Merge pull request #131 from marcransome/slsa-provenance-release-into… #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
release: | |
types: [published] | |
workflow_dispatch: | |
permissions: read-all | |
jobs: | |
build: | |
strategy: | |
matrix: | |
os: [macos-13, macos-14] | |
runs-on: ${{ matrix.os }} | |
outputs: | |
hash-darwin-x86_64: ${{ steps.hash.outputs.hash-darwin-x86_64 }} | |
hash-darwin-arm64: ${{ steps.hash.outputs.hash-darwin-arm64 }} | |
checksum-darwin-x86_64: ${{ steps.hash.outputs.checksum-darwin-x86_64 }} | |
checksum-darwin-arm64: ${{ steps.hash.outputs.checksum-darwin-arm64 }} | |
archive-darwin-x86_64: ${{ steps.archive.outputs.archive-darwin-x86_64 }} | |
archive-darwin-arm64: ${{ steps.archive.outputs.archive-darwin-arm64 }} | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
- name: Install dependencies | |
run: brew install popt | |
- id: arch | |
name: Get machine hardware name | |
run: | | |
arch=$(uname -m) | |
if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then | |
echo "Unexpected machine hardware name: ${arch}" | |
exit 1 | |
fi | |
echo "name=${arch}" >> "$GITHUB_OUTPUT" | |
- id: artifact | |
name: Generate build artifact | |
run: | | |
cmake -S . -B build | |
cmake --build build | |
output_dir="build/src" | |
artifact="flog" | |
if [[ ! -f "${output_dir}/${artifact}" ]]; then | |
echo "Failed to generate build artifact: ${output_dir}/${artifact}" | |
exit 1 | |
fi | |
echo "dir=${output_dir}" >> "$GITHUB_OUTPUT" | |
echo "name=${artifact}" >> "$GITHUB_OUTPUT" | |
- id: archive | |
name: Compress build artifact | |
run: | | |
archive="flog-${GITHUB_REF_NAME}-darwin-${{ steps.arch.outputs.name }}.tar.xz" | |
tar -cvJf "${archive}" -C "${{ steps.artifact.outputs.dir }}" "${{ steps.artifact.outputs.name }}" | |
echo "name=${archive}" >> "$GITHUB_OUTPUT" | |
echo "archive-darwin-${{ steps.arch.outputs.name }}=${archive}" >> "$GITHUB_OUTPUT" | |
- id: hash | |
name: Generate build artifact hash | |
run: | | |
set -o pipefail | |
shasum -a 256 "${{ steps.archive.outputs.name }}" > "${{ steps.archive.outputs.name }}.sha256" | |
b64_hash=$(cat "${{ steps.archive.outputs.name }}.sha256" | base64) | |
echo "hash-darwin-${{ steps.arch.outputs.name }}=${b64_hash}" >> "$GITHUB_OUTPUT" | |
echo "checksum-darwin-${{ steps.arch.outputs.name }}=${{ steps.archive.outputs.name }}.sha256" >> "$GITHUB_OUTPUT" | |
- name: Upload build artifact | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
name: ${{ steps.archive.outputs.name }} | |
path: ${{ steps.archive.outputs.name }} | |
if-no-files-found: error | |
retention-days: 7 | |
- name: Upload SHA-256 checksum file | |
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
with: | |
name: ${{ steps.archive.outputs.name }}.sha256 | |
path: ${{ steps.archive.outputs.name }}.sha256 | |
if-no-files-found: error | |
retention-days: 7 | |
combine-hashes: | |
needs: [build] | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hashes.outputs.hashes }} | |
env: | |
HASHES: ${{ toJSON(needs.build.outputs) }} | |
steps: | |
- id: hashes | |
run: | | |
echo "$HASHES" | jq -r 'with_entries(select(.key | match("hash-.*-.*")))[] | @base64d' | sed "/^$/d" > hashes.txt | |
echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
provenance: | |
needs: [build, combine-hashes] | |
permissions: | |
actions: read | |
id-token: write | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- if: startsWith(github.ref, 'refs/tags/v') | |
name: Generate and upload SLSA provenance to release | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12 | |
with: | |
base64-subjects: ${{ needs.combine-hashes.outputs.hashes }} | |
provenance-name: flog.multiple.intoto.jsonl | |
upload-assets: true | |
- if: ${{ !startsWith(github.ref, 'refs/tags/v') }} | |
name: Generate SLSA provenance | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12 | |
with: | |
base64-subjects: ${{ needs.combine-hashes.outputs.hashes }} | |
provenance-name: flog.multiple.intoto.jsonl | |
upload-assets: false | |
release: | |
needs: [build, combine-hashes, provenance] | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/v') | |
steps: | |
- name: Download x86_64 build artifact | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.build.outputs.archive-darwin-x86_64 }} | |
- name: Download x86_64 SHA-256 checksum file | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.build.outputs.checksum-darwin-x86_64 }} | |
- name: Download arm64 build artifact | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.build.outputs.archive-darwin-arm64 }} | |
- name: Download arm64 SHA-256 checksum file | |
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4 | |
with: | |
name: ${{ needs.build.outputs.checksum-darwin-arm64 }} | |
- name: Upload release assets | |
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4 | |
with: | |
files: | | |
${{ needs.build.outputs.archive-darwin-x86_64 }} | |
${{ needs.build.outputs.checksum-darwin-x86_64 }} | |
${{ needs.build.outputs.archive-darwin-arm64 }} | |
${{ needs.build.outputs.checksum-darwin-arm64 }} |