ci: generate SBOM and sign artifacts using cosign (#4910)
* ci: sign artifacts using cosign * include SBOM
This commit is contained in:
parent
66476d8c8f
commit
d6b3c7d262
2 changed files with 19 additions and 2 deletions
10
.github/workflows/release.yml
@ -99,7 +99,14 @@ jobs:
|
||||||
key: ${{ runner.os }}-go${{ matrix.go }}-release-${{ hashFiles('**/go.sum') }}
|
key: ${{ runner.os }}-go${{ matrix.go }}-release-${{ hashFiles('**/go.sum') }}
|
||||||
restore-keys: |
|
restore-keys: |
|
||||||
${{ runner.os }}-go${{ matrix.go }}-release
|
${{ runner.os }}-go${{ matrix.go }}-release
|
||||||
|
- name: Install Cosign
|
||||||
|
uses: sigstore/cosign-installer@main
|
||||||
|
- name: Cosign version
|
||||||
|
run: cosign version
|
||||||
|
- name: Install Syft
|
||||||
|
uses: anchore/sbom-action/download-syft@main
|
||||||
|
- name: Syft version
|
||||||
|
run: syft version
|
||||||
# GoReleaser will take care of publishing those artifacts into the release
|
# GoReleaser will take care of publishing those artifacts into the release
|
||||||
- name: Run GoReleaser
|
- name: Run GoReleaser
|
||||||
uses: goreleaser/goreleaser-action@v2
|
uses: goreleaser/goreleaser-action@v2
|
||||||
|
@ -109,6 +116,7 @@ jobs:
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
TAG: ${{ steps.vars.outputs.version_tag }}
|
TAG: ${{ steps.vars.outputs.version_tag }}
|
||||||
|
COSIGN_EXPERIMENTAL: 1
|
||||||
|
|
||||||
# Only publish on non-special tags (e.g. non-beta)
|
# Only publish on non-special tags (e.g. non-beta)
|
||||||
# We will continue to push to Gemfury for the foreseeable future, although
|
# We will continue to push to Gemfury for the foreseeable future, although
|
||||||
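Review bot: Both new installer steps reference a mutable branch (`uses: sigstore/cosign-installer@main` and `uses: anchore/sbom-action/download-syft@main`), so the tool that produces the release signatures is fetched from whatever those repos' `main` points at on release day; a compromised or simply broken upstream commit would land directly in the signing path of a tagged release. Pin each to a release tag or, better, a full commit SHA with the version in a trailing comment, e.g. `uses: sigstore/cosign-installer@<full-commit-sha> # vX.Y.Z`, and let Dependabot bump it. Since `COSIGN_EXPERIMENTAL: 1` selects keyless (Fulcio/Rekor) signing, the job also needs `permissions: id-token: write` for the OIDC token; that stanza is outside this hunk, so confirm it is already present on the release job. Consider also pinning the cosign version explicitly via the installer's `cosign-release` input so `cosign version` in the log is reproducible.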
|
|
|
@ -62,9 +62,18 @@ builds:
|
||||||
goarm: "5"
|
goarm: "5"
|
||||||
flags:
|
flags:
|
||||||
- -trimpath
|
- -trimpath
|
||||||
|
- -mod=readonly
|
||||||
ldflags:
|
ldflags:
|
||||||
- -s -w
|
- -s -w
|
||||||
|
signs:
|
||||||
|
- cmd: cosign
|
||||||
|
signature: "${artifact}.sig"
|
||||||
|
args: ["sign-blob", "--oidc-issuer=https://token.actions.githubusercontent.com", "--output=${signature}", "${artifact}"]
|
||||||
|
artifacts: all
|
||||||
|
sboms:
|
||||||
|
- artifacts: binary
|
||||||
|
cmd: syft
|
||||||
|
args: ["$artifact", "--file", "$sbom", "--output", "cyclonedx-json"]
|
||||||
archives:
|
archives:
|
||||||
- format_overrides:
|
- format_overrides:
|
||||||
- goos: windows
|
- goos: windows
|
||||||
|
|
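Review bot: The `signs` entry only emits `${artifact}.sig`; with keyless signing the short-lived Fulcio certificate is what binds the signature to this workflow's identity, and it is not written anywhere, so downstream users cannot run a straightforward offline `cosign verify-blob --cert ... --signature ...` against the release assets. Add `certificate: "${artifact}.pem"` next to `signature:` and append `"--output-certificate=${certificate}"` to `args` so the cert ships alongside each `.sig`. Keyless `sign-blob` also uploads to the public Rekor log, and newer cosign releases require explicit consent (`--yes` / `COSIGN_YES`) in non-interactive runs; because the installer above floats on `@main`, confirm the flag is present before the prompt starts failing the release. The SBOM is generated only for `binary` artifacts, so verify whether `artifacts: all` in `signs` actually covers the `.sbom` files or whether `sbom` must be listed explicitly, and document the expected signer identity (repository workflow) somewhere users can find it for verification.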