ci: fix provenance hashes #17

Workflow file for this run

.github/workflows/release.yaml at c2982fd

	name: Release

	on:
	push:
	tags:
	- "v*"

	permissions:
	contents: read

	jobs:
	publish_provider:
	runs-on: ubuntu-latest
	name: Publish Provider
	outputs:
	hashes: ${{ steps.hash.outputs.hashes }}
	permissions:
	contents: write # for goreleaser/goreleaser-action to create a GitHub release
	strategy:
	matrix:
	goversion: [1.21.x]
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ matrix.goversion }}

	- name: Install Syft
	uses: anchore/sbom-action/[email protected]

	- name: Install pulumictl
	uses: jaxxstorm/[email protected]
	with:
	repo: pulumi/pulumictl

	- name: Set PreRelease Version
	run: echo "GORELEASER_CURRENT_TAG=v$(pulumictl get version --language generic)" >> $GITHUB_ENV

	- name: Run GoReleaser
	id: run-goreleaser
	uses: goreleaser/goreleaser-action@v5
	with:
	args: -p 3 release --clean --timeout 60m0s
	version: latest
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	- name: Generate subject
	id: hash
	env:
	ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
	run: \|
	set -euo pipefail

	checksum_file=$(echo "$ARTIFACTS" \| jq -r '.[] \| select (.type=="Checksum") \| .path')
	echo "hashes=$(cat $checksum_file \| base64 -w0)" >> "$GITHUB_OUTPUT"

	provenance:
	needs: [publish_provider]
	permissions:
	actions: read # To read the workflow path.
	id-token: write # To sign the provenance.
	contents: write # To add assets to a release.
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: "${{ needs.publish_provider.outputs.hashes }}"
	upload-assets: true # upload to a new release
	verification:
	needs: [publish_provider, provenance]
	runs-on: ubuntu-latest
	permissions: read-all
	steps:
	- name: Install the verifier
	uses: slsa-framework/slsa-verifier/actions/[email protected]

	- name: Download assets
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom"
	gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
	- name: Verify assets
	env:
	CHECKSUMS: ${{ needs.publish_provider.outputs.hashes }}
	PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
	run: \|
	set -euo pipefail
	checksums=$(echo "$CHECKSUMS" \| base64 -d)
	while read -r line; do
	fn=$(echo $line \| cut -d ' ' -f2)
	echo "Verifying $fn"
	slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
	--source-uri "github.com/$GITHUB_REPOSITORY" \
	--source-tag "$GITHUB_REF_NAME" \
	"$fn"
	done <<<"$checksums"

	publish_sdk:
	runs-on: ubuntu-latest
	name: Publish SDK
	permissions:
	id-token: write
	contents: read
	needs: [publish_provider]
	strategy:
	max-parallel: 10
	matrix:
	go-version: [1.21.x]
	node-version: [18.x]
	dotnet-version: [3.1.301]
	python-version: [3.9]
	language:
	- go
	- nodejs
	- python
	- dotnet
	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0

	- name: Install Go
	uses: actions/setup-go@v5
	with:
	go-version: "${{ matrix.go-version }}"

	- name: Install pulumictl
	uses: jaxxstorm/[email protected]
	with:
	repo: pulumi/pulumictl
	- name: Install Pulumi CLI
	uses: pulumi/actions@v5

	- name: Setup DotNet
	uses: actions/setup-dotnet@v4
	with:
	dotnet-version: "${{ matrix.dotnet-version }}"
	if: matrix.language == 'dotnet'
	- name: Setup Python
	uses: actions/setup-python@v5
	with:
	python-version: "${{ matrix.python-version }}"
	if: matrix.language == 'python'
	- name: Use Node.js
	uses: actions/setup-node@v4
	with:
	node-version: "${{ matrix.node-version }}"
	if: matrix.language == 'nodejs'

	- name: Install Plugins
	run: make install_plugins
	- name: Update Path
	run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH

	- name: Build SDK
	run: make build_${{ matrix.language }}

	- name: Publish .NET SDK
	run: \|
	dotnet nuget push -s "${{ env.NUGET_FEED_URL }}" -k "${{ secrets.NUGET_PUBLISH_KEY }}" ${{github.workspace}}/sdk/dotnet/bin/Debug/*.nupkg
	env:
	NUGET_PUBLISH_KEY: ${{ secrets.NUGET_TOKEN }}
	NUGET_FEED_URL: https://api.nuget.org/v3/index.json
	if: matrix.language == 'dotnet'

	- name: Publish Python SDK
	uses: pypa/gh-action-pypi-publish@release/v1
	with:
	skip-existing: true
	packages-dir: "${{ github.workspace }}/sdk/python/bin/dist/"
	if: matrix.language == 'python'

	- name: Publish NodeJS SDK
	uses: JS-DevTools/npm-publish@v3
	with:
	package: ./sdk/nodejs/bin/package.json
	access: public
	token: ${{ secrets.NPM_TOKEN }}
	provenance: true
	if: matrix.language == 'nodejs'

	tag_sdk:
	runs-on: ubuntu-latest
	name: Tag SDK Release
	permissions:
	id-token: write
	contents: write
	needs:
	- publish_sdk

	steps:
	- name: Checkout repository
	uses: actions/checkout@v4
	with:
	fetch-depth: 0
	- name: Setup Git
	run: \|
	git config --local user.email "${{ env.GITHUB_ACTION }}+github-actions[bot]@users.noreply.github.com"
	git config --local user.name "github-actions[bot]"

	- name: Get Tag Name
	run: \|
	REF_NAME=`git describe --abbrev=0 --tags`
	echo "REF_NAME=${REF_NAME}" >> $GITHUB_ENV

	- name: Tag SDK Version
	run: \|
	git tag -a sdk/${{ env.REF_NAME }} -m sdk/${{ env.REF_NAME }}
	- name: Push to Repository
	run: \|
	git push origin sdk/${{ env.REF_NAME }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: fix provenance hashes #17

Workflow file

ci: fix provenance hashes #17

Jobs

Run details

Workflow file for this run