ci: Add integrate workflow

jalseth · jalseth · commit 6c30a530a59e · 2025-11-22T12:57:55.000-08:00
This ensures that conftest builds successfull on all of the supported
OSes, and that the provenance generation workflow is working.

It also provides a mechanism for users to obtain pre-release versions
of fixes and features they care about without having to build from
source.

Signed-off-by: James Alseth &lt;james@jalseth.me&gt;
diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml
@@ -0,0 +1,59 @@
+name: 'integrate'
+on:
+  # TODO: Remove pull_request below after testing is done.
+  pull_request:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+
+jobs:
+  goreleaser:
+    runs-on: 'ubuntu-latest'
+    permissions:
+      contents: 'write' # Needs write access for upload-artifact.
+    outputs:
+      hashes: '${{ steps.outputs.outputs.hashes }}'
+    steps:
+      - name: 'checkout'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+        with:
+          fetch-depth: 0 # So that goreleaser can determine the base version.
+      - name: 'build'
+        id: 'goreleaser'
+        uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6
+        with:
+          args: 'release --snapshot --clean --skip docker --skip publish'
+          version: '~> v1'
+      - name: 'get version'
+        id: 'version'
+        shell: 'bash'
+        run: |
+          echo "version=$(jq -r .version dist/metadata.json)" >> "$GITHUB_OUTPUT"
+      - name: 'upload'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # ratchet:actions/upload-artifact@v4
+        with:
+          name: 'conftest_${{ steps.version.outputs.version }}'
+          path: 'dist/*.*'
+          retention-days: 30
+      - name: 'generate outputs'
+        id: 'outputs'
+        env:
+          GORELEASER_ARTIFACTS: '${{ steps.goreleaser.outputs.artifacts }}'
+        shell: 'bash'
+        run: |
+          set -euo pipefail
+
+          checksum_file=$(echo "${GORELEASER_ARTIFACTS}" | jq -r '.[] | select (.type == "Checksum") | .path' | tr -d '\n')
+          echo "hashes=$(cat ${checksum_file} | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: ['goreleaser']
+    permissions:
+      contents: 'write' # Needs write access for upload-artifact even when upload-assets is false.
+      actions: 'read' # To read the workflow path.
+      id-token: 'write' # To sign the provenance.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 # ratchet:exclude
+    with:
+      base64-subjects: '${{ needs.goreleaser.outputs.hashes }}'
+      upload-assets: false
