diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 64347ea..9ca1cfa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,7 +13,6 @@ jobs: runs-on: ubuntu-latest permissions: contents: write - id-token: write outputs: asset_version: ${{ steps.version.outputs.asset_version }} steps: @@ -35,29 +34,15 @@ jobs: - run: go test ./... - run: go build ./... - run: mkdir -p dist - - name: Generate SBOM - uses: anchore/sbom-action@v0 - with: - path: . - format: spdx-json - output-file: dist/dbxcli_${{ steps.version.outputs.asset_version }}_sbom.spdx.json - upload-artifact: false - upload-release-assets: false - run: ./build.sh env: VERSION: ${{ github.ref_name }} - run: ./packaging/package-release.sh env: VERSION: ${{ github.ref_name }} - - name: Install Cosign - uses: sigstore/cosign-installer@v4.1.0 - - name: Sign checksums - run: cosign sign-blob --yes --bundle dist/SHA256SUMS.sigstore.json dist/SHA256SUMS - uses: softprops/action-gh-release@v3 with: files: | dist/*.tar.gz dist/*.zip dist/SHA256SUMS - dist/SHA256SUMS.sigstore.json - dist/*_sbom.spdx.json diff --git a/CHANGELOG.md b/CHANGELOG.md index c0f1739..903a7e7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,6 @@ - Added scheduled/manual OSSF Scorecard scanning without public Scorecard API publishing. - Replaced standalone Staticcheck workflow steps with a narrow `golangci-lint` configuration. - Added explicit `go.sum` cache dependency paths for `actions/setup-go`. -- Added SBOM generation and Cosign signatures to release artifacts. - Added race detector, workflow linting, and CodeQL security scanning to CI. - Hardened CI workflows with explicit read-only permissions. - Generate a non-constant OAuth2 `state` value to resolve the CodeQL `go/constant-oauth2-state` alert.