Skip to content

Merge pull request #816 from jonjohnsonjr/sbom #420

Merge pull request #816 from jonjohnsonjr/sbom

Merge pull request #816 from jonjohnsonjr/sbom #420

Workflow file for this run

name: Create Release
on:
push:
branches:
- main
tags:
- 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
env:
GO_VERSION: "1.20"
jobs:
cli:
# Only release CLI for tagged releases
if: startsWith(github.event.ref, 'refs/tags/v')
name: Release the CLI
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
contents: write
steps:
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v2.2.0
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v2.4.0
- uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v2.3.0
- uses: goreleaser/goreleaser-action@336e29918d653399e599bfca99fadc1d7ffbc9f7 # v2.8.1
with:
version: latest
install-only: true
- name: Release
run: make release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ko-build:
name: Release apko image
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
packages: write
contents: read
env:
KO_DOCKER_REPO: ghcr.io/${{ github.repository }}
COSIGN_EXPERIMENTAL: "true"
steps:
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v2.2.0
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.4
- uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v2.3.0
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v2.4.0
- name: Login to registry
run: |
echo ${{ github.token }} | go run ./ login ghcr.io --username=${{ github.repository_owner }} --password-stdin
- name: Publish/Sign apko image
run: |
# If not a tagged release, override image tag to "canary"
export IMAGE_TAG=${GITHUB_REF#refs/tags/}
if [[ $GITHUB_REF != refs/tags/* ]]; then
export IMAGE_TAG=canary
fi
make sign-image
tekton-task:
# Only release the Tekton Task after a CLI release has been created, since
# goreleaser creates a GitHub Release which the Tekton Task will be
# attached to.
needs: cli
name: Release the Tekton Task
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
contents: write
packages: write
steps:
- uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v2.2.0
with:
go-version: ${{ env.GO_VERSION }}
check-latest: true
- uses: imjasonh/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.4
- uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 # v2.3.0
- uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v2.4.0
- name: Login to registry
run: |
echo ${{ github.token }} | go run ./ login ghcr.io --username=${{ github.repository_owner }} --password-stdin
- name: Generate Tekton Task
run: |
# If not a tagged release, override image tag to "canary"
export IMAGE_TAG=${GITHUB_REF#refs/tags/}
if [[ $GITHUB_REF != refs/tags/* ]]; then
export IMAGE_TAG=canary
fi
make ko-resolve
- name: Attach to release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload ${GITHUB_REF#refs/tags/} task.yaml