File tree 1 file changed +17
-3
lines changed
1 file changed +17
-3
lines changed Original file line number Diff line number Diff line change 4545 packages : write
4646 # use OIDC token for signing
4747 id-token : write
48+ # required by attest-build-provenance
49+ attestations : write
4850 needs : release-tag
4951 if : needs.release-tag.outputs.new-tag == 'true'
5052 runs-on : ubuntu-latest
6365 password : ${{ secrets.GITHUB_TOKEN }}
6466 - name : Set up environment
6567 run : echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
66- - uses : sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
6768 - uses : advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
6869 id : sbom
6970 env :
8081 env :
8182 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
8283 GITHUB_SBOM_PATH : ./sbom.spdx.json
83- - run : echo metadata && echo "$METADATA" && echo artifacts && echo "$ARTIFACTS"
84+ # parse metadata to the format required for image attestation
85+ - run : |
86+ echo "digest=$(echo "$METADATA" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.extra.Digest')" >> "$GITHUB_OUTPUT"
87+ echo "name=$(echo "$METADATA" | jq -r '.[]|select(.type=="Docker Manifest")|select(.name|test(":v"))|.name|split(":")[0]')" >> "$GITHUB_OUTPUT"
88+ id: artifact_metadata
8489 env:
8590 METADATA: ${{steps.goreleaser.outputs.metadata}}
86- ARTIFACTS : ${{steps.goreleaser.outputs.artifacts}}
91+ # attest archives
92+ - uses : actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
93+ with :
94+ subject-path : " dist/*.tar.gz"
95+ # attest images
96+ - uses : actions/attest-build-provenance@173725a1209d09b31f9d30a3890cf2757ebbff0d # v1.1.2
97+ with :
98+ subject-digest : ${{steps.artifact_metadata.outputs.digest}}
99+ subject-name : ${{steps.artifact_metadata.outputs.name}}
100+ push-to-registry : true
You can’t perform that action at this time.
0 commit comments