin-arm64.yml | |
go-version: 1.23 | |
evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}" | |
compile-builder: true # See github.com/slsa-framework/slsa-github-generator/issues/942 | |
# Sign the binaries and upload the signed binaries | |
macos_signer: | |
runs-on: macos-latest | |
needs: | |
- build-darwin-amd64 | |
- build-darwin-arm64 | |
permissions: | |
contents: write | |
steps: | |
- uses: actions/checkout@v2 | |
- name: Extra Sleep | |
run: | | |
sleep 60 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-arm64 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-amd64 | |
- name: Download and sign the latest executables | |
env: | |
GH_TOKEN: ${{ github.token }} | |
MACOS_CERTIFICATE: ${{ secrets.MACOS_CERTIFICATE }} | |
MACOS_CERTIFICATE_PWD: ${{ secrets.MACOS_CERTIFICATE_PWD }} | |
run: | | |
export GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" | |
brew install coreutils | |
python3 scripts/actions-sign.py | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: hishtory-darwin-arm64 | |
path: hishtory-darwin-arm64 | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: hishtory-darwin-amd64 | |
path: hishtory-darwin-amd64 | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: hishtory-darwin-arm64-unsigned | |
path: hishtory-darwin-arm64-unsigned | |
- name: Upload Artifacts | |
uses: actions/upload-artifact@v3 | |
with: | |
name: hishtory-darwin-amd64-unsigned | |
path: hishtory-darwin-amd64-unsigned | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
hishtory-darwin-arm64 | |
hishtory-darwin-arm64-unsigned | |
hishtory-darwin-amd64 | |
hishtory-darwin-amd64-unsigned | |
# Validate the signed binaries | |
validate: | |
permissions: | |
contents: write | |
runs-on: macos-latest | |
needs: | |
- build-linux-amd64 | |
- build-darwin-amd64 | |
- build-darwin-arm64 | |
- macos_signer | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 1.23 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-linux-amd64 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-linux-amd64.intoto.jsonl | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-linux-arm64 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-linux-arm64.intoto.jsonl | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-amd64 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-amd64.intoto.jsonl | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-amd64-unsigned | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-arm64 | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-arm64.intoto.jsonl | |
- uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
with: | |
name: hishtory-darwin-arm64-unsigned | |
- name: Validate Release | |
run: | | |
export HISHTORY_TEST=1 | |
curl https://hishtory.dev/install.py | python3 - | |
unset HISHTORY_TEST | |
python3 scripts/actions-validate.py | |
echo DONE > hishtory-release-validation-completed | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: | | |
hishtory-release-validation-completed | |
- name: Trigger the backend API service so it knows a release is finished | |
run: | | |
sleep 10 | |
curl https://api.hishtory.dev/api/v1/trigger-cron |