c7e362d682
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](18bf8ad2ca...c8454efe5d)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
# Copyright 2021 OpenSSF Scorecard Authors
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
|
|
name: goreleaser
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "*" # triggers only if push new tag version, like `0.8.4` or else
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
goreleaser:
|
|
outputs:
|
|
hashes: ${{ steps.hash.outputs.hashes }}
|
|
permissions:
|
|
contents: write # for goreleaser/goreleaser-action to create a GitHub release
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v1
|
|
with:
|
|
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v2.3.4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Set up Go
|
|
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v2.2.0
|
|
with:
|
|
go-version: 1.19
|
|
check-latest: true
|
|
- name: Configure ldflags
|
|
id: ldflags
|
|
run: echo "version_flags=$(./scripts/version-ldflags)" >> "$GITHUB_OUTPUT"
|
|
- name: Import GPG key
|
|
id: import_gpg
|
|
uses: crazy-max/ghaction-import-gpg@111c56156bcc6918c056dbef52164cfa583dc549 # v5.2.0
|
|
with:
|
|
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
|
|
passphrase: ${{ secrets.PASSPHRASE }}
|
|
- name: Run GoReleaser
|
|
id: run-goreleaser
|
|
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v2.5.0
|
|
with:
|
|
version: latest
|
|
args: release --rm-dist
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
|
|
VERSION_LDFLAGS: ${{ steps.ldflags.outputs.version_flags }}
|
|
- name: Generate subject
|
|
id: hash
|
|
env:
|
|
ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
|
|
echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
|
|
|
|
provenance:
|
|
needs: [goreleaser]
|
|
permissions:
|
|
actions: read # To read the workflow path.
|
|
id-token: write # To sign the provenance.
|
|
contents: write # To add assets to a release.
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
|
|
with:
|
|
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
|
|
upload-assets: true # upload to a new release
|
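Review bot: The trailing version comment on the Harden Runner step is now stale: the `uses:` line pins `step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57` but still reads `# v1`, while the commit message says this SHA is the 2.2.0 release. Dependabot rewrites the SHA but apparently does not touch a comment it cannot map to a version, so the comment no longer tells a reviewer which release the pin corresponds to, which is the whole point of pinning by SHA. I would change the line to `uses: step-security/harden-runner@c8454efe5d0bdefd25384362fe217428ca277d57 # v2.2.0` so future bumps keep the comment in sync and the pin stays auditable. The other pinned actions in this workflow carry the same SHA-plus-version-comment convention, so this keeps the file consistent.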