Skip to content

fixed scorecard aux parsing (#266) #62

fixed scorecard aux parsing (#266)

fixed scorecard aux parsing (#266) #62

Workflow file for this run

name: releaser
on:
push:
tags:
- '*'
permissions:
contents: 'write'
packages: 'write'
env:
GORELEASER_ARTIFACTS_NAME: release_candidate
SIGNED_MACOS_ARTIFACTS_NAME: signed_macos_release
GORELEASER_ARTIFACTS_DOWNLOAD_PATH: /tmp/archives
jobs:
goreleaser:
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
runs-on: ubuntu-latest
steps:
- name: Install osslsigncode
run: |
sudo apt-get update
sudo apt-get install osslsigncode=2.2-1ubuntu1
- uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b'
with:
fetch-depth: 0
- uses: 'actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2'
with:
go-version: '1.19'
- uses: 'docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b'
with:
registry: 'ghcr.io'
username: '${{ github.actor }}'
password: '${{ secrets.GITHUB_TOKEN }}'
- name: save keys to files
run: echo ${{ secrets.WINDOWS_PUBLIC_KEY_B64 }} | base64 -d > /tmp/legit_signature.crt ; echo ${{ secrets.WINDOWS_PRIVATE_KEY_B64 }} | base64 -d > /tmp/legit_signature.key
- uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b
id: run-goreleaser
with:
version: latest
args: "release --rm-dist"
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
with:
name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
path: |
./dist/*
- name: provenance-inputs
id: hash
env:
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
run: |
set -euo pipefail
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | grep -v darwin | base64 -w0)
echo "hashes=$hashes" >> $GITHUB_OUTPUT
macos_sign:
needs: goreleaser
runs-on: macos-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
env:
SIGNED_ARTIFACTS_PATH: /tmp/signed_path
steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
with:
fetch-depth: 0
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
with:
name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }}
- name: Codesign executable
env:
MACOS_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
PROD_MACOS_APPLICATION_ID_NAME: ${{ secrets.MACOS_APPLICATION_ID_NAME }}
PROD_MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }}
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }}
run: |
echo "extracting files to sign"
extracted_files=()
for file in $GORELEASER_ARTIFACTS_DOWNLOAD_PATH/*darwin*.tar.gz; do
dirname="${file%.tar.gz}"
mkdir "$dirname"
tar -xzvf "$file" -C "$dirname"
extracted_files+=($dirname/legitify)
done
echo "Prepare keychain to sign"
echo $MACOS_CERTIFICATE | base64 -d > certificate.p12
security create-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain
security default-keychain -s build.keychain
security unlock-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain
for file in "${extracted_files[@]}"; do
echo "Signing $file"
/usr/bin/codesign --force -s "$PROD_MACOS_APPLICATION_ID_NAME" --options runtime "$file" -v
done
# Store the notarization credentials so that we can prevent a UI password dialog
# from blocking the CI
echo "Create keychain profile"
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD"
# We can't notarize an app bundle directly, but we need to compress it as an archive.
# Therefore, we create a zip file containing our app bundle, so that we can send it to the
# notarization service
echo "Creating temp notarization archive"
for file in "${extracted_files[@]}"; do
echo "dittoing $file"
ditto -c -k "$file" "notarization.zip"
# Here we send the notarization request to the Apple's Notarization service, waiting for the result.
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App
# characteristics.
echo "Notarize app"
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait
done
mkdir ${{ env.SIGNED_ARTIFACTS_PATH }}
for file in "${extracted_files[@]}"; do
parent_dirname=$(basename "$(dirname "$file")")
currnet_archive_name=${parent_dirname}.tar.gz
cli_path=$(dirname $file)
cli_name=$(basename $file)
cd "$cli_path"
tar -czvf "$currnet_archive_name" -C "$cli_path" *
cp "$currnet_archive_name" ${{ env.SIGNED_ARTIFACTS_PATH }}
done
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3
with:
name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }}
path: ${{ env.SIGNED_ARTIFACTS_PATH }}
- name: provenance-inputs
id: hash
run: |
set -euo pipefail
cd "${{ env.SIGNED_ARTIFACTS_PATH }}"
mac_hashes="$(shasum -a 256 *.tar.gz)"
release_hashes="$(echo "${{ needs.goreleaser.outputs.hashes }}" | base64 -d)" # without darwin
hashes="$(echo -e "${release_hashes}\n${mac_hashes}" | base64)"
echo "hashes=$hashes" >> $GITHUB_OUTPUT
release:
needs: macos_sign
runs-on: ubuntu-latest
outputs:
brew_release_file: ${{ steps.artifact_name.outputs.brew_release_file }}
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
env:
ARTIFACTS_DOWNLOAD_PATH: /tmp/macos_archives
steps:
- uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b'
with:
fetch-depth: 0
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
with:
name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }}
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3
with:
name: ${{ env.GORELEASER_ARTIFACTS_NAME }}
path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }}
- name: prepare-release-files
run: |
find ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }} -maxdepth 1 -type f -not -name '*darwin*' -exec cp {} ${{ env.ARTIFACTS_DOWNLOAD_PATH }}/ \;
- name: Release
uses: softprops/action-gh-release@d4e8205d7e959a9107da6396278b2f1f07af0f9b
# if: startsWith(github.ref, 'refs/tags/')
with:
files: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}/*
- name: brew-inputs
id: artifact_name
run: |
set -euo pipefail
echo "version=${GITHUB_REF/refs\/tags\/v/}" >> $GITHUB_OUTPUT
cd "${{ env.ARTIFACTS_DOWNLOAD_PATH }}"
darwin_intel_file_name=$(find . -maxdepth 1 -type f -name "*darwin_amd64*" -exec basename {} \;)
darwin_intel_sha="$(shasum -a 256 $darwin_intel_file_name | awk '{printf $1}')"
echo "brew_intel_files_sha=$darwin_intel_sha" >> $GITHUB_OUTPUT
darwin_arm_file_name=$(find . -maxdepth 1 -type f -name "*darwin_arm64*" -exec basename {} \;)
darwin_arm_sha="$(shasum -a 256 $darwin_arm_file_name | awk '{printf $1}')"
echo "brew_arm_files_sha=$darwin_arm_sha" >> $GITHUB_OUTPUT
- name: update brew formula
env:
# Required token to create a pull request in the tap repository
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }}
GITHUB_USER: ${{ secrets.HOMEBREW_TAP_GITHUB_USER }}
run: |
python3 scripts/gen-brew-multi-arch.py ${{ steps.artifact_name.outputs.version }} ${{ steps.artifact_name.outputs.brew_arm_files_sha }} ${{ steps.artifact_name.outputs.brew_intel_files_sha }}
provenance:
needs: macos_sign
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: "${{ needs.macos_sign.outputs.hashes }}"
upload-assets: true # upload to a new release