Merge pull request #77 from cpanato/add-att

add attestation in the release job
kubernetes-sigs · Apr 18, 2023 · 6aa7062 · 6aa7062
2 parents dd657c9 + c2aef1b
commit 6aa7062
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -31,7 +31,7 @@ jobs:
         uses: sigstore/cosign-installer@9e9de2292db7abb3f51b7f4808d98f0d347a8919 # v3.0.2
 
       - name: Install bom
-        uses: puerco/release-actions/setup-bom@8d40ac756bb1e4cab06267d89141baa650623919 # main
+        uses: puerco/release-actions/setup-bom@6c88cda6495b4415966e61f20798fb96a9081397 # main
 
       - name: Install GoReleaser
         uses: goreleaser/goreleaser-action@f82d6c1c344bcacabba2c841718984797f664a6b # v4.2.0
@@ -49,3 +49,38 @@ jobs:
           args: buildBinaries
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  attestation:
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      contents: write
+
+    needs:
+      - release
+
+    steps:
+      - name: Check out code onto GOPATH
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        with:
+          fetch-depth: 1
+
+      - name: Set tag output
+        id: tag
+        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
+
+      - name: Install tejolote
+        uses: puerco/release-actions/setup-tejolote@6c88cda6495b4415966e61f20798fb96a9081397 # main
+
+      - run: |
+          tejolote attest --artifacts github://kubernetes-sigs/tejolote/${{ steps.tag.outputs.tag_name }} github://kubernetes-sigs/tejolote/"${GITHUB_RUN_ID}" --output tejolote.intoto.json --sign
+
+      - name: Release
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
+        with:
+          files: tejolote.intoto.json
+          tag_name: "${{ steps.tag.outputs.tag_name }}"
+          token: ${{ secrets.GITHUB_TOKEN }}
+        env:
+          GITHUB_REPOSITORY: kubernetes-sigs/tejolote
diff --git a/.github/workflows/snapshot.yml b/.github/workflows/snapshot.yml
@@ -25,7 +25,7 @@ jobs:
           install-only: true
 
       - name: Install bom
-        uses: puerco/release-actions/setup-bom@8d40ac756bb1e4cab06267d89141baa650623919 # main
+        uses: puerco/release-actions/setup-bom@6c88cda6495b4415966e61f20798fb96a9081397 # main
 
       - name: Run Mage
         uses: magefile/mage-action@3b833fb24c0d19eed3aa760b9eb285b4b84f420f # v2.3.0