Skip to content

Use cosign bundle for release checksum signing (#169) #32

Use cosign bundle for release checksum signing (#169)

Use cosign bundle for release checksum signing (#169) #32

Workflow file for this run

name: Release
on:
push:
tags:
- "v*"
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
permissions: {}
jobs:
test:
uses: ./.github/workflows/test.yml
permissions:
contents: read
security:
uses: ./.github/workflows/security.yml
permissions:
contents: read
security-events: write
release:
name: Release
needs: [test, security]
runs-on: ubuntu-latest
timeout-minutes: 45
environment: release
permissions:
contents: write
id-token: write
attestations: write
pull-requests: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- name: Set up Go
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0 # zizmor: ignore[cache-poisoning] -- cache is branch-isolated; fork PRs cannot write to this cache
with:
go-version-file: go.mod
- name: Verify tag is on default branch
env:
DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
GIT_REF: ${{ github.ref }}
REF_NAME: ${{ github.ref_name }}
run: |
TAG_COMMIT=$(git rev-list -n 1 "$GIT_REF")
if ! git branch -r --contains "$TAG_COMMIT" | grep -q "origin/${DEFAULT_BRANCH}$"; then
echo "ERROR: Tag $REF_NAME is not on ${DEFAULT_BRANCH}"
exit 1
fi
- name: Verify macOS signing secrets
env:
MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
run: |
missing=()
for var in MACOS_SIGN_P12 MACOS_SIGN_PASSWORD MACOS_NOTARY_KEY MACOS_NOTARY_KEY_ID MACOS_NOTARY_ISSUER_ID; do
if [ -z "${!var}" ]; then
missing+=("$var")
fi
done
if [ ${#missing[@]} -gt 0 ]; then
echo "ERROR: Missing required macOS signing secrets: ${missing[*]}"
echo "Notarization is mandatory. Configure all MACOS_* secrets before releasing."
exit 1
fi
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.RELEASE_CLIENT_ID }}
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
repositories: homebrew-tap
permission-contents: write
- name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
- name: Install Syft
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
- name: Generate shell completions
run: |
go build -o fizzy-tmp ./cmd/fizzy
mkdir -p completions
./fizzy-tmp completion bash > completions/fizzy.bash
./fizzy-tmp completion zsh > completions/fizzy.zsh
./fizzy-tmp completion fish > completions/fizzy.fish
rm fizzy-tmp
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
with:
version: 'v2.14.1'
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
HOMEBREW_TAP_TOKEN: ${{ steps.app-token.outputs.token }}
MACOS_SIGN_P12: ${{ secrets.MACOS_SIGN_P12 }}
MACOS_SIGN_PASSWORD: ${{ secrets.MACOS_SIGN_PASSWORD }}
MACOS_NOTARY_KEY: ${{ secrets.MACOS_NOTARY_KEY }}
MACOS_NOTARY_KEY_ID: ${{ secrets.MACOS_NOTARY_KEY_ID }}
MACOS_NOTARY_ISSUER_ID: ${{ secrets.MACOS_NOTARY_ISSUER_ID }}
- name: Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-checksums-file: ./dist/checksums.txt
aur-publish:
runs-on: ubuntu-latest
needs: release
environment: release
permissions:
contents: read
# Only publish the normal AUR package for stable tags. Prereleases stay on GitHub Releases.
if: startsWith(github.ref, 'refs/tags/v') && !contains(github.ref_name, '-')
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Check AUR secret
id: check
env:
AUR_KEY: ${{ secrets.AUR_KEY }}
run: |
if [ -n "$AUR_KEY" ]; then
echo "available=true" >> "$GITHUB_OUTPUT"
fi
- name: Publish to AUR
if: steps.check.outputs.available == 'true'
run: |
scripts/publish-aur.sh
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AUR_KEY: ${{ secrets.AUR_KEY }}