Generate SLSA signatures for Released zip files (#7450)

* update

* update

* update

* update

* update

* update

* update
laurentsimon
2022-08-16 16:30:37 -07:00
committed by GitHub
parent 1e0f75a647
commit 9610a666b1
2 changed files with 126 additions and 0 deletions


@@ -2,7 +2,11 @@ name: CI
permissions: read-all
on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # new tag version, like `0.8.4` or else
branches:
- master
pull_request:
@@ -11,6 +15,11 @@ on:
jobs:
build-linux:
permissions:
contents: write
outputs:
digests-gcc: ${{ steps.hash-gcc.outputs.hashes }}
digests-clang: ${{ steps.hash-clang.outputs.hashes }}
name: Build Linux
runs-on: ubuntu-latest
strategy:
@@ -36,8 +45,29 @@ jobs:
with:
name: Linux flatc binary ${{ matrix.cxx }}
path: flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: zip Linux.flatc.binary.${{ matrix.cxx }}.zip flatc
- name: Release zip file
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Linux.flatc.binary.${{ matrix.cxx }}.zip
- name: Generate SLSA subjects - clang
if: matrix.cxx == 'clang++-12' && startsWith(github.ref, 'refs/tags/')
id: hash-clang
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
- name: Generate SLSA subjects - gcc
if: matrix.cxx == 'g++-10' && startsWith(github.ref, 'refs/tags/')
id: hash-gcc
run: echo "::set-output name=hashes::$(sha256sum Linux.flatc.binary.${{ matrix.cxx }}.zip | base64 -w0)"
build-windows:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Windows 2019
runs-on: windows-2019
steps:
@@ -55,6 +85,20 @@ jobs:
with:
name: Windows flatc binary
path: Release\flatc.exe
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: move Release/flatc.exe . && Compress-Archive flatc.exe Windows.flatc.binary.zip
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Windows.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
shell: bash
run: echo "::set-output name=hashes::$(sha256sum Windows.flatc.binary.zip | base64 -w0)"
build-windows-2017:
name: Build Windows 2017
@@ -113,6 +157,10 @@ jobs:
out\FlatBuffers.Core.Test.exe
build-mac-intel:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Mac (for Intel)
runs-on: macos-latest
steps:
@@ -138,8 +186,25 @@ jobs:
with:
name: Mac flatc binary
path: _build/Release/flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: mv _build/Release/flatc . && zip MacIntel.flatc.binary.zip flatc
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: MacIntel.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
run: echo "::set-output name=hashes::$(shasum -a 256 MacIntel.flatc.binary.zip | base64)"
build-mac-universal:
permissions:
contents: write
outputs:
digests: ${{ steps.hash.outputs.hashes }}
name: Build Mac (universal build)
runs-on: macos-latest
steps:
@@ -165,6 +230,19 @@ jobs:
with:
name: Mac flatc binary
path: _build/Release/flatc
# Below if only for release.
- name: Zip file
if: startsWith(github.ref, 'refs/tags/')
run: mv _build/Release/flatc . && zip Mac.flatc.binary.zip flatc
- name: Release binary
uses: softprops/action-gh-release@v1
if: startsWith(github.ref, 'refs/tags/')
with:
files: Mac.flatc.binary.zip
- name: Generate SLSA subjects
if: startsWith(github.ref, 'refs/tags/')
id: hash
run: echo "::set-output name=hashes::$(shasum -a 256 Mac.flatc.binary.zip | base64)"
build-android:
name: Build Android (on Linux)
@@ -339,3 +417,39 @@ jobs:
- name: test
working-directory: tests
run: bash DartTest.sh
release-digests:
if: startsWith(github.ref, 'refs/tags/')
needs: [build-linux, build-windows, build-mac-intel, build-mac-universal]
outputs:
digests: ${{ steps.hash.outputs.digests }}
runs-on: ubuntu-latest
steps:
- name: Merge results
id: hash
env:
LINUXGCC_DIGESTS: "${{ needs.build-linux.outputs.digests-gcc }}"
LINUXCLANG_DIGESTS: "${{ needs.build-linux.outputs.digests-clang }}"
MAC_DIGESTS: "${{ needs.build-mac-universal.outputs.digests }}"
MACINTEL_DIGESTS: "${{ needs.build-mac-intel.outputs.digests }}"
WINDOWS_DIGESTS: "${{ needs.build-windows.outputs.digests }}"
run: |
set -euo pipefail
echo "$LINUXGCC_DIGESTS" | base64 -d > checksums.txt
echo "$LINUXCLANG_DIGESTS" | base64 -d >> checksums.txt
echo "$MAC_DIGESTS" | base64 -d >> checksums.txt
echo "$MACINTEL_DIGESTS" | base64 -d >> checksums.txt
echo "$WINDOWS_DIGESTS" | base64 -d >> checksums.txt
echo "::set-output name=digests::$(cat checksums.txt | base64 -w0)"
provenance:
if: startsWith(github.ref, 'refs/tags/')
needs: [release-digests]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
with:
base64-subjects: "${{ needs.release-digests.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
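Review bot: The four new release-upload steps (`uses: softprops/action-gh-release@v1` in build-linux, build-windows, build-mac-intel and build-mac-universal) reference a third-party action by a mutable tag while those jobs now carry `contents: write`, so a moved tag would run foreign code with release-write rights on every tagged build; pin each to a full commit SHA, e.g. `uses: softprops/action-gh-release@<full-commit-sha>  # v1`, and keep only the slsa-framework reusable workflow on its version tag, which its verification flow appears to rely on. The `echo "::set-output name=..."` lines in the hash steps and in release-digests use the workflow-command form that GitHub has since deprecated in favour of appending `name=value` to `$GITHUB_OUTPUT`, which is worth adopting while these steps are new. The job-level `contents: write` also covers the build and test steps on `pull_request` runs, not only the `if: startsWith(github.ref, 'refs/tags/')` release steps, which is broader than the release needs; a comment such as `# contents: write is needed by the tag-only release steps below` would at least record why the grant exists.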