name: Release on: push: tags: - 'v*' jobs: build: runs-on: ubuntu-latest env: GO111MODULE: on ACTIONS_ALLOW_UNSECURE_COMMANDS: true steps: - name: Checkout Source uses: actions/checkout@v3 - name: Unshallow run: git fetch --prune --unshallow - name: Set up Go uses: actions/setup-go@v3 with: go-version: 1.18 - name: Install Cosign uses: sigstore/cosign-installer@v2 with: cosign-release: 'v1.6.0' - name: Store Cosign private key in a file run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' shell: bash env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} - name: Set up QEMU uses: docker/setup-qemu-action@v2 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 - name: Login to DockerHub uses: docker/login-action@v2 with: username: ${{secrets.DOCKER_USERNAME}} password: ${{secrets.DOCKER_PASSWORD}} - name: Generate SBOM uses: CycloneDX/gh-gomod-generate-sbom@v1 with: version: v1 args: mod -licenses -json -output bom.json - name: Docker meta uses: docker/metadata-action@v4 id: meta with: images: securego/gosec flavor: | latest=true tags: | type=sha,format=long type=semver,pattern={{version}} - name: Release Binaries uses: goreleaser/goreleaser-action@v3 with: version: latest args: release --rm-dist env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Release Docker Image uses: docker/build-push-action@v3 with: platforms: linux/amd64,linux/arm/v7,linux/arm64 tags: ${{steps.meta.outputs.tags}} labels: ${{steps.meta.outputs.labels}} push: true build-args: GO_VERSION=1.18 - name: Sign Docker Image run: cosign sign -key /tmp/cosign.key ${TAGS} env: TAGS: ${{steps.meta.outputs.tags}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}