Add Checksums and Attestation (#196)

Author: ChristopherHX

.github/workflows/build.yml

@@ -19,6 +19,10 @@ env:
   RUNNER_SERVER_VERSION: "3.11.16"
 jobs:
   build:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
     runs-on: ubuntu-latest
     strategy:
       # 
@@ -75,9 +79,10 @@ jobs:
       with:
         submodules: recursive
     - name: Setup Go
-      uses: actions/setup-go@v3
+      uses: actions/setup-go@v5
       with:
-        go-version: "${{matrix.GOVERSION || vars.GOVERSION || '^1.16.0'}}"
+        go-version: "${{ matrix.GOVERSION || vars.GOVERSION || '^1.16.0' }}"
+        cache: false
     - name: Setup cgo ndk
       if: matrix.GOOS == 'android'
       run: |
@@ -117,6 +122,22 @@ jobs:
         cp compat/*.cmd output/
         cd output
         zip ../binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.zip ./*
+    - name: Create Signed Provenance
+      uses: actions/attest-build-provenance@v1
+      id: attest
+      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.skip-packaging != 'true' }}
+      with:
+        subject-path: binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.${{ matrix.GOOS == 'windows' && 'zip' || 'tar.gz' }}
+    - name: Copy Signed Provenance to well known filepath
+      if: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.skip-packaging != 'true' }}
+      run: |
+        cp "$BUNDLE_PATH" binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.sigstore.json
+      env:
+        BUNDLE_PATH: ${{ steps.attest.outputs.bundle-path }}    
+    - name: Create Package Checksums
+      if: ${{ github.event.inputs.skip-packaging != 'true' }}
+      run: |
+        sha512sum binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.${{ matrix.GOOS == 'windows' && 'zip' || 'tar.gz' }} > binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.sha512
     - uses: actions/upload-artifact@v4
       with:
         name: binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}
@@ -125,7 +146,9 @@ jobs:
       if: ${{ github.event.inputs.skip-packaging != 'true' }}
       with:
         name: bundle-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}
-        path: 'binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.*'
+        path: |
+          binary-${{matrix.GOOS}}-${{matrix.GOARCH}}${{matrix.GOARM}}.*
+
 #######################################
 ########## publish to github ##########
 #######################################
@@ -141,7 +164,7 @@ jobs:
         path: "artifacts"
     - uses: ncipollo/release-action@v1
       with:
-        artifacts: "artifacts/**/*.zip,artifacts/**/*.tar.gz"
+        artifacts: "artifacts/**/*.zip,artifacts/**/*.tar.gz,artifacts/**/*.sha512,artifacts/**/*.sigstore.json"
         token: ${{ secrets.GITHUB_TOKEN }}
         tag: v${{ github.event.inputs.version }}
         commit: ${{ github.sha }}
@@ -179,7 +202,7 @@ jobs:
       with:
         path: "artifacts"
     - name: add cppfw repo to install myci scripts from
-      uses: myci-actions/add-deb-repo@master
+      uses: myci-actions/add-deb-repo@e2d8b32bd968fb27d9934670a4f27857194b607d
       with:
         repo: deb https://gagis.hopto.org/repo/cppfw/$(lsb_release --id --short | tr '[:upper:]' '[:lower:]') $(lsb_release --codename --short) main
         repo-name: cppfw
@@ -203,7 +226,7 @@ jobs:
     - name: create deb package
       run: |
         docker run -v "$PWD:$PWD" -w "$PWD" -e "DEPLOY_ARCHS=$DEPLOY_ARCHS" --rm ubuntu:noble bash script.sh
-    - uses: actions/upload-artifact@v3
+    - uses: actions/upload-artifact@v4
       continue-on-error: true
       with:
         name: debs
@@ -274,7 +297,7 @@ jobs:
       working-directory: logs
     - name: Upload Test Results
       if: ${{always()}}
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: test-results-linux-amd64
         path: 'logs.tar.gz'

README.md

@@ -22,7 +22,7 @@ Unlike the official [actions/runner](https://github.com/actions/runner), this wo
 (*1) Reachable docker daemon use `DOCKER_HOST` to specify a remote host.
 
 ### NodeJS via PATH
-(*2) For best compatibility with existing nodejs actions, please add nodejs in version 12 to your `PATH`, newer nodejs versions might lead to workflow failures.
+(*2) For best compatibility with existing nodejs actions, please add nodejs in version 20 to your `PATH`, newer nodejs versions might lead to workflow failures.
 
 ## Usage for github releases