search

rog-golang-buddies / golang-template-repository

Kickstarter repository for a golang service
Apache License 2.0
17 stars 7 forks source link

Release should trigger a binary build #27

Closed haani-niyaz closed 2 years ago

haani-niyaz commented 2 years ago

so my limited knowledge of gitlab actions tells me that this should have created a binary:

name: SLSA Go releaser
on:
  workflow_dispatch:
  release:
    types: [created]

from https://github.com/rog-golang-buddies/golang-template-repository/blob/main/.github/workflows/go-ossf-slsa3-publish.yml#L17

there is a release but this workflow didn't get triggered. I suspect for this to fire, the release type needs to be published as shown below:

on:
  release:
    types: [published]

Without testing I can't be sure.

On a slightly different note, I'm also not familiar with SLSA Go releaser and that makes me hesitant to provide it as a solution to our user base, as we should have some level of authoritative knowledge to support it. In contrast goreleaser appears to be easy to adopt, well documented and is widely used (https://goreleaser.com/users/).

From a security posture perspective slsa-go might be well worth exploring but I wonder if it is suitable for our first release? perhaps it should be an improvement story. Happy to be corrected but this is my sentiment atm.

CC: @shukra-in-spirit , @pallasite99

pallasite99 commented 2 years ago

Understood @haani-niyaz My understanding was that this would readily publish a go package here which seems to not be the case.

I will be returning from a short trip on Sunday and I’ll create a new PR with the original intended workflow planned.

pallasite99 commented 2 years ago

@haani-niyaz I've created this PR to delete the SLSA releaser and instead introduce the original intended workflow:

https://github.com/rog-golang-buddies/golang-template-repository/pull/31