name: Release on: push: tags: - 'v*' jobs: build: runs-on: ubuntu-latest env: GO111MODULE: on ACTIONS_ALLOW_UNSECURE_COMMANDS: true steps: - name: Checkout Source uses: actions/checkout@v4 - name: Unshallow run: git fetch --prune --unshallow - name: Set up Go uses: actions/setup-go@v5 with: go-version: '1.23.2' - name: Install Cosign uses: sigstore/cosign-installer@v3 with: cosign-release: 'v2.4.1' - name: Store Cosign private key in a file run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' shell: bash env: COSIGN_KEY: ${{secrets.COSIGN_KEY}} - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to DockerHub uses: docker/login-action@v3 with: username: ${{secrets.DOCKER_USERNAME}} password: ${{secrets.DOCKER_PASSWORD}} - name: Generate SBOM uses: CycloneDX/gh-gomod-generate-sbom@v2 with: version: v1 args: mod -licenses -json -output bom.json - name: Docker meta uses: docker/metadata-action@v5 id: meta with: images: securego/gosec flavor: | latest=true tags: | type=sha,format=long type=semver,pattern={{version}} - name: Release Binaries uses: goreleaser/goreleaser-action@v6 with: version: latest args: release --clean env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} - name: Release Docker Image uses: docker/build-push-action@v6 id: relimage with: platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le tags: ${{steps.meta.outputs.tags}} labels: ${{steps.meta.outputs.labels}} push: true build-args: GO_VERSION=1.23 - name: Sign Docker Image run: cosign sign --yes --key /tmp/cosign.key ${DIGEST} --registry-username="$secrets.DOCKER_USERNAME" --registry-password="::add-mask::$secrets.DOCKER_PASSWORD" env: TAGS: ${{steps.meta.outputs.tags}} COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} COSIGN_PRIVATE_KEY: /tmp/cosign.key DIGEST: ${{steps.relimage.outputs.digest}}