hazcod · hazcod · Jan 28, 2025 · Jan 28, 2025
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -2,54 +2,97 @@ name: release
 
 on:
   push:
-    branches:
-    - master
-    - main
+    branches: [main, master]
 
 jobs:
-
-  tag:
-    runs-on: ubuntu-latest
-    steps:
-    -
-      uses: actions/checkout@v4
-    -
-      uses: go-semantic-release/action@v1
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-
   goreleaser:
     runs-on: ubuntu-latest
-    needs: tag
+
+    outputs:
+      hashes: ${{ steps.hashes.outputs.hashes }}
+      version: ${{ steps.semrel.outputs.version }}
+
+    permissions:
+      contents: write
+      packages: write
+
     steps:
     -
       name: Checkout
       uses: actions/checkout@v4
+      with:
+        fetch-depth: 0
     -
-      name: Unshallow
-      run: git fetch --prune --unshallow
-    -
-      id: versions
+      id: vars
       run: |
-        echo ::set-output name=go::$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
-        echo "Using Go version ${{ steps.versions.outputs.go }}"
+        goVersion=$(grep '^FROM go' .github/go/Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2)
+        echo "go_version=${goVersion}" >> $GITHUB_OUTPUT
+        echo "Using Go version ${goVersion}"
     -
       name: Set up Go
       uses: actions/setup-go@v5
       with:
-        go-version: ${{ steps.versions.outputs.go }}
+        go-version: ${{ steps.vars.outputs.go_version }}
     -
-      name: Login to GitHub Container Registry
+      name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+      uses: aquasecurity/trivy-action@master
+      with:
+        scan-type: 'fs'
+        format: 'github'
+        output: 'dependency-results.sbom.json'
+        image-ref: '.'
+        github-pat: ${{ secrets.GH_PRIVATEREPO_TOKEN }}
+    -
+      name: Remove SBOM result
+      run: |
+        rm dependency-results.sbom.json
+    -
+      name: Install syft
+      run: |
+        curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
+    -
+      name: Create release tag
+      uses: go-semantic-release/action@v1
+      id: semrel
+      with:
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    -
+      run: git fetch -a
+      if: steps.semrel.outputs.version != ''
+    -
+      name: Login to GitHub Docker registry
+      if: steps.semrel.outputs.version != ''
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     -
       name: Release
-      uses: goreleaser/goreleaser-action@v6
+      uses: goreleaser/[email protected]
+      if: steps.semrel.outputs.version != ''
       with:
         version: latest
         args: release --config=.github/goreleaser.yml --clean
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    -
+      name: Generate dist hashes
+      id: hashes
+      if: steps.semrel.outputs.version != ''
+      env:
+        ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+      run: |
+        checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
+        echo "hashes=$(cat $checksum_file | base64 -w0)" >> $GITHUB_OUTPUT
+
+  provenance:
+    needs: [goreleaser]
+    if: needs.goreleaser.outputs.hashes != ''
+    permissions:
+      actions: read # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"