Skip to content

Merge pull request #102 from uselagoon/simple-sbom #46

Merge pull request #102 from uselagoon/simple-sbom

Merge pull request #102 from uselagoon/simple-sbom #46

Workflow file for this run

name: release
on:
push:
branches:
- main
permissions: {}
jobs:
release-tag:
permissions:
# create tag
contents: write
runs-on: ubuntu-latest
outputs:
new-tag: ${{ steps.bump-tag.outputs.new }}
new-tag-version: ${{ steps.bump-tag.outputs.new_tag_version }}
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- name: Configure git
run: |
git config --global user.name "$GITHUB_ACTOR"
git config --global user.email "[email protected]"
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: stable
- name: Install ccv
run: >
curl -sSL https://github.com/smlx/ccv/releases/download/v0.3.2/ccv_0.3.2_linux_amd64.tar.gz
| sudo tar -xz -C /usr/local/bin ccv
- name: Bump tag if necessary
id: bump-tag
run: |
if [ -z "$(git tag -l "$(ccv)")" ]; then
git tag "$(ccv)"
git push --tags
echo "new=true" >> "$GITHUB_OUTPUT"
echo "new_tag_version=$(git tag --points-at HEAD)" >> "$GITHUB_OUTPUT"
fi
release-build:
permissions:
# create release
contents: write
# push docker images to regsitry
packages: write
# use OIDC token for signing
id-token: write
needs: release-tag
if: needs.release-tag.outputs.new-tag == 'true'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
fetch-depth: 0
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: stable
- name: Login to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up environment
run: echo "GOVERSION=$(go version)" >> "$GITHUB_ENV"
- uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
- uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
id: sbom
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Move sbom to avoid dirty git
run: mv "$GITHUB_SBOM_PATH" ./sbom.spdx.json
env:
GITHUB_SBOM_PATH: ${{ steps.sbom.outputs.fileName }}
- uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_SBOM_PATH: ./sbom.spdx.json