Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

workflows: actions/attest-build-provenance #3225

Merged
merged 6 commits into from
Dec 29, 2024
+20 −1
Merged

workflows: actions/attest-build-provenance #3225

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
67cf80d
workflows: actions/attest-build-provenance
lectrical Dec 27, 2024
c5b380e
request: clarifiy step name
lectrical Dec 28, 2024
82af8d2
fix: artifacts downloading and defaul permission
lectrical Dec 28, 2024
1279459
removed: only required in test fork,
lectrical Dec 28, 2024
9e00ee4
request: change step names
lectrical Dec 28, 2024
d2762b7
consistency: make check the same as the rest in the job.
lectrical Dec 28, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 20 additions & 1 deletion .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -294,6 +294,9 @@ jobs:
docker:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
attestations: write
packages: write
needs: linux
steps:
Expand Down Expand Up @@ -329,7 +332,8 @@ jobs:
id: metadata
with:
images: ghcr.io/${{ github.repository }}
tags: ${{ startsWith(github.ref, 'refs/tags/jq-')
tags: >
${{ startsWith(github.ref, 'refs/tags/jq-')
&& format('type=match,pattern=jq-(.*),group=1,value={0}', github.ref_name)
|| 'type=sha,format=long' }}
- name: Set up QEMU
Expand All @@ -344,18 +348,28 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and release Docker image
uses: docker/build-push-action@v6
id: build-push
with:
context: .
push: ${{ startsWith(github.ref, 'refs/tags/jq-') }}
provenance: false
platforms: linux/386,linux/amd64,linux/arm64,linux/mips64le,linux/ppc64le,linux/riscv64,linux/s390x
tags: ${{ steps.metadata.outputs.tags }}
labels: ${{ steps.metadata.outputs.labels }}
- name: Generate signed attestations
if: startsWith(github.ref, 'refs/tags/jq-')
uses: actions/attest-build-provenance@v2
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.build-push.outputs.digest }}
push-to-registry: true

release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
attestations: write
pull-requests: write
environment: release
needs: [linux, macos, windows, dist, docker]
Expand All @@ -366,6 +380,7 @@ jobs:
- name: Download artifacts
uses: actions/download-artifact@v4
with:
pattern: jq-*
merge-multiple: true
- name: Upload release
env:
Expand All @@ -378,6 +393,10 @@ jobs:
sha256sum jq-* > sha256sum.txt
gh release create "$TAG_NAME" --draft --title "jq ${TAG_NAME#jq-}" --generate-notes
gh release upload "$TAG_NAME" --clobber jq-* sha256sum.txt
- name: Generate signed attestations
uses: actions/attest-build-provenance@v2
with:
subject-path: jq-*
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
with:
Expand Down
Loading