Merged
7 changes: 7 additions & 0 deletions .github/workflows/reusable-release.yaml
Expand Up @@ -25,6 +25,7 @@ jobs:
id-token: write # For cosign
packages: write # For GHCR
contents: read # Not required for public repositories, but for clarity
attestations: write # For build provenance attestations
steps:
- name: Cosign install
uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
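Review bot: `attestations: write` is granted at the job level, so every step in this job carries it, not only the actions/attest step that needs it; since actions/attest also depends on the existing `id-token: write` to sign the provenance, it would help to say so in the inline comment (the neighbouring entries each name their consumer) so the two permissions stay together if this block is later narrowed per step.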
Expand Down Expand Up @@ -115,6 +116,12 @@ jobs:
ghcr.io/aquasecurity/trivy:canary
public.ecr.aws/aquasecurity/trivy:canary

- name: Generate build provenance attestations
if: ${{ inputs.goreleaser_config != 'goreleaser-canary.yml' }}
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-checksums: dist/checksums.txt

Contributor

There is an issue with the install script. It currently expects a versioned filename:

trivy/contrib/install.sh

Lines 393 to 394 in 75c4dc0

CHECKSUM=${PROJECT_NAME}_${VERSION}_checksums.txt
CHECKSUM_URL=${GITHUB_DOWNLOAD}/${TAG}/${CHECKSUM}

Because of this, http_download will fail when trying to fetch trivy_X.Y.Z_checksums.txt (instead of checksums.txt).

We either need to update the install script, or, alternatively, we can just specify the correct filename right here:

Suggested change
subject-checksums: dist/checksums.txt
subject-checksums: dist/trivy_${{ github.ref_name }}_checksums.txt

Collaborator Author

Thanks. Fixed in 88eb9d2

Contributor

Did you test this?
I understand now that we don't trim the v prefix for github.ref_name.

Collaborator Author

You're right, I hadn't tested after changing to dist/trivy_${{ github.ref_name }}_checksums.txt. The v prefix needed to be stripped since GoReleaser's {{ .Version }} doesn't include it.

I've fixed this by using fromJSON(steps.goreleaser.outputs.metadata).version instead, which gives the version without the v prefix directly from GoReleaser's output.

Confirmed working: https://github.com/knqyf263/trivy/actions/runs/22934149686/job/66561715834

- name: Cache Trivy binaries
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
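Review bot: `subject-checksums: dist/checksums.txt` only resolves if the goreleaser.yml change in this PR renames the checksum file, and as the thread notes that name conflicts with what contrib/install.sh fetches (`${PROJECT_NAME}_${VERSION}_checksums.txt`), while the interim `${{ github.ref_name }}` form produces a v-prefixed name GoReleaser never writes; deriving the path from `fromJSON(steps.goreleaser.outputs.metadata).version`, as the author reports doing, keeps the workflow and the installer in agreement. The `if:` guard also means runs using goreleaser-canary.yml publish no provenance attestation, which is worth stating in the step name or a comment so nobody expects canary artifacts to verify.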
3 changes: 3 additions & 0 deletions goreleaser.yml
Expand Up @@ -111,6 +111,9 @@ nfpms:
signature:
key_file: '{{ .Env.GPG_FILE }}'

checksum:
name_template: checksums.txt

archives:
- id: archive
format: tar.gz
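Review bot: setting `name_template` to a bare `checksums.txt` drops the `${PROJECT_NAME}_${VERSION}_` prefix that contrib/install.sh (quoted in the review thread, lines 393 to 394) builds into CHECKSUM, so existing installs would fail to download the file and any downstream tooling keyed on the old name breaks silently. Either update install.sh in the same PR or keep GoReleaser's default name and point `subject-checksums` at the versioned filename instead; if the rename stays, call it out as a release artifact name change.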
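Added example, not code from this PR or from Trivy's contrib/install.sh: the two checksum filename derivations discussed in the thread (from `github.ref_name`, which keeps the v prefix, and from GoReleaser's metadata.json `version`, which does not) next to the sha256 lookup an installer performs against that file. The metadata.json layout (a top-level "version" key) and the archive name are assumptions.

```shell
# Added example, not code from the PR or from Trivy's contrib/install.sh.
set -e

PROJECT_NAME=trivy

# install.sh expects ${PROJECT_NAME}_${VERSION}_checksums.txt with VERSION lacking
# the leading "v". github.ref_name keeps the "v" (e.g. v0.60.0), so building the
# name from it yields a file GoReleaser never produces.
checksum_name_from_ref() {   # $1 = github.ref_name
    printf '%s_%s_checksums.txt\n' "$PROJECT_NAME" "$1"
}

# GoReleaser's metadata.json (assumed layout: a top-level "version" key holding
# the tag without "v") is what fromJSON(steps.goreleaser.outputs.metadata).version reads.
checksum_name_from_metadata() {   # $1 = path to metadata.json
    version=$(sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    [ -n "$version" ] || { echo "no version field in $1" >&2; return 1; }
    printf '%s_%s_checksums.txt\n' "$PROJECT_NAME" "$version"
}

sha256_of() {   # $1 = file; coreutils sha256sum, or shasum where it is absent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | awk '{ print $1 }'
}

# The check an installer performs once it has the checksum file: find the entry
# for the archive and compare digests. Fails when the entry is missing (wrong
# filename, as in the thread) or the digest differs (truncated/tampered download).
verify_archive() {   # $1 = checksums file, $2 = downloaded archive
    expected=$(awk -v f="$(basename "$2")" '$2 == f { print $1 }' "$1")
    [ -n "$expected" ] || { echo "no checksum entry for $(basename "$2") in $1" >&2; return 1; }
    actual=$(sha256_of "$2")
    [ "$expected" = "$actual" ]
}

# Demo with a constructed metadata.json for tag v0.60.0.
tmp=$(mktemp -d)
printf '{"tag":"v0.60.0","version":"0.60.0"}\n' > "$tmp/metadata.json"
echo "from ref_name: $(checksum_name_from_ref v0.60.0)"                    # trivy_v0.60.0_checksums.txt
echo "from metadata: $(checksum_name_from_metadata "$tmp/metadata.json")"  # trivy_0.60.0_checksums.txt
rm -rf "$tmp"
```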