provide signed checksums

This commit is contained in:
Alex Goodman 2020-07-25 07:47:14 -04:00
parent c814379c80
commit 1ba0678cf6
No known key found for this signature in database
GPG Key ID: 86E2870463D5E890
4 changed files with 43 additions and 0 deletions


@ -42,8 +42,25 @@ jobs:
if: steps.cache.outputs.cache-hit != 'true' if: steps.cache.outputs.cache-hit != 'true'
run: make ci-bootstrap run: make ci-bootstrap
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v2
env:
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
- name: GPG signing info
run: |
echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"
- name: Build snapshot artifacts - name: Build snapshot artifacts
run: make snapshot run: make snapshot
env:
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
- uses: actions/upload-artifact@v2 - uses: actions/upload-artifact@v2
with: with:
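Review bot: The `Build snapshot artifacts` step is handed `GPG_PRIVATE_KEY` and `PASSPHRASE` in its env even though the key was already imported by the `import_gpg` step above; if that action presets the passphrase in gpg-agent (as its inputs suggest), goreleaser's `gpg` invocations need neither variable, and the private key material is otherwise visible to every process `make snapshot` spawns. Unless `make snapshot` itself reads these two variables, drop the `env:` block from this step; the same applies to the `Build & publish release artifacts` step in the second workflow section. Note also that `secrets.*` are empty on pull requests from forks, so the import step will fail there unless this job is limited to trusted refs.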


@ -91,10 +91,26 @@ jobs:
if: steps.cache.outputs.cache-hit != 'true' if: steps.cache.outputs.cache-hit != 'true'
run: make ci-bootstrap run: make ci-bootstrap
- name: Import GPG key
id: import_gpg
uses: crazy-max/ghaction-import-gpg@v2
env:
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
- name: GPG signing info
run: |
echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
echo "name: ${{ steps.import_gpg.outputs.name }}"
echo "email: ${{ steps.import_gpg.outputs.email }}"
- name: Build & publish release artifacts - name: Build & publish release artifacts
run: make release run: make release
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
- uses: actions/upload-artifact@v2 - uses: actions/upload-artifact@v2
with: with:
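Review bot: The only record of which key signed the release is the `GPG signing info` echo in the job log, which consumers of `checksums.txt.sig` cannot use to verify the download, and the commit does not say where the public key is published. Document the release key's fingerprint and where to fetch it (README or release notes), and mark the intent on the step, e.g. `# Log the signing identity; the public key for this fingerprint must be published so users can verify *checksums.txt.sig`. The enclosing job definition continues outside this hunk.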


@ -4,6 +4,10 @@ release:
# If set to true, will mark the release as not ready for production. # If set to true, will mark the release as not ready for production.
prerelease: auto prerelease: auto
signs:
- artifacts: checksum
args: ["--output", "${signature}", "--detach-sign", "${artifact}"]
builds: builds:
- binary: syft - binary: syft
env: env:
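Review bot: The `args` on the new `signs` entry do not select a signing key, so `gpg` signs with the default secret key of whatever keyring it runs in; on a clean CI runner that is the key imported just before, but anyone running `make release` locally would silently sign with their own key. Pin the key and make the call non-interactive, e.g. `args: ["--batch", "--local-user", "<release-key-fingerprint>", "--output", "${signature}", "--detach-sign", "${artifact}"]` (the fingerprint is a placeholder), so a missing key or passphrase fails instead of producing a signature from the wrong key or waiting on pinentry.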


@ -159,6 +159,9 @@ $(SNAPSHOTDIR): ## Build snapshot release binaries and packages
BUILD_GIT_TREE_STATE=$(GITTREESTATE) \ BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
$(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml $(TEMPDIR)/goreleaser release --skip-publish --rm-dist --snapshot --config $(TEMPDIR)/goreleaser.yaml
# verify checksum signatures
gpg --verify $(SNAPSHOTDIR)/*checksums.txt.sig $(SNAPSHOTDIR)/*checksums.txt
.PHONY: acceptance-mac .PHONY: acceptance-mac
acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac) acceptance-mac: $(SNAPSHOTDIR) ## Run acceptance tests on build snapshot binaries and packages (Mac)
$(call title,Running acceptance test: Run on Mac) $(call title,Running acceptance test: Run on Mac)
@ -201,6 +204,9 @@ release: clean-dist ## Build and publish final binaries and packages
BUILD_GIT_TREE_STATE=$(GITTREESTATE) \ BUILD_GIT_TREE_STATE=$(GITTREESTATE) \
$(TEMPDIR)/goreleaser --rm-dist --config $(TEMPDIR)/goreleaser.yaml $(TEMPDIR)/goreleaser --rm-dist --config $(TEMPDIR)/goreleaser.yaml
# verify checksum signatures
gpg --verify $(DISTDIR)/*checksums.txt.sig $(DISTDIR)/*checksums.txt
# create a version file for version-update checks # create a version file for version-update checks
echo "$(VERSION)" > $(DISTDIR)/VERSION echo "$(VERSION)" > $(DISTDIR)/VERSION
# TODO: add upload to bucket # TODO: add upload to bucket
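Review bot: `gpg --verify` on `$(DISTDIR)/*checksums.txt.sig` (and the identical line in the `$(SNAPSHOTDIR)` hunk) accepts a signature from any key in the local keyring, so it confirms that signing ran rather than that the release key was used; outside CI it passes for whatever key goreleaser happened to sign with. Checking the signer fingerprint from gpg's machine-readable status is stricter, e.g. `gpg --status-fd 1 --verify $(DISTDIR)/*checksums.txt.sig $(DISTDIR)/*checksums.txt | grep -q 'VALIDSIG <release-key-fingerprint>'` (fingerprint is a placeholder), which fails both when gpg errors and when a different key signed. The `# verify checksum signatures` lines are recipe lines passed to the shell, consistent with the file's existing style. Both the `$(SNAPSHOTDIR)` and `release` recipes start before their hunks.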