gosec/.github/workflows/release.yml

77 lines
2.3 KiB
YAML
Raw Normal View History

name: Release
on:
push:
tags:
- 'v*'
jobs:
build:
runs-on: ubuntu-latest
env:
GO111MODULE: on
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
steps:
- name: Checkout Source
uses: actions/checkout@v3
- name: Unshallow
run: git fetch --prune --unshallow
- name: Set up Go
uses: actions/setup-go@v4
with:
go-version: '1.20.4'
- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.0.2'
- name: Store Cosign private key in a file
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to DockerHub
uses: docker/login-action@v2
with:
username: ${{secrets.DOCKER_USERNAME}}
password: ${{secrets.DOCKER_PASSWORD}}
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v1
with:
version: v1
args: mod -licenses -json -output bom.json
- name: Docker meta
uses: docker/metadata-action@v4
id: meta
with:
images: securego/gosec
flavor: |
latest=true
tags: |
type=sha,format=long
type=semver,pattern={{version}}
- name: Release Binaries
uses: goreleaser/goreleaser-action@v4
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Release Docker Image
uses: docker/build-push-action@v4
with:
platforms: linux/amd64,linux/arm/v7,linux/arm64
tags: ${{steps.meta.outputs.tags}}
labels: ${{steps.meta.outputs.labels}}
push: true
build-args: GO_VERSION=1.20
- name: Sign Docker Image
run: cosign sign --yes --key /tmp/cosign.key ${DIGEST}
env:
TAGS: ${{steps.meta.outputs.tags}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
COSIGN_PRIVATE_KEY: /tmp/cosign.key
DIGEST: ${{steps.build-push-action.outputs.digest}}