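# Manually triggered workflow: builds the CLI for four OS/arch targets,
# produces a signed SBOM, and drafts a GitHub release for tag refs.
name: Build CLI and prepare release

on:
  workflow_dispatch:

jobs:
  build-cli:
    # NOTE(review): no `permissions:` key is declared in this file, so
    # GITHUB_TOKEN gets the repository/organisation default scopes. The release
    # step at the end needs `contents: write`; confirm what the local actions
    # need before declaring an explicit least-privilege set here.
    runs-on: ubuntu-22.04
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # `tag=` comment records the release that SHA corresponds to.
      - name: Checkout
        id: checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8  # tag=v3.1.0
        with:
          # github.head_ref is only populated for pull-request events. Under
          # workflow_dispatch it is empty, so checkout falls back to the ref the
          # run was dispatched on.
          ref: ${{ github.head_ref }}

      - name: Setup Go environment
        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f  # tag=v3.3.1
        with:
          go-version: "1.19.3"

      # Signing key selection (same expression in every build step and in the
      # SBOM step): refs matching refs/tags/v* use the release cosign secrets,
      # everything else uses the DEV secrets.
      # NOTE(review): `cond && a || b` yields `b` whenever `a` is empty. If a
      # release secret is unset on a tag build, the DEV key is used silently
      # instead of the build failing.
      - name: Build cli-linux-amd64
        uses: ./.github/actions/build_cli
        with:
          targetOS: linux
          targetArch: amd64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-linux-arm64
        uses: ./.github/actions/build_cli
        with:
          targetOS: linux
          targetArch: arm64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-darwin-amd64
        uses: ./.github/actions/build_cli
        with:
          targetOS: darwin
          targetArch: amd64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      - name: Build cli-darwin-arm64
        uses: ./.github/actions/build_cli
        with:
          targetOS: darwin
          targetArch: arm64
          enterpriseCLI: true
          cosignPublicKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          cosignPrivateKey: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          cosignPassword: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      # Cloud logins use long-lived credentials stored as repository secrets.
      # Every later step in this job runs with those sessions available.
      - name: Login to Azure
        uses: ./.github/actions/login_azure
        with:
          azure_credentials: ${{ secrets.AZURE_CREDENTIALS }}

      - name: Login to GCP
        uses: ./.github/actions/login_gcp
        with:
          gcp_service_account_json: ${{ secrets.GCP_SERVICE_ACCOUNT }}

      # The generated manifest is echoed to the job log and attached to the
      # release below.
      - name: Build version manifest
        run: |
          cd hack/build-manifest/
          AZURE_SUBSCRIPTION_ID=0d202bbb-4fa7-4af8-8125-58c269a05435 go run . > versions-manifest.json
          cat versions-manifest.json

      # Tools are unpacked into a dedicated directory under RUNNER_TEMP and only
      # that directory is put on PATH. Entries written to GITHUB_PATH are
      # prepended, so adding the checkout root would let any executable in the
      # repository shadow system binaries in later steps.
      # `curl --fail` makes an HTTP error abort the step instead of saving the
      # error page for tar to choke on.
      # NOTE(review): the tarballs are still not integrity-checked. Versions are
      # pinned, but nothing compares the download with a known-good SHA-256
      # before the binaries are executed in a job holding cloud and signing
      # credentials. Pin the expected digests in the repository and verify them
      # here.
      - name: Download syft & grype
        run: |
          SYFT_VERSION=0.59.0
          GRYPE_VERSION=0.50.2
          tools_dir="${RUNNER_TEMP}/sbom-tools"
          mkdir -p "${tools_dir}"
          cd "${tools_dir}"
          curl -fLO "https://github.com/anchore/syft/releases/download/v${SYFT_VERSION}/syft_${SYFT_VERSION}_linux_amd64.tar.gz"
          tar -xzf "syft_${SYFT_VERSION}_linux_amd64.tar.gz"
          ./syft version
          curl -fLO "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
          tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
          ./grype version
          pwd >> "$GITHUB_PATH"
        shell: bash

      # Generates an SPDX SBOM from the Go modules, signs it with the selected
      # cosign key, then fails the step if grype reports a high-or-worse finding
      # that has a fix available.
      # NOTE(review): the signature is created before the grype gate runs, and
      # COSIGN_PUBLIC_KEY is exported but not used by this script (no
      # verify-blob). cosign is not installed by any step visible in this file;
      # presumably the build_cli action provides it. Confirm.
      - name: Build signed SBOMs
        run: |
          syft . --catalogers go-module --file constellation.spdx.sbom -o spdx-json
          cosign sign-blob --key env://COSIGN_PRIVATE_KEY constellation.spdx.sbom > constellation.spdx.sbom.sig
          grype constellation.spdx.sbom --fail-on high --only-fixed
        env:
          # Quoted so the value stays a string for every YAML consumer.
          COSIGN_EXPERIMENTAL: "1"
          COSIGN_PUBLIC_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
          COSIGN_PRIVATE_KEY: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PRIVATE_KEY || secrets.COSIGN_DEV_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ startsWith(github.ref, 'refs/tags/v') && secrets.COSIGN_PASSWORD || secrets.COSIGN_DEV_PASSWORD }}

      # Runs only for refs/tags/v* and creates a draft, so a maintainer still
      # has to publish the release by hand.
      # The verification key (build/cosign.pub) is shipped in the same release
      # as the artifacts it verifies. It is a convenience copy, not an
      # independent trust anchor.
      - name: Create release with artifacts
        # GitHub endorsed release project. See: https://github.com/actions/create-release
        uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5  # tag=v0.1.14
        if: startsWith(github.ref, 'refs/tags/v')
        with:
          draft: true
          files: |
            build/constellation-*
            build/cosign.pub
            hack/build-manifest/versions-manifest.json
            constellation.spdx.sbom
            constellation.spdx.sbom.sig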