Release #1
| name: Release | |
| on: | |
| workflow_dispatch: | |
| permissions: {} | |
| jobs: | |
| release: | |
| name: Build, Sign & Release | |
| runs-on: ubuntu-latest | |
| environment: release | |
| permissions: | |
| contents: write # create tag, release, and upload assets | |
| id-token: write # Sigstore OIDC keyless signing | |
| attestations: write # SLSA build provenance | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Extract version from script | |
| id: version | |
| run: | | |
| version=$(grep -m1 '^AGENT_VERSION=' stepsecurity-dev-machine-guard.sh | sed 's/AGENT_VERSION="//;s/"//') | |
| if [ -z "$version" ]; then | |
| echo "::error::Could not extract AGENT_VERSION from script" | |
| exit 1 | |
| fi | |
| tag="v${version}" | |
| echo "version=${version}" >> "$GITHUB_OUTPUT" | |
| echo "tag=${tag}" >> "$GITHUB_OUTPUT" | |
| echo "Detected version: ${version} (tag: ${tag})" | |
| - name: Check tag does not already exist | |
| run: | | |
| if git rev-parse "refs/tags/${{ steps.version.outputs.tag }}" >/dev/null 2>&1; then | |
| echo "::error::Tag ${{ steps.version.outputs.tag }} already exists. Bump AGENT_VERSION in the script before releasing." | |
| exit 1 | |
| fi | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Sign script with Sigstore (keyless) | |
| run: | | |
| cosign sign-blob stepsecurity-dev-machine-guard.sh \ | |
| --bundle stepsecurity-dev-machine-guard.sh.bundle \ | |
| --yes | |
| - name: Verify signature | |
| run: | | |
| cosign verify-blob stepsecurity-dev-machine-guard.sh \ | |
| --bundle stepsecurity-dev-machine-guard.sh.bundle \ | |
| --certificate-identity-regexp "github.com/step-security/dev-machine-guard" \ | |
| --certificate-oidc-issuer "https://token.actions.githubusercontent.com" | |
| - name: Generate checksums | |
| run: | | |
| sha256sum stepsecurity-dev-machine-guard.sh > checksums.txt | |
| sha256sum stepsecurity-dev-machine-guard.sh.bundle >> checksums.txt | |
| echo "Checksums:" | |
| cat checksums.txt | |
| - name: Create tag | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| git tag -a "${{ steps.version.outputs.tag }}" -m "Release ${{ steps.version.outputs.tag }}" | |
| git push origin "${{ steps.version.outputs.tag }}" | |
| - name: Create GitHub Release | |
| uses: step-security/action-gh-release@d45511d7589f080cf54961ff056b9705a74fd160 # v2.5.0 | |
| with: | |
| tag_name: ${{ steps.version.outputs.tag }} | |
| name: ${{ steps.version.outputs.tag }} | |
| generate_release_notes: true | |
| files: | | |
| stepsecurity-dev-machine-guard.sh | |
| stepsecurity-dev-machine-guard.sh.bundle | |
| checksums.txt | |
| - name: Attest build provenance | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-path: stepsecurity-dev-machine-guard.sh |
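Review bot: The "Check tag does not already exist" step only consults local refs via `git rev-parse "refs/tags/..."`, but the preceding `actions/checkout` step sets neither `fetch-depth: 0` nor `fetch-tags: true`, so a tag that already exists on the remote is not present locally and the check passes; the collision then surfaces only as a failed `git push` after the script has already been signed. Query the remote instead: `if git ls-remote --exit-code --tags origin "refs/tags/${{ steps.version.outputs.tag }}" >/dev/null; then`. Separately, the value extracted in the "Extract version from script" step is never validated before it is interpolated via `${{ steps.version.outputs.tag }}` into several `run:` scripts and the tag name; adding `if ! [[ "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::error::Unexpected AGENT_VERSION format: $version"; exit 1; fi` after the empty check rejects malformed values, and passing the tag to later steps through `env:` rather than inline `${{ }}` keeps expansion out of the shell text. In the "Verify signature" step, `--certificate-identity-regexp "github.com/step-security/dev-machine-guard"` is unanchored with unescaped dots, so it matches any identity containing that substring (for example a similarly named fork); anchor it, e.g. `--certificate-identity-regexp "^https://github\.com/step-security/dev-machine-guard/"`, or use `--certificate-identity` with the exact workflow ref, since consumers are likely to copy this command as the reference verification.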