From 35ab2264abc37a564d1f06ffeabf379b6667325e Mon Sep 17 00:00:00 2001
From: Julian Einhaus
Date: Tue, 2 Apr 2024 10:43:51 +0200
Subject: [PATCH] ci: use latest cosign and release steps
---
 .github/workflows/docker-publish.yml | 12 ++++++++----
 .github/workflows/release.yml | 11 ++++++++---
 .releaserc.json | 17 +++++------------
 3 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 534d5da..6254c34 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -34,8 +34,6 @@ jobs:
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
-        with:
-          cosign-release: 'v1.13.1'
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
@@ -75,7 +73,13 @@ jobs:
       - name: Sign the published Docker image
         if: ${{ github.event_name != 'pull_request' }}
         env:
-          COSIGN_EXPERIMENTAL: "true"
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+          TAGS: ${{ steps.meta.outputs.tags }}
         # This step uses the identity token to provision an ephemeral certificate
         # against the sigstore community Fulcio instance.
-        run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign {}@${{ steps.build-and-push.outputs.digest }}
+        run: |
+          images=""
+          for tag in ${TAGS}; do
+            images+="${tag}@${DIGEST} "
+          done
+          cosign sign --yes ${images}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0be810a..02cc0f3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
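Review bot: `cosign sign --yes ${images}` in the new `run:` block gets an empty argument list when TAGS expands to nothing, and a bare `tag@` reference when DIGEST is empty, so the step presumably fails with a cosign usage or reference-parse error instead of a clear message; a guard before the loop such as `[ -n "${DIGEST}" ] && [ -n "${TAGS}" ] || { echo "missing image digest or tags" >&2; exit 1; }` makes the precondition explicit. Passing the step outputs through `env:` instead of expanding `${{ }}` inside the script is the right call; the loop then depends on unquoted `${TAGS}` and `${images}` being word-split, which is intentional here and deserves a comment like `# TAGS is newline-separated; rely on word splitting`. The `--yes` flag also accepts that the ephemeral certificate and the workflow's identity are recorded in the public Rekor transparency log, which the existing two-line comment could state. With the pinned `cosign-release` removed in the previous hunk, the cosign version is now whatever the SHA-pinned installer v3.4.0 defaults to, presumably a v2 release that this keyless `--yes` invocation assumes; worth confirming and noting next to the installer step.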
@@ -18,19 +18,24 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - name: Generate a token
+      - name: "🪙 Generate a token"
         id: generate-token
         uses: tibdex/github-app-token@v2
         with:
           app_id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
           private_key: ${{ secrets.SEMANTIC_RELEASE_KEY_PEM }}
+      - name: "☁️ Checkout repository"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+          fetch-depth: 0
       - name: "🚀 Release 🎉"
         uses: cycjimmy/semantic-release-action@v4
         with:
           semantic_version: 22.0.5
+          branches: |
+            ["main"]
           extra_plugins: |
             @semantic-release/changelog@6.0.3
-            @semantic-release/git@10.0.1
-            conventional-changelog-conventionalcommits@7.0.2
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
diff --git a/.releaserc.json b/.releaserc.json
index f15ecf5..7bf05ec 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -1,15 +1,8 @@
 {
   "branches": ["main"],
-  "plugins":
-  [
-    [
-      "@semantic-release/commit-analyzer",
-      { "preset": "conventionalcommits" }
-    ],
-    [
-      "@semantic-release/release-notes-generator",
-      { "preset": "conventionalcommits" }
-    ],
-    "@semantic-release/github"
-  ]
+  "plugins": [
+    "@semantic-release/commit-analyzer",
+    "@semantic-release/release-notes-generator",
+    "@semantic-release/github"
+  ]
 }
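Review bot: `@semantic-release/changelog@6.0.3` stays in `extra_plugins` but is not listed in the `plugins` array of `.releaserc.json` (see the last hunk), and with `@semantic-release/git@10.0.1` removed there is no step left that would commit a CHANGELOG, so that entry is installed and never used; drop it alongside the other two. The new `branches: |` input duplicates `"branches": ["main"]` in `.releaserc.json`; one source of truth is enough, and if both are kept a comment such as `# keep in sync with branches in .releaserc.json` guards against drift. The added checkout with `persist-credentials: false` is the right default for a job that pushes nothing with the default token, but the earlier checkout whose `uses:`/`with:` lines open this hunk (its step header is before the hunk) still runs with credentials persisted and looks redundant now; removing it avoids checking the repository out twice.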
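Review bot: Removing `{ "preset": "conventionalcommits" }` from both `@semantic-release/commit-analyzer` and `@semantic-release/release-notes-generator` switches them to semantic-release's built-in default preset, which interprets commit types and breaking-change markers differently from the conventionalcommits preset, so the next release may be versioned or described differently from earlier ones. If the goal is only to stop installing `conventional-changelog-conventionalcommits` (dropped from `extra_plugins` in the release.yml hunk), that behaviour change deserves a sentence in the commit message; otherwise keep the preset options and the package. The flattened array layout itself is fine.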