mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2026-07-17 16:39:40 +00:00
- restrict all default permissions - content: read is not necessary for public repos - security-events: write is needed for CodeQL uploads of SARIF reports - persist-credentials: false prevents any github token to remain configured in the checked out repo (not necessary when not intending to push from the action)
55 lines
1.5 KiB
YAML
55 lines
1.5 KiB
YAML
name: Draft Release
|
|
|
|
on:
|
|
push:
|
|
tags: '[0-9]+.[0-9]?[0-9]?[0-9]?.?[0-9]+'
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
draft:
|
|
permissions:
|
|
contents: write
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Fetch changelog from tag
|
|
uses: actions/checkout@v6
|
|
with:
|
|
persist-credentials: false
|
|
sparse-checkout: CHANGELOG.md
|
|
sparse-checkout-cone-mode: false
|
|
|
|
- name: Extract latest changelog entry and attach it to draft
|
|
uses: taiki-e/create-gh-release-action@v1
|
|
with:
|
|
changelog: CHANGELOG.md
|
|
draft: true
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
release:
|
|
outputs:
|
|
hashes: ${{ steps.hash.outputs.hashes }}
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Collect artifacts
|
|
run: |
|
|
wget -q "https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.tar.gz"
|
|
wget -q "https://github.com/PrivateBin/PrivateBin/archive/refs/tags/${GITHUB_REF_NAME}.zip"
|
|
|
|
- name: Generate hashes
|
|
shell: bash
|
|
id: hash
|
|
run: echo "hashes=$(sha256sum ${GITHUB_REF_NAME}.* | base64 -w0)" >> "$GITHUB_OUTPUT"
|
|
|
|
provenance:
|
|
needs:
|
|
- release
|
|
permissions:
|
|
actions: read
|
|
id-token: write
|
|
contents: write
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
|
|
with:
|
|
base64-subjects: "${{ needs.release.outputs.hashes }}"
|
|
draft-release: true
|
|
upload-assets: true
|