Use cosign bundle for release checksum signing (#169) #32
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| concurrency: | |
| group: release-${{ github.ref }} | |
| cancel-in-progress: false | |
| permissions: {} | |
| jobs: | |
| test: | |
| uses: ./.github/workflows/test.yml | |
| permissions: | |
| contents: read | |
| security: | |
| uses: ./.github/workflows/security.yml | |
| permissions: | |
| contents: read | |
| security-events: write | |
| release: | |
| name: Release | |
| needs: [test, security] | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 45 | |
| environment: release | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Set up Go | |
| uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache | |
| with: | |
| go-version-file: go.mod | |
| - name: Verify tag is on default branch | |
| env: | |
| DEFAULT_BRANCH: ${{ github.event.repository.default_branch }} | |
| GIT_REF: ${{ github.ref }} | |
| REF_NAME: ${{ github.ref_name }} | |
| run: | | |
| TAG_COMMIT=$(git rev-list -n 1 "$GIT_REF") | |
| if ! git branch -r --contains "$TAG_COMMIT" | grep -q "origin/${DEFAULT_BRANCH}$"; then | |
| echo "ERROR: Tag $REF_NAME is not on ${DEFAULT_BRANCH}" | |
| exit 1 | |
| fi | |
| - name: Verify macOS signing secrets | |
| env: | |
| MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} | |
| MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} | |
| MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} | |
| MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} | |
| MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} | |
| run: | | |
| missing=() | |
| for var in MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_KEY MACOS_NOTARY_KEY_ID MACOS_NOTARY_ISSUER_ID; do | |
| if [ -z "${!var}" ]; then | |
| missing+=("$var") | |
| fi | |
| done | |
| if [ ${#missing[@]} -gt 0 ]; then | |
| echo "ERROR: Missing required macOS signing secrets: ${missing[*]}" | |
| echo "Notarization is mandatory. Configure all MACOS_* secrets before releasing." | |
| exit 1 | |
| fi | |
| - name: Generate GitHub App token | |
| id: app-token | |
| uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0 | |
| with: | |
| app-id: ${{ vars.RELEASE_CLIENT_ID }} | |
| private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }} | |
| repositories: homebrew-tap | |
| permission-contents: write | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2 | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 | |
| - name: Generate shell completions | |
| run: | | |
| go build -o fizzy-tmp ./cmd/fizzy | |
| mkdir -p completions | |
| ./fizzy-tmp completion bash > completions/fizzy.bash | |
| ./fizzy-tmp completion zsh > completions/fizzy.zsh | |
| ./fizzy-tmp completion fish > completions/fizzy.fish | |
| rm fizzy-tmp | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2 | |
| with: | |
| version: 'v2.14.1' | |
| args: release --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HOMEBREW_TAP_TOKEN: ${{ steps.app-token.outputs.token }} | |
| MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }} | |
| MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }} | |
| MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }} | |
| MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }} | |
| MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }} | |
| - name: Attest build provenance | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-checksums-file: ./dist/checksums.txt | |
| aur-publish: | |
| runs-on: ubuntu-latest | |
| needs: release | |
| environment: release | |
| permissions: | |
| contents: read | |
| # Only publish the normal AUR package for stable tags. Prereleases stay on GitHub Releases. | |
| if: startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-') | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Check AUR secret | |
| id: check | |
| env: | |
| AUR_KEY: ${{ secrets.AUR_KEY }} | |
| run: | | |
| if [ -n "$AUR_KEY" ]; then | |
| echo "available=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Publish to AUR | |
| if: steps.check.outputs.available == 'true' | |
| run: | | |
| scripts/publish-aur.sh | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| AUR_KEY: ${{ secrets.AUR_KEY }} |