fixed scorecard aux parsing (#266) #62
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: releaser | |
on: | |
push: | |
tags: | |
- '*' | |
permissions: | |
contents: 'write' | |
packages: 'write' | |
env: | |
GORELEASER_ARTIFACTS_NAME: release_candidate | |
SIGNED_MACOS_ARTIFACTS_NAME: signed_macos_release | |
GORELEASER_ARTIFACTS_DOWNLOAD_PATH: /tmp/archives | |
jobs: | |
goreleaser: | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install osslsigncode | |
run: | | |
sudo apt-get update | |
sudo apt-get install osslsigncode=2.2-1ubuntu1 | |
- uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b' | |
with: | |
fetch-depth: 0 | |
- uses: 'actions/setup-go@fcdc43634adb5f7ae75a9d7a9b9361790f7293e2' | |
with: | |
go-version: '1.19' | |
- uses: 'docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b' | |
with: | |
registry: 'ghcr.io' | |
username: '${{ github.actor }}' | |
password: '${{ secrets.GITHUB_TOKEN }}' | |
- name: save keys to files | |
run: echo ${{ secrets.WINDOWS_PUBLIC_KEY_B64 }} | base64 -d > /tmp/legit_signature.crt ; echo ${{ secrets.WINDOWS_PRIVATE_KEY_B64 }} | base64 -d > /tmp/legit_signature.key | |
- uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b | |
id: run-goreleaser | |
with: | |
version: latest | |
args: "release --rm-dist" | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 | |
with: | |
name: ${{ env.GORELEASER_ARTIFACTS_NAME }} | |
path: | | |
./dist/* | |
- name: provenance-inputs | |
id: hash | |
env: | |
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
run: | | |
set -euo pipefail | |
hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | grep -v darwin | base64 -w0) | |
echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
macos_sign: | |
needs: goreleaser | |
runs-on: macos-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
env: | |
SIGNED_ARTIFACTS_PATH: /tmp/signed_path | |
steps: | |
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 | |
with: | |
name: ${{ env.GORELEASER_ARTIFACTS_NAME }} | |
path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }} | |
- name: Codesign executable | |
env: | |
MACOS_CERTIFICATE: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} | |
MACOS_CERTIFICATE_PWD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} | |
PROD_MACOS_APPLICATION_ID_NAME: ${{ secrets.MACOS_APPLICATION_ID_NAME }} | |
PROD_MACOS_KEYCHAIN_PASSWORD: ${{ secrets.MACOS_KEYCHAIN_PASSWORD }} | |
PROD_MACOS_NOTARIZATION_APPLE_ID: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }} | |
PROD_MACOS_NOTARIZATION_TEAM_ID: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} | |
PROD_MACOS_NOTARIZATION_PWD: ${{ secrets.MACOS_NOTARIZATION_PWD }} | |
run: | | |
echo "extracting files to sign" | |
extracted_files=() | |
for file in $GORELEASER_ARTIFACTS_DOWNLOAD_PATH/*darwin*.tar.gz; do | |
dirname="${file%.tar.gz}" | |
mkdir "$dirname" | |
tar -xzvf "$file" -C "$dirname" | |
extracted_files+=($dirname/legitify) | |
done | |
echo "Prepare keychain to sign" | |
echo $MACOS_CERTIFICATE | base64 -d > certificate.p12 | |
security create-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain | |
security default-keychain -s build.keychain | |
security unlock-keychain -p "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain | |
security import certificate.p12 -k build.keychain -P $MACOS_CERTIFICATE_PWD -T /usr/bin/codesign | |
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$PROD_MACOS_KEYCHAIN_PASSWORD" build.keychain | |
for file in "${extracted_files[@]}"; do | |
echo "Signing $file" | |
/usr/bin/codesign --force -s "$PROD_MACOS_APPLICATION_ID_NAME" --options runtime "$file" -v | |
done | |
# Store the notarization credentials so that we can prevent a UI password dialog | |
# from blocking the CI | |
echo "Create keychain profile" | |
xcrun notarytool store-credentials "notarytool-profile" --apple-id "$PROD_MACOS_NOTARIZATION_APPLE_ID" --team-id "$PROD_MACOS_NOTARIZATION_TEAM_ID" --password "$PROD_MACOS_NOTARIZATION_PWD" | |
