Update codeql and releases.yml
CodeQL is updated to include go 1.21.X so it works right. This is
due to changes in the go.mod parsing in go > 1.21. By default
CodeQL has Go 1.20 but I was informed that is just by coincidence
and the version of Go included should not be relied on.

Releases is updated with correct token permissions where needed.
Releases still doesn't work 100% yet and is being worked on.
mlieberman85 committed Mar 2, 2024
1 parent a6c53a7 commit ffb13ae
Showing 3 changed files with 17 additions and 0 deletions.
2 changes: 2 additions & 0 deletions shell.nix
Expand Up @@ -5,6 +5,8 @@
# Replace llvmPackages with llvmPackages_X, where X is the latest LLVM version (at the time of writing, 16)
llvmPackages.bintools
rustup
bunyan-rs
go
];
RUSTC_VERSION = pkgs.lib.readFile ./rust-toolchain;
# https://github.com/rust-lang/rust-bindgen#environment-variables
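Review bot: the added `go` entry takes whatever Go version the pinned nixpkgs happens to ship, while the CodeQL template in this same commit pins Go 1.21; since the commit message gives the go.mod parsing change in Go > 1.21 as the motivation, the dev shell should track the same major.minor (nixpkgs exposes versioned attributes such as `go_1_21`) so that local builds and CI do not disagree on how the module file is read.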
4 changes: 4 additions & 0 deletions skootrs-lib/templates/codeql.yml
Expand Up @@ -65,6 +65,10 @@ jobs:
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
# queries: security-extended,security-and-quality

- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version: "1.21"

# Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift).
# If this step fails, then you should remove it and run the build manually (see below)
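Review bot: `go-version: "1.21"` hard-codes the toolchain a second time (the commit also adds `go` to shell.nix); `actions/setup-go` v5 also accepts `go-version-file: go.mod`, which would make CodeQL analyse with the version the module itself declares and avoid drift when the project later bumps its `go` directive. Quoting the version is correct (an unquoted `1.20` would be parsed as the float `1.2`), and pinning the action by commit SHA with the `# v5.0.0` comment is the right way to reference it. The step is placed before the Autobuild comment, so the CodeQL Go extractor will see the 1.21 toolchain when it builds.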
11 changes: 11 additions & 0 deletions skootrs-lib/templates/go.releases.yml
Expand Up @@ -27,6 +27,7 @@ on:

permissions:
actions: read # for detecting the Github Actions environment.
contents: read

jobs:
goreleaser:
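Review bot: reducing the workflow-level `GITHUB_TOKEN` to `actions: read` and `contents: read` is the right default, but it means every job that publishes must now declare its own write scopes; the two provenance jobs in the later hunks do, while the `goreleaser` job's permissions block sits outside the visible lines and should be checked for `contents: write` (uploading release assets) and, if that job pushes the image, `packages: write`, otherwise the "still doesn't work 100%" in the commit message may be exactly this.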
@@ -138,6 +139,11 @@ jobs:
IMAGE_URI_DIGEST: ${{ needs.goreleaser.outputs.image }}@${{ needs.goreleaser.outputs.digest }}

provenance-bins:
permissions:
id-token: write
actions: read
contents: write
packages: write
name: generate provenance for binaries
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
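Review bot: `packages: write` on `provenance-bins` is broader than a binaries provenance job needs; if this job calls the slsa-github-generator generic workflow (the `uses:` line is outside the visible range) the documented scopes are `id-token: write` for OIDC signing, `actions: read`, and `contents: write` for attaching the attestation to the release, so `packages: write` can be dropped unless this job also pushes to a registry. Declaring the block per job rather than restoring write scopes at workflow level is the right shape, since a reusable workflow can only use scopes its caller grants.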
@@ -148,6 +154,11 @@ jobs:

provenance-container:
name: generate provenance for container
permissions:
id-token: write
actions: read
contents: write
packages: write
needs: [goreleaser]
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # must use semver here
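Review bot: `contents: write` on `provenance-container` looks copied from the binaries job; the `generator_container_slsa3.yml` workflow on the `uses:` line needs `id-token: write`, `actions: read` and `packages: write` (it pushes the attestation to the registry next to the image), not write access to the repository contents, so that line can go. The `@v1.9.0` tag matches the `# must use semver here` comment: the SLSA generator requires being referenced by a release tag rather than a commit SHA, which is why this line is intentionally pinned differently from the setup-go step in codeql.yml.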
