bekk · larsore · May 29, 2024 · May 29, 2024
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,210 +1,76 @@
-name: Release
+name: Build and Release
 
 on:
   push:
-    tags: [ 'v*' ]
-
-permissions:
-  contents: read
+    tags:
+      - 'v*'
 
 jobs:
-  release:
+  build:
     runs-on: ubuntu-latest
-
-    permissions:
-      contents: write # For creating the GitHub release.
-      id-token: write # For creating OIDC tokens for signing.
-      packages: write # For pushing and signing container images.
-
-    outputs:
-      version: "${{ steps.release-metadata.outputs.version }}"
-      artifact-subjects: "${{ steps.artifact-hashes.outputs.subjects }}"
-      package-subjects: "${{ steps.package-hashes.outputs.subjects }}"
-      sbom-subjects: "${{ steps.sbom-hashes.outputs.subjects }}"
-      container-subjects: "${{ steps.container-metadata.outputs.subjects }}"
-
+    strategy:
+      matrix:
+        os: [ linux, darwin ]
+        arch: [ amd64, arm64 ]
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-        with:
-          fetch-depth: 0
-
+      - name: Checkout code
+        uses: actions/checkout@v2
+
       - name: Setup Go
-        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v4.0.1
+        uses: actions/setup-go@v4
         with:
           go-version: 1.21.x
-          cache: false
-
-      - name: Setup Syft
-        uses: anchore/sbom-action/download-syft@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0.15.8
-
-      - name: Setup Cosign
-        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
-
-      - name: Setup QEMU
-        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
-
-      - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Login to Quay.io
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: quay.io
-          username: ${{ secrets.QUAY_BOT_USERNAME }}
-          password: ${{ secrets.QUAY_BOT_TOKEN }}
-
-      - name: Run GoReleaser
-        id: goreleaser
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
-        with:
-          version: 1.21.x
-          args: release --clean --timeout 1h
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Extract release metadata
-        id: release-metadata
-        env:
-          METADATA: "${{ steps.goreleaser.outputs.metadata }}"
-        run: |
-          set -euo pipefail
-          echo "version=$(echo -E $METADATA | jq -r '.version')" >> "$GITHUB_OUTPUT"
-
-      - name: Extract artifact subjects
-        id: artifact-hashes
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          sum_file=$(echo -E $ARTIFACTS | jq -r '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^(.*?):";"")')
-          echo "subjects=$(echo "$sum_file" | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: Extract package subjects
-        id: package-hashes
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-
-          sum_file="$(mktemp)"
-
-          mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="Linux Package") | .path')
-          for f in "${file_paths[@]}"; do
-            file_name=$(basename "$f")
-            file_sum=$(sha256sum "$f" | awk '{print $1}')
-            echo "$file_sum  $file_name" >> "$sum_file"
-          done
-
-          echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"
-
-      - name: Extract SBOM subjects
-        id: sbom-hashes
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
+
+      - name: Build for ${{ matrix.os }} ${{ matrix.arch }}
+        working-directory: cmd/sops
         run: |
-          set -euo pipefail
-
-          sum_file="$(mktemp)"
-
-          mapfile -t file_paths < <(echo -E "$ARTIFACTS" | jq -r '.[] | select(.type=="SBOM") | .path')
-          for f in "${file_paths[@]}"; do
-            file_name=$(basename "$f")
-            file_sum=$(sha256sum "$f" | awk '{print $1}')
-            echo "$file_sum  $file_name" >> "$sum_file"
-          done
-
-          echo "subjects=$(base64 -w0 < "$sum_file")" >> "$GITHUB_OUTPUT"
-
-      - name: Extract container image subjects
-        id: container-metadata
-        env:
-          ARTIFACTS: "${{ steps.goreleaser.outputs.artifacts }}"
-        run: |
-          image_list=$(echo -e "$ARTIFACTS" | jq -r '.[] | select(.type=="Docker Manifest") | {"image": (.name | sub("^.*?/"; "") | sub(":(.*)"; "")), "digest": .extra.Digest}')
-          echo "subjects=$(echo $image_list | jq -c -s 'unique_by(.digest) | {"include": .}')" >> "$GITHUB_OUTPUT"
-
-  combine-subjects:
+          env GOOS=${{ matrix.os }} GOARCH=${{ matrix.arch }} go build -v -o sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+
+      - name: Upload artifact ${{ matrix.os }}-${{ matrix.arch }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+          path: cmd/sops/sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+
+  prepare_release:
     runs-on: ubuntu-latest
-
-    needs: [ release ]
-
+    permissions: write-all
     outputs:
-      all-subjects: "${{ steps.combine-subjects.outputs.subjects }}"
-
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
     steps:
-      - name: Combine subjects
-        id: combine-subjects
+      - name: Create release
+        id: create_release
+        uses: actions/create-release@v1
         env:
-          ARTIFACT_SUBJECTS: "${{ needs.release.outputs.artifact-subjects }}"
-          PACKAGE_SUBJECTS: "${{ needs.release.outputs.package-subjects }}"
-          SBOM_SUBJECTS: "${{ needs.release.outputs.sbom-subjects }}"
-        run: |
-          set -euo pipefail
-
-          artifact_subjects=$(echo "$ARTIFACT_SUBJECTS" | base64 -d)
-          package_subjects=$(echo "$PACKAGE_SUBJECTS" | base64 -d)
-          sbom_subjects=$(echo "$SBOM_SUBJECTS" | base64 -d)
-
-          all_subjects=$(echo -e "${artifact_subjects}\n${package_subjects}\n${sbom_subjects}\n" | sed '/^$/d')
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: ${{ github.ref_name }}
+          release_name: Release ${{ github.ref_name }}
+          draft: false
+          prerelease: false
 
