mudhorn/oh-my-posh
1
0
Fork 0
mirror of https://github.com/JanDeDobbeleer/oh-my-posh.git synced 2025-01-12 11:47:25 -08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

feat: sign releases with cosign

Browse source
This commit is contained in:
Jan De Dobbeleer 2021-12-02 22:42:38 +01:00 committed by Jan De Dobbeleer
parent 8f412dba7e
commit 6b02ae47f7
5 changed files with 27 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/workflows/build_code.yml vendored
View file

@ -24,5 +24,5 @@ jobs:
with: with:
distribution: goreleaser distribution: goreleaser
version: latest version: latest
args: build --rm-dist --snapshot args: build --rm-dist --snapshot --skip-post-hooks
workdir: src workdir: src

16
.github/workflows/release.yml vendored
View file

@ -33,8 +33,11 @@ jobs:
needs: changelog needs: changelog
if: ${{ needs.changelog.outputs.skipped == 'false' }} if: ${{ needs.changelog.outputs.skipped == 'false' }}
runs-on: ubuntu-latest runs-on: ubuntu-latest
env:
COSIGN_KEY_LOCATION: "/tmp/cosign.key"
defaults: defaults:
run: run:
shell: pwsh
working-directory: ${{ github.workspace }}/src working-directory: ${{ github.workspace }}/src
steps: steps:
- name: Install Go 🗳 - name: Install Go 🗳
@ -45,6 +48,16 @@ jobs:
uses: actions/checkout@v2 uses: actions/checkout@v2
- name: Tag HEAD 😸 - name: Tag HEAD 😸
run: git tag ${{ needs.changelog.outputs.tag }} run: git tag ${{ needs.changelog.outputs.tag }}
- name: Install cosign 🔑
uses: sigstore/cosign-installer@main
with:
cosign-release: 'v1.3.1'
- name: Private Key 🔐
run: |
$PSDefaultParameterValues['Out-File:Encoding']='UTF8'
$env:COSIGN_KEY > $env:COSIGN_KEY_LOCATION
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Run GoReleaser 🚀 - name: Run GoReleaser 🚀
uses: goreleaser/goreleaser-action@v2 uses: goreleaser/goreleaser-action@v2
with: with:
@ -52,6 +65,8 @@ jobs:
version: latest version: latest
args: build --rm-dist args: build --rm-dist
workdir: src workdir: src
env:
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Zip theme files 🤐 - name: Zip theme files 🤐
run: | run: |
$compress = @{ $compress = @{
@ -60,7 +75,6 @@ jobs:
DestinationPath = "./dist/themes.zip" DestinationPath = "./dist/themes.zip"
} }
Compress-Archive @compress Compress-Archive @compress
shell: pwsh
- name: Add hashes 🤫 - name: Add hashes 🤫
run: | run: |
Get-ChildItem ./dist -Exclude *.yaml | Get-Unique | Get-ChildItem ./dist -Exclude *.yaml | Get-Unique |

4
.gitignore vendored
View file

@ -237,3 +237,7 @@ $RECYCLE.BIN/
*.lnk *.lnk
# End of https://www.toptal.com/developers/gitignore/api/windows,linux,macos # End of https://www.toptal.com/developers/gitignore/api/windows,linux,macos
# Keys
cosign.key

4
cosign.pub Normal file
View file

@ -0,0 +1,4 @@
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnLQ9sj71/ignxPXEa072vezEZf5D
X1fO3KuoFCtzYTLc/c3rwVGtIdzc02qUoXABysJ0Ok8lsmWvwKvC7yWblg==
-----END PUBLIC KEY-----

3
src/.goreleaser.yml
View file

@ -31,6 +31,9 @@ builds:
goarch: arm goarch: arm
- goos: darwin - goos: darwin
goarch: arm64 goarch: arm64
hooks:
post:
- sh -c "cosign sign-blob --key $COSIGN_KEY_LOCATION {{ .Path }} > dist/{{ .Name }}.sig"
archives: archives:
- id: oh-my-posh - id: oh-my-posh
format: binary format: binary