gosec/.github/workflows/release.yml

78 lines
2.4 KiB
YAML
Raw Normal View History

name: Release
on:
push:
tags:
- 'v*'
jobs:
build:
runs-on: ubuntu-latest
env:
GO111MODULE: on
ACTIONS_ALLOW_UNSECURE_COMMANDS: true
steps:
- name: Checkout Source
uses: actions/checkout@v4
- name: Unshallow
run: git fetch --prune --unshallow
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: '1.23.4'
- name: Install Cosign
uses: sigstore/cosign-installer@v3
with:
cosign-release: 'v2.4.1'
- name: Store Cosign private key in a file
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Set up QEMU
2023-09-18 02:56:22 +01:00
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
2023-09-18 02:56:22 +01:00
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
2023-09-18 02:56:22 +01:00
uses: docker/login-action@v3
with:
username: ${{secrets.DOCKER_USERNAME}}
password: ${{secrets.DOCKER_PASSWORD}}
- name: Generate SBOM
uses: CycloneDX/gh-gomod-generate-sbom@v2
with:
version: v1
args: mod -licenses -json -output bom.json
- name: Docker meta
2023-09-18 02:56:22 +01:00
uses: docker/metadata-action@v5
id: meta
with:
images: securego/gosec
flavor: |
latest=true
tags: |
type=sha,format=long
type=semver,pattern={{version}}
- name: Release Binaries
2024-06-10 02:23:27 +01:00
uses: goreleaser/goreleaser-action@v6
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Release Docker Image
uses: docker/build-push-action@v6
id: relimage
with:
2023-11-16 04:40:03 +00:00
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le
tags: ${{steps.meta.outputs.tags}}
labels: ${{steps.meta.outputs.labels}}
push: true
build-args: GO_VERSION=1.23
- name: Sign Docker Image
run: cosign sign --yes --key /tmp/cosign.key ${DIGEST} --registry-username="$secrets.DOCKER_USERNAME" --registry-password="::add-mask::$secrets.DOCKER_PASSWORD"
env:
TAGS: ${{steps.meta.outputs.tags}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
COSIGN_PRIVATE_KEY: /tmp/cosign.key
DIGEST: ${{steps.relimage.outputs.digest}}