# We can't notarize an app bundle directly, but we need to compress it as an archive. | |
# Therefore, we create a zip file containing our app bundle, so that we can send it to the | |
# notarization service | |
echo "Creating temp notarization archive" | |
for file in "${extracted_files[@]}"; do | |
echo "dittoing $file" | |
ditto -c -k "$file" "notarization.zip" | |
# Here we send the notarization request to the Apple's Notarization service, waiting for the result. | |
# This typically takes a few seconds inside a CI environment, but it might take more depending on the App | |
# characteristics. | |
echo "Notarize app" | |
xcrun notarytool submit "notarization.zip" --keychain-profile "notarytool-profile" --wait | |
done | |
mkdir ${{ env.SIGNED_ARTIFACTS_PATH }} | |
for file in "${extracted_files[@]}"; do | |
parent_dirname=$(basename "$(dirname "$file")") | |
currnet_archive_name=${parent_dirname}.tar.gz | |
cli_path=$(dirname $file) | |
cli_name=$(basename $file) | |
cd "$cli_path" | |
tar -czvf "$currnet_archive_name" -C "$cli_path" * | |
cp "$currnet_archive_name" ${{ env.SIGNED_ARTIFACTS_PATH }} | |
done | |
- uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # ratchet:actions/upload-artifact@v3 | |
with: | |
name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }} | |
path: ${{ env.SIGNED_ARTIFACTS_PATH }} | |
- name: provenance-inputs | |
id: hash | |
run: | | |
set -euo pipefail | |
cd "${{ env.SIGNED_ARTIFACTS_PATH }}" | |
mac_hashes="$(shasum -a 256 *.tar.gz)" | |
release_hashes="$(echo "${{ needs.goreleaser.outputs.hashes }}" | base64 -d)" # without darwin | |
hashes="$(echo -e "${release_hashes}\n${mac_hashes}" | base64)" | |
echo "hashes=$hashes" >> $GITHUB_OUTPUT | |
release: | |
needs: macos_sign | |
runs-on: ubuntu-latest | |
outputs: | |
brew_release_file: ${{ steps.artifact_name.outputs.brew_release_file }} | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
env: | |
ARTIFACTS_DOWNLOAD_PATH: /tmp/macos_archives | |
steps: | |
- uses: 'actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b' | |
with: | |
fetch-depth: 0 | |
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 | |
with: | |
name: ${{ env.SIGNED_MACOS_ARTIFACTS_NAME }} | |
path: ${{ env.ARTIFACTS_DOWNLOAD_PATH }} | |
- uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # ratchet:actions/download-artifact@v3 | |
with: | |
name: ${{ env.GORELEASER_ARTIFACTS_NAME }} | |
path: ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }} | |
- name: prepare-release-files | |
run: | | |
find ${{ env.GORELEASER_ARTIFACTS_DOWNLOAD_PATH }} -maxdepth 1 -type f -not -name '*darwin*' -exec cp {} ${{ env.ARTIFACTS_DOWNLOAD_PATH }}/ \; | |
- name: Release | |
uses: softprops/action-gh-release@d4e8205d7e959a9107da6396278b2f1f07af0f9b | |
# if: startsWith(github.ref, 'refs/tags/') | |
with: | |
files: ${{ env.ARTIFACTS_DOWNLOAD_PATH }}/* | |
- name: brew-inputs | |
id: artifact_name | |
run: | | |
set -euo pipefail | |
echo "version=${GITHUB_REF/refs\/tags\/v/}" >> $GITHUB_OUTPUT | |
cd "${{ env.ARTIFACTS_DOWNLOAD_PATH }}" | |
darwin_intel_file_name=$(find . -maxdepth 1 -type f -name "*darwin_amd64*" -exec basename {} \;) | |
darwin_intel_sha="$(shasum -a 256 $darwin_intel_file_name | awk '{printf $1}')" | |
echo "brew_intel_files_sha=$darwin_intel_sha" >> $GITHUB_OUTPUT | |
darwin_arm_file_name=$(find . -maxdepth 1 -type f -name "*darwin_arm64*" -exec basename {} \;) | |
darwin_arm_sha="$(shasum -a 256 $darwin_arm_file_name | awk '{printf $1}')" | |
echo "brew_arm_files_sha=$darwin_arm_sha" >> $GITHUB_OUTPUT | |
- name: update brew formula | |
env: | |
# Required token to create a pull request in the tap repository | |
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.HOMEBREW_TAP_GITHUB_TOKEN }} | |
GITHUB_USER: ${{ secrets.HOMEBREW_TAP_GITHUB_USER }} | |
run: | | |
python3 scripts/gen-brew-multi-arch.py ${{ steps.artifact_name.outputs.version }} ${{ steps.artifact_name.outputs.brew_arm_files_sha }} ${{ steps.artifact_name.outputs.brew_intel_files_sha }} | |
provenance: | |
needs: macos_sign | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.macos_sign.outputs.hashes }}" | |
upload-assets: true # upload to a new release |