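# Release pipeline: on a version tag, run tests and lint, build/sign/publish
# with GoReleaser, then attest the published archives with SLSA L3 provenance.
#
# Third-party actions are referenced by floating major tags (v6, v7, v3). For a
# release pipeline, pinning each to a full commit SHA (with the tag noted in a
# comment) limits the trusted code to one reviewed revision. The SLSA generator
# reference is usually kept as a version tag, since its verifier checks the
# builder ref — confirm against the generator's documentation before changing it.
name: Release

on:
  push:
    tags:
      - "v*"

# Default to read-only; each job widens only what it actually needs.
permissions:
  contents: read

jobs:
  test:
    name: Test & Coverage
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@v6
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.24"
          cache: true
      - name: Install gotestsum
        run: go install gotest.tools/gotestsum@v1.13.0
      - name: Run tests with coverage
        shell: bash
        run: |
          # Packages ending in /testutil or /test are helpers, excluded from coverage.
          gotestsum --format testdox -- $(go list ./... | grep -v -e '/testutil$' -e '/test$') -race -coverprofile=coverage.out -covermode=atomic
      - name: Coverage summary
        shell: bash
        run: |
          go tool cover -func=coverage.out | tee coverage.txt
          total=$(go tool cover -func=coverage.out | awk '/total:/ {print $3}')
          echo "Total coverage: ${total}"

  lint:
    uses: ./.github/workflows/reusable-lint.yml

  goreleaser:
    needs: [test, lint]
    runs-on: ubuntu-latest
    permissions:
      contents: write   # create the GitHub release and upload its assets
      packages: write   # only needed if the GoReleaser config publishes packages/images
      id-token: write   # OIDC token for keyless cosign signing
    outputs:
      # Base64-encoded `sha256sum` output for the release archives; consumed by
      # the provenance job as the SLSA subjects, so it must contain hash lines only.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0   # full history so GoReleaser can build the changelog
      - name: Fetch all tags
        run: git fetch --force --tags
      - name: Set up Go
        uses: actions/setup-go@v6
        with:
          go-version: "1.24"
          cache: true
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@v0.24.0
      - name: Install cosign
        uses: sigstore/cosign-installer@v3
        with:
          cosign-release: "v2.6.3"
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v7
        with:
          distribution: goreleaser
          version: "~> v2.15"
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          COSIGN_YES: "true"         # non-interactive: accept the Sigstore prompts
          COSIGN_EXPERIMENTAL: "1"   # legacy toggle; keyless is the default in cosign v2 — kept for compatibility
      - name: Generate artifact hashes for SLSA
        id: hash
        shell: bash
        run: |
          cd dist
          echo "Files in dist:"
          ls -la
          # Only the binary archives are provenance subjects (not checksums or SBOMs).
          # nullglob makes an unmatched pattern expand to nothing instead of being
          # passed literally to sha256sum; that, plus not redirecting stderr into the
          # file, guarantees the subject list holds nothing but real hash lines.
          shopt -s nullglob
          archives=(armis-cli-*.tar.gz armis-cli-*.zip)
          if [ "${#archives[@]}" -eq 0 ]; then
            echo "ERROR: no release archives found in dist/" >&2
            exit 1
          fi
          sha256sum "${archives[@]}" > hashes-raw.txt
          cat hashes-raw.txt
          # The SLSA generator expects the raw sha256sum output, base64 on one line.
          base64 -w0 < hashes-raw.txt > hashes.txt
          echo "Base64 encoded hashes:"
          cat hashes.txt
          echo "hashes=$(cat hashes.txt)" >> "$GITHUB_OUTPUT"
      - name: Upload artifacts
        uses: actions/upload-artifact@v7
        if: always()   # keep build output for debugging even when a later step fails
        with:
          name: release-artifacts
          path: |
            dist/*.tar.gz
            dist/*.zip
            dist/*checksums.txt
            dist/*.sbom.cdx.json
          retention-days: 7

  provenance:
    needs: [test, lint, goreleaser]
    permissions:
      actions: read     # let the generator read this workflow run
      id-token: write   # OIDC token for signing the provenance
      contents: write   # upload-assets attaches the provenance to the release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
    with:
      base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
      upload-assets: true
      # Opts in to publishing to the public Rekor transparency log even for a
      # private repository; the generator refuses to run otherwise — confirm.
      private-repository: true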