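# .github/workflows/release.yml (grpc-gateway v2.19.1)
#
# Release pipeline: build and publish artifacts with goreleaser, then generate
# SLSA provenance over the goreleaser checksum file.
on:
  push:
    tags:
      - 'v2.[0-9]+.[0-9]+'
  # For testing the workflow before pushing a tag
  # This will run goreleaser with --snapshot and test the
  # SLSA generator.
  workflow_dispatch:
# Default token scope is read-only; each job below widens only what it needs.
permissions:
  contents: read
name: release
jobs:
  goreleaser:
    outputs:
      # Base64-encoded contents of the goreleaser checksum file; consumed by
      # the provenance job as the list of subjects to attest.
      hashes: ${{ steps.hash.outputs.hashes }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      # Third-party actions are pinned to full commit SHAs; the trailing
      # comment records the tag each SHA was taken from.
      # NOTE(review): persist-credentials is left at its default, so the
      # checkout token stays in the local git config for the rest of this
      # contents:write job; confirm whether any later step needs it.
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          # Full history and tags, presumably needed by goreleaser for the
          # version and changelog; confirm against the goreleaser config.
          fetch-depth: 0
      # NOTE(review): no go-version / go-version-file is set here, so the Go
      # toolchain used for release binaries is not pinned by this file.
      - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
        with:
          check-latest: true
      - name: Generate goreleaser args
        id: args
        run: |
          set -euo pipefail
          args='release --clean'
          # Anything other than a tag ref (e.g. workflow_dispatch on a branch)
          # is a dry run: build a snapshot instead of a real release.
          if [[ "$GITHUB_REF" != refs/tags/* ]]; then
            args+=' --snapshot'
          fi
          echo "args=$args" >> "$GITHUB_OUTPUT"
      - uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5
        id: run-goreleaser
        with:
          args: ${{ steps.args.outputs.args }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate subject
        id: hash
        env:
          # Passed through the environment rather than interpolated into the
          # script, so the artifact JSON is never parsed as shell.
          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
        run: |
          set -euo pipefail

          checksum_paths=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
          # Stop here instead of handing the provenance job an empty subject
          # list: a failure inside "$(...)" used as an echo argument would not
          # trip `set -e`, and the step would succeed with nothing to attest.
          if [[ -z "$checksum_paths" ]]; then
            echo "::error::no Checksum artifact found in goreleaser output" >&2
            exit 1
          fi
          mapfile -t checksum_files <<<"$checksum_paths"
          # Plain assignment so a cat/base64 failure aborts the step.
          hashes=$(cat -- "${checksum_files[@]}" | base64 -w0)
          echo "hashes=$hashes" >> "$GITHUB_OUTPUT"
  provenance:
    needs: [goreleaser]
    permissions:
      actions: read # To read the workflow path.
      id-token: write # To sign the provenance.
      contents: write # To add assets to a release.
    # Unlike the actions above, this reusable workflow is referenced by tag,
    # not by SHA: the slsa-github-generator docs require a full vX.Y.Z tag
    # for the trusted builder. Re-check that requirement when upgrading.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
    with:
      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: ${{ github.event_name == 'push' }} # upload to a new release when pushing via tag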