fix: replace kodata LICENSE symlink with copy #105

Workflow file for this run

.github/workflows/release.yaml at f7bbf68

	name: release

	on:
	push:
	tags:
	- '*'
	# FIXME(vdemeester) Add commit + tag

	jobs:
	goreleaser:
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	tag_name: ${{ steps.tag.outputs.tag_name }}

	defaults:
	run:
	working-directory: image/git-init

	permissions:
	packages: write
	id-token: write
	contents: write

	runs-on: ubuntu-latest
	# defaults:
	# run:
	# working-directory: ./image/git-init
	steps:
	- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3

	- run: git fetch --prune --unshallow

	- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
	with:
	go-version-file: "image/git-init/go.mod"
	cache-dependency-path: "image/git-init/go.sum"

	# This installs the current latest release.
	- uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9

	- uses: imjasonh/setup-crane@59c71e96a00b28651f10369ba3359a6d730740a0 # v0.6

	- uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2

	- name: Set tag output
	id: tag
	run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"

	- uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
	id: run-goreleaser
	with:
	version: latest
	args: release --clean
	workdir: ./image/git-init
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: sign ko-image
	run: \|
	digest=$(crane digest "${REGISTRY}":"${GIT_TAG}")
	cosign sign --yes \
	-a GIT_HASH="${GIT_HASH}" \
	-a GIT_TAG="${GIT_TAG}" \
	-a RUN_ID="${RUN_ID}" \
	-a RUN_ATTEMPT="${RUN_ATTEMPT}" \
	"${REGISTRY}@${digest}"
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GIT_HASH: ${{ github.sha }}
	GIT_TAG: ${{ steps.tag.outputs.tag_name }}
	RUN_ATTEMPT: ${{ github.run_attempt }}
	RUN_ID: ${{ github.run_id }}
	REGISTRY: "ghcr.io/${{ github.repository }}"

	- name: Generate subject
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	checksum_file=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Checksum") \| .path')
	echo "hashes=$(cat $checksum_file \| base64 -w0)" >> "$GITHUB_OUTPUT"

	provenance:
	needs:
	- goreleaser

	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.

	uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
	with:
	base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
	upload-assets: true
	upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"

	verification:
	needs:
	- goreleaser
	- provenance

	runs-on: ubuntu-latest
	permissions: read-all

	steps:
	# Note: this will be replaced with the GHA in the future.
	- name: Install the verifier
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	run: \|
	set -euo pipefail

	gh -R slsa-framework/slsa-verifier release download v2.7.1 -p "slsa-verifier-linux-amd64"
	chmod ug+x slsa-verifier-linux-amd64
	# Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md
	COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 \| cut -d ' ' -f1)
	EXPECTED_HASH="946dbec729094195e88ef78e1734324a27869f03e2c6bd2f61cbc06bd5350339"
	if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then
	echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH"
	exit 1
	fi

	- name: Download assets
	env:
	GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail

	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"

	- name: Verify assets
	env:
	CHECKSUMS: ${{ needs.goreleaser.outputs.hashes }}
	PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail

	checksums=$(echo "$CHECKSUMS" \| base64 -d)
	while read -r line; do
	fn=$(echo $line \| cut -d ' ' -f2)

	echo "Verifying $fn"
	./slsa-verifier-linux-amd64 verify-artifact "$fn" \
	--provenance-path "$PROVENANCE" \
	--source-uri "github.com/$GITHUB_REPOSITORY" \
	--source-tag "$GITHUB_REF_NAME"

	done <<<"$checksums"

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix: replace kodata LICENSE symlink with copy #105

Workflow file

fix: replace kodata LICENSE symlink with copy #105

Uh oh!

Workflow file for this run