Skip to content
release

release #6

Sign in to view logs

release

release #6

Workflow file for this run

.github/workflows/release.yml at 8e08985
name: release
# run only on tags
on:
push:
tags:
- 'v*'
permissions:
contents: write # needed to write releases
id-token: write # needed for keyless signing
packages: write # needed for push images
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: '1.23'
check-latest: true
- uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
- uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- uses: anchore/sbom-action/download-syft@8d0a6505bf28ced3e85154d13dc6af83299e13f1 # v0.17.4
- name: Set env
run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> "$GITHUB_ENV"
- name: Login to GitHub Containers
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
KO_DOCKER_REPO: ghcr.io/sigstore/gitsign
- name: get the digest
id: digest
run: |
digest=$(crane digest ghcr.io/sigstore/gitsign:${{ env.RELEASE_VERSION }})
echo "digest=${digest}" >> "$GITHUB_OUTPUT"
- name: sign image
run: |
cosign sign "ghcr.io/sigstore/gitsign@${{ steps.digest.outputs.digest }}"
env:
COSIGN_YES: true
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-name: ghcr.io/sigstore/gitsign
subject-digest: ${{ steps.digest.outputs.digest }}
push-to-registry: true