Bump hashicorp/vault from 4.4.0 to 4.5.0 in /example/vault/environments/local #854
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Go CI | |
on: | |
push: | |
pull_request: | |
types: [ opened, reopened ] | |
workflow_dispatch: | |
permissions: | |
contents: write | |
packages: write | |
jobs: | |
build: | |
runs-on: ubuntu-22.04 | |
name: Continuous Integration | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version-file: go.mod | |
check-latest: true | |
- name: Get dependencies | |
run: go mod download | |
- name: Lint | |
run: | | |
result=$(make lint) | |
echo $result | |
[ -n "$(echo "$result" | grep 'diff -u')" ] && exit 1 || exit 0 | |
- name: Build | |
run: make build | |
- name: Test | |
run: make test | |
- name: Coverage | |
run: make coverage-out | |
- name: Upload Code Coverage | |
uses: codecov/[email protected] | |
with: | |
token: ${{ secrets.CODECOV_TOKEN }} | |
files: ./coverage.out | |
flags: unittests | |
name: codecov-umbrella | |
fail_ci_if_error: true | |
verbose: true | |
release: | |
name: release | |
needs: [build] | |
runs-on: ubuntu-22.04 | |
outputs: | |
container_digest: ${{ steps.container_info.outputs.container_digest }} | |
container_tags: ${{ steps.container_info.outputs.container_tags }} | |
container_repos: ${{ steps.container_info.outputs.container_repos }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Set up Go | |
uses: actions/[email protected] | |
with: | |
go-version-file: go.mod | |
check-latest: true | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.1' | |
- name: Login to container registries | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
- name: Set release variables | |
id: release-vars | |
run: | | |
make release-vars > /tmp/spiffe-vault-release-vars.env | |
source /tmp/spiffe-vault-release-vars.env | |
if [[ -n "$LDFLAGS" ]]; then | |
echo "ldflags=$LDFLAGS" >> $GITHUB_OUTPUT | |
fi | |
if [[ -n "$GIT_HASH" ]]; then | |
echo "git_hash=$GIT_HASH" >> $GITHUB_OUTPUT | |
fi | |
rm -f /tmp/spiffe-vault-release-vars.env | |
- name: Install signing key | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
- name: Buildx builder | |
run: make container-builder | |
- name: Release ${{ (!startsWith(github.ref, 'refs/tags/') && 'snapshot') || '' }} | |
uses: goreleaser/goreleaser-action@v6 | |
with: | |
version: latest | |
args: release --clean ${{ (!startsWith(github.ref, 'refs/tags/') && '--snapshot') || '' }} | |
env: | |
LDFLAGS: ${{ steps.release-vars.outputs.ldflags }} | |
GIT_HASH: ${{ steps.release-vars.outputs.git_hash }} | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Get container info | |
id: container_info | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
export CONTAINER_DIGEST=$(make container-digest GITHUB_REF=${{ github.ref_name }}) | |
echo "container_digest=$CONTAINER_DIGEST" >> $GITHUB_OUTPUT | |
echo "container_tags=$(make container-tags CONTAINER_DIGEST="${CONTAINER_DIGEST}" | paste -s -d ',' -)" >> $GITHUB_OUTPUT | |
echo "container_repos=$(make container-repos CONTAINER_DIGEST="${CONTAINER_DIGEST}" | jq --raw-input . | jq --slurp -c)" >> $GITHUB_OUTPUT | |
- name: Logout from container registries | |
if: ${{ always() }} | |
run: | | |
docker logout ghcr.io | |
- name: Cleanup signing keys | |
if: ${{ always() }} | |
run: rm -f cosign.key | |
provenance: | |
name: Generate provenance | |
runs-on: ubuntu-22.04 | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
steps: | |
- name: Generate provenance for release | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: github-release | |
arguments: --artifact-path release-assets --output-path provenance.att --tag-name ${{ github.ref_name }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.1' | |
- name: Sign provenance | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign sign-blob --key cosign.key --output-signature "${SIGNATURE}" provenance.att | |
cat "${SIGNATURE}" | |
curl_args=(-s -H "Authorization: token ${GITHUB_TOKEN}") | |
curl_args+=(-H "Accept: application/vnd.github.v3+json") | |
release_id="$(curl "${curl_args[@]}" "${GITHUB_API_URL}/repos/${GITHUB_REPOSITORY}/releases?per_page=10" | jq "map(select(.name == \"${GITHUB_REF_NAME}\"))" | jq -r '.[0].id')" | |
echo "Upload ${SIGNATURE} to release with id ${release_id}…" | |
curl_args+=(-H "Content-Type: $(file -b --mime-type "${SIGNATURE}")") | |
curl "${curl_args[@]}" \ | |
--data-binary @"${SIGNATURE}" \ | |
"https://uploads.github.com/repos/${GITHUB_REPOSITORY}/releases/${release_id}/assets?name=${SIGNATURE}" | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
SIGNATURE: provenance.att.sig | |
container-provenance: | |
name: container-provenance | |
needs: [release] | |
if: startsWith(github.ref, 'refs/tags/') | |
runs-on: ubuntu-22.04 | |
strategy: | |
matrix: | |
repo: ${{ fromJSON(needs.release.outputs.container_repos) }} | |
steps: | |
- name: Install cosign | |
uses: sigstore/[email protected] | |
with: | |
cosign-release: 'v2.4.1' | |
- name: Generate provenance for ${{ matrix.repo }} | |
uses: philips-labs/[email protected] | |
with: | |
command: generate | |
subcommand: container | |
arguments: --repository ${{ matrix.repo }} --output-path provenance.att --digest ${{ needs.release.outputs.container_digest }} --tags ${{ needs.release.outputs.container_tags }} | |
env: | |
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" | |
- name: Get slsa-provenance predicate | |
run: | | |
cat provenance.att | jq .predicate > provenance-predicate.att | |
- name: Login to Container registries | |
if: startsWith(github.ref, 'refs/tags/') | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | docker login -u ${{ github.actor }} --password-stdin ghcr.io | |
- name: Attach provenance to image | |
run: | | |
echo '${{ secrets.COSIGN_PRIVATE_KEY }}' > cosign.key | |
cosign attest --predicate provenance-predicate.att --type slsaprovenance --key cosign.key ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
- name: Verify attestation | |
run: | | |
echo '${{ secrets.COSIGN_PUBLIC_KEY }}' > cosign.pub | |
cosign verify-attestation --key cosign.pub ${{ matrix.repo }}@${{ needs.release.outputs.container_digest }} | |
- name: Logout from Container registries | |
if: ${{ always() }} | |
run: | | |
docker logout ghcr.io | |
rm -f cosign.key |