-          echo "subjects=$(echo "$all_subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-  assets-provenance:
-    needs: [ release, combine-subjects ]
-
-    permissions:
-      actions: read # For detecting the GitHub Actions environment.
-      id-token: write # For creating OIDC tokens for signing.
-      contents: write # For adding assets to a release.
-
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.combine-subjects.outputs.all-subjects }}"
-      upload-assets: true
-      provenance-name: "sops-v${{ needs.release.outputs.version }}.intoto.jsonl"
-
-  ghcr-container-provenance:
-    needs: [ release ]
-
-    permissions:
-      actions: read # For detecting the Github Actions environment.
-      id-token: write # For creating OIDC tokens for signing.
-      packages: write # For uploading attestations.
-
-    strategy:
-      matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}
-
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ghcr.io/${{ matrix.image }}
-      digest: ${{ matrix.digest }}
-      registry-username: ${{ github.actor }}
-    secrets:
-      registry-password: ${{ secrets.GITHUB_TOKEN }}
-
-  quay-container-provenance:
-    needs: [ release ]
-
-    permissions:
-      actions: read # For detecting the Github Actions environment.
-      id-token: write # For creating OIDC tokens for signing.
-      packages: write # For uploading attestations.
-
+  release:
+    needs: [ build, prepare_release ]
+    runs-on: ubuntu-latest
+    permissions: write-all
     strategy:
-      matrix: ${{ fromJSON(needs.release.outputs.container-subjects) }}
-
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: quay.io/${{ matrix.image }}
-      digest: ${{ matrix.digest }}
-    secrets:
-      registry-username: ${{ secrets.QUAY_BOT_USERNAME }}
-      registry-password: ${{ secrets.QUAY_BOT_TOKEN }}
+      matrix:
+        os: [ linux, darwin ]
+        arch: [ amd64, arm64 ]
+
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v2
+        with:
+          name: sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+
+      - name: Upload assets
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.prepare_release.outputs.upload_url }}
+          asset_path: ./sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+          asset_name: sops-${{ github.ref_name }}.${{ matrix.os }}.${{ matrix.arch }}
+          asset_content_type: application/octet-stream