diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4adf561..5057c9e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -8,12 +8,13 @@ name: release on: push: tags: - - 'v*' + - "v*" permissions: contents: write # needed to write releases id-token: write # needed for keyless signing packages: write # needed for ghcr access + attestations: write # needed for attestations jobs: release: @@ -26,18 +27,26 @@ jobs: with: go-version: 1.25 cache: true - - uses: sigstore/cosign-installer@v3.9.2 # installs cosign + - uses: sigstore/cosign-installer@v3.9.2 # installs cosign - uses: anchore/sbom-action/download-syft@v0.20.5 # installs syft - name: Set up QEMU uses: docker/setup-qemu-action@v3 - - uses: docker/login-action@v3 # login to ghcr + - uses: docker/login-action@v3 # login to ghcr with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - uses: goreleaser/goreleaser-action@v6 # run goreleaser + - uses: goreleaser/goreleaser-action@v6 # run goreleaser with: - version: latest + version: v2.12.0-nightly args: release --clean env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # After GoReleaser runs, attest all the files in ./dist/checksums.txt: + - uses: actions/attest-build-provenance@v2 + with: + subject-checksums: ./dist/checksums.txt + # After GoReleaser runs, attest all the images in ./dist/digests.txt: + - uses: actions/attest-build-provenance@v2 + with: + subject-checksums: ./dist/digests.txt diff --git a/.goreleaser.yml b/.goreleaser.yml index 50c9cba..ddd4d9d 100644 --- a/.goreleaser.yml +++ b/.goreleaser.yml @@ -48,6 +48,9 @@ builds: # https://goreleaser.com/customization/checksum checksum: name_template: "checksums.txt" +# Change the digests filename: +docker_digests: + name_template: "digests.txt" # create a source tarball # https://goreleaser.com/customization/source/ source: