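---
# Release pipeline: builds the enterprise CLI for every OS/arch pair, produces
# a signed SBOM and the Terraform module, generates and verifies SLSA provenance
# for all of those artifacts, and finally drafts a GitHub release.
name: Build CLI and prepare release

on:
  workflow_dispatch:
    inputs:
      versionName:
        type: string
        description: "Version to use for the release (e.g. v1.2.3)"
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        required: false
      pushContainers:
        type: boolean
        description: "Push containers pinned in the cli to container registry"
        required: false
        default: false
      registry:
        description: "Container registry to use"
        type: string
        default: ghcr.io
      key:
        description: "Key to use for signing. Set to 'release' to use release key, set to 'dev' to use the dev key."
        type: string
        required: true
  workflow_call:
    inputs:
      versionName:
        type: string
        description: "Version to use for the release (e.g. v1.2.3)"
        required: true
      ref:
        type: string
        description: "Git ref to checkout"
        # Required here, optional on workflow_dispatch (which falls back to github.head_ref).
        required: true
      pushContainers:
        type: boolean
        description: "Push containers pinned in the cli to container registry"
        required: false
        default: false
      registry:
        description: "Container registry to use"
        type: string
        default: ghcr.io
      key:
        description: "Key to use for signing. Set to 'release' to use release key, set to 'dev' to use the dev key."
        type: string
        required: true

jobs:
  # Build the CLI once per matrix entry and upload binary + cosign signature
  # as one artifact per target.
  build-cli:
    runs-on: ubuntu-22.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - arch: amd64
            os: linux
          - arch: amd64
            os: darwin
          - arch: amd64
            os: windows
          - arch: arm64
            os: linux
          - arch: arm64
            os: darwin
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      - name: Build CLI
        uses: ./.github/actions/build_cli
        with:
          targetOS: ${{ matrix.os }}
          targetArch: ${{ matrix.arch }}
          enterpriseCLI: true
          # key == 'release' selects the release signing material; any other
          # value selects the dev key set.
          cosignPublicKey: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ inputs.key == 'release' && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload CLI as artifact (unix)
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        if: ${{ matrix.os != 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.sig

      - name: Upload CLI as artifact (windows)
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        if: ${{ matrix.os == 'windows' }}
        with:
          name: constellation-${{ matrix.os }}-${{ matrix.arch }}
          path: |
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
            build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig

  # Package the Terraform module for the given version (artifact name is set
  # by the composite action; consumed below as "terraform-module").
  upload-terraform-module:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Upload Terraform module
        uses: ./.github/actions/upload_terraform_module
        with:
          version: ${{ inputs.versionName }}

  # Optional: push the container images pinned in the CLI to the registry.
  push-containers:
    runs-on: ubuntu-22.04
    if: inputs.pushContainers
    permissions:
      actions: read
      # NOTE(review): contents: write looks broader than a registry push needs;
      # confirm whether //bazel/release:push writes to the repository, otherwise
      # contents: read should suffice.
      contents: write
      id-token: write
      packages: write
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      - name: Log in to the Container registry
        uses: ./.github/actions/container_registry_login
        with:
          registry: ${{ inputs.registry }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload referenced container images
        shell: bash
        run: bazel run //bazel/release:push

  # Collect every release artifact and emit its sha256sum list (base64) as the
  # subject list for the SLSA provenance generator.
  provenance-subjects:
    runs-on: ubuntu-22.04
    needs:
      - build-cli
      - signed-sbom
      - upload-terraform-module
    outputs:
      provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }}
    steps:
      - name: Download CLI binaries darwin-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-amd64

      - name: Download CLI binaries darwin-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-arm64

      - name: Download CLI binaries linux-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-amd64

      - name: Download CLI binaries linux-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-arm64

      - name: Download CLI binaries windows-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-windows-amd64

      - name: Download CLI SBOM
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation.spdx.sbom

      - name: Download Terraform module
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: terraform-module

      - name: Generate provenance subjects
        id: provenance-subjects
        # The list below must match the set of files verified in provenance-verify.
        run: |
          HASHES=$(sha256sum \
            constellation-darwin-amd64 \
            constellation-darwin-arm64 \
            constellation-linux-amd64 \
            constellation-linux-arm64 \
            constellation-windows-amd64.exe \
            constellation.spdx.sbom \
            terraform-module.zip)
          HASHESB64=$(echo "${HASHES}" | base64 -w0)
          echo "${HASHES}"
          echo "${HASHESB64}"
          echo provenance-subjects="${HASHESB64}" >> "$GITHUB_OUTPUT"

  # Build one CLI, generate its SPDX SBOM with syft, sign the SBOM with cosign
  # and gate on grype (fixed vulnerabilities of severity high or above).
  signed-sbom:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout
        id: checkout
        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
        with:
          ref: ${{ inputs.ref || github.head_ref }}

      - name: Install Cosign
        uses: sigstore/cosign-installer@c85d0e205a72a294fe064f618a87dbac13084086 # v2.8.1

      - name: Download Syft & Grype
        uses: ./.github/actions/install_syft_grype

      - name: Setup bazel
        uses: ./.github/actions/setup_bazel_nix
        with:
          useCache: "false"

      # Build one CLI since Syft's go-module catalog will default to binary parsing.
      # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
      # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.
      # Luckily, so far this does not seem to be the case.
      # As of v2.4.0, all SBOMs seem to have the same packages for [linux|darwin] & [amd64|arm64].
      # If this changes, this should be split up into multiple builds & multiple SBOMs.
      - name: Build CLI (amd64, linux)
        uses: ./.github/actions/build_cli
        with:
          targetOS: "linux"
          targetArch: "amd64"
          enterpriseCLI: true

      - name: Build signed SBOM
        run: |
          syft build/constellation-linux-amd64 --catalogers go-module --file constellation.spdx.sbom -o spdx-json
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
          grype constellation.spdx.sbom --fail-on high --only-fixed --add-cpes-if-none
        env:
          COSIGN_EXPERIMENTAL: 1
          # Same key selection as build-cli: 'release' -> release keys, else dev keys.
          COSIGN_PUBLIC_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ inputs.key == 'release' && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Upload Constellation CLI SBOM
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: constellation.spdx.sbom
          path: constellation.spdx.sbom

      - name: Upload Constellation CLI SBOM's signature
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        with:
          name: constellation.spdx.sbom.sig
          path: constellation.spdx.sbom.sig

  # Generate SLSA level 3 provenance for the subjects computed above.
  provenance:
    permissions:
      actions: read
      contents: write
      id-token: write
    needs:
      - provenance-subjects
    # This must not be pinned to digest. See:
    # https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      base64-subjects: "${{ needs.provenance-subjects.outputs.provenance-subjects }}"

  # Independently verify the generated provenance against every artifact.
  provenance-verify:
    runs-on: ubuntu-22.04
    env:
      SLSA_VERIFIER_VERSION: "2.0.1"
      # Output of the third-party reusable workflow. Exposed through env and
      # quoted in the shell scripts below instead of being interpolated with
      # ${{ }} into run:, so unexpected characters in it cannot alter the script.
      PROVENANCE_NAME: ${{ needs.provenance.outputs.provenance-name }}
    needs:
      - build-cli
      - provenance
      - upload-terraform-module
    steps:
      - name: Download CLI binaries darwin-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-amd64

      - name: Download CLI binaries darwin-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-arm64

      - name: Download CLI binaries linux-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-amd64

      - name: Download CLI binaries linux-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-arm64

      - name: Download CLI binaries windows-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-windows-amd64

      - name: Download CLI SBOM
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation.spdx.sbom

      - name: Download Terraform module
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: terraform-module

      - name: Download provenance
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

      - name: Install slsa-verifier
        # NOTE(review): the verifier binary is fetched over HTTPS but no checksum
        # is compared before it is installed; the verdicts below are only as
        # trustworthy as that download. Compare against the SHA-256 published
        # for this release (not recorded in this file) before `install`.
        run: |
          curl -fsSLO "https://github.com/slsa-framework/slsa-verifier/releases/download/v${SLSA_VERIFIER_VERSION}/slsa-verifier-linux-amd64"
          install slsa-verifier-linux-amd64 /usr/local/bin/slsa-verifier

      - name: Verify provenance
        # Same file list as the sha256sum call in provenance-subjects; the shell
        # runs with -e, so the first failed verification fails the job.
        run: |
          for artifact in \
            constellation-darwin-amd64 \
            constellation-darwin-arm64 \
            constellation-linux-amd64 \
            constellation-linux-arm64 \
            constellation-windows-amd64.exe \
            constellation.spdx.sbom \
            terraform-module.zip; do
            slsa-verifier verify-artifact "${artifact}" \
              --provenance-path "${PROVENANCE_NAME}" \
              --source-uri github.com/edgelesssys/constellation
          done

  # Assemble all artifacts, the public key and the provenance into a draft release.
  release:
    permissions:
      contents: write
    runs-on: ubuntu-22.04
    env:
      # See provenance-verify: kept out of ${{ }} interpolation in run: scripts.
      PROVENANCE_NAME: ${{ needs.provenance.outputs.provenance-name }}
    # NOTE(review): this job does not depend on provenance-verify, so the draft
    # release is created even if verification fails. Consider adding it to
    # needs so a failed verification blocks the draft.
    needs:
      - build-cli
      - provenance
      - signed-sbom
      - upload-terraform-module
    steps:
      - name: Write cosign public key
        run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub
        env:
          COSIGN_PUBLIC_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}

      - name: Download CLI binaries darwin-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-amd64

      - name: Download CLI binaries darwin-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-darwin-arm64

      - name: Download CLI binaries linux-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-amd64

      - name: Download CLI binaries linux-arm64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-linux-arm64

      - name: Download CLI binaries windows-amd64
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation-windows-amd64

      - name: Download Constellation CLI SBOM
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation.spdx.sbom

      - name: Download Constellation CLI SBOM's signature
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: constellation.spdx.sbom.sig

      - name: Download Constellation provenance
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}

      - name: Download Terraform module
        uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
        with:
          name: terraform-module

      - name: Rename provenance file
        run: |
          mv "${PROVENANCE_NAME}" constellation.intoto.jsonl

      - name: Create release with artifacts
        # GitHub endorsed release project. See: https://github.com/actions/create-release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          draft: true
          generate_release_notes: true
          tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }}
          files: |
            constellation-*
            cosign.pub
            constellation.spdx.sbom
            constellation.spdx.sbom.sig
            constellation.intoto.jsonl
            terraform-module.zip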