diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml index b357cc0..f481caf 100644 --- a/.github/workflows/go-ossf-slsa3-publish.yml +++ b/.github/workflows/go-ossf-slsa3-publish.yml @@ -1,38 +1,43 @@ -# This workflow uses actions that are not certified by GitHub. -# They are provided by a third-party and are governed by -# separate terms of service, privacy policy, and support -# documentation. - -# This workflow lets you compile your Go project using a SLSA3 compliant builder. -# This workflow will generate a so-called "provenance" file describing the steps -# that were performed to generate the final binary. -# The project is an initiative of the OpenSSF (openssf.org) and is developed at -# https://github.com/slsa-framework/slsa-github-generator. -# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. -# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. - -name: SLSA Go releaser +name: SLSA go releaser on: workflow_dispatch: - release: - types: [created] + push: + tags: + - "*" permissions: read-all jobs: - # ======================================================================================================================================== - # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. - # See format in https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/go/README.md#configuration-file - #========================================================================================================================================= + # Generate ldflags dynamically. + # Optional: only needed for ldflags. + args: + runs-on: ubuntu-latest + outputs: + commit-date: ${{ steps.ldflags.outputs.commit-date }} + commit: ${{ steps.ldflags.outputs.commit }} + version: ${{ steps.ldflags.outputs.version }} + tree-state: ${{ steps.ldflags.outputs.tree-state }} + steps: + - id: checkout + uses: actions/checkout@ec3a7ce113134d7a93b817d10a8272cb61118579 # tag=v2.3.4 + with: + fetch-depth: 0 + - id: ldflags + run: | + echo "commit-date=$(git log --date=iso8601-strict -1 --pretty=%ct)" >> "$GITHUB_OUTPUT" + echo "commit=$GITHUB_SHA" >> "$GITHUB_OUTPUT" + echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT" + echo "tree-state=$(if git diff --quiet; then echo "clean"; else echo "dirty"; fi)" >> "$GITHUB_OUTPUT" + + # Trusted builder. build: permissions: - id-token: write # To sign. - contents: write # To upload release assets. - actions: read # To read workflow path. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.0 + id-token: write # To sign the provenance. + contents: write # To upload assets to release. + actions: read # To read the workflow path. + needs: args + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.2 with: - go-version: 1.17 - # ============================================================================================================= - # Optional: For more options, see https://github.com/slsa-framework/slsa-github-generator#golang-projects - # ============================================================================================================= - + go-version: 1.19 + # Optional: only needed if using ldflags. + evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}" \ No newline at end of file