feat(build): publish OpenVEX documents for new releases

npdgm · npdgm · commit 1ed09e50a2be · 2024-12-16T17:29:36.000+01:00
diff --git a/.github/workflows/openvex.yml b/.github/workflows/openvex.yml
@@ -0,0 +1,37 @@
+name: OpenVEX
+
+on:
+  workflow_dispatch:
+  release:
+    types:
+      - released
+
+permissions:
+  contents: read
+
+jobs:
+  vexctl:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set environment variables
+        run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
+
+      - name: Run vexctl
+        uses: openvex/generate-vex@c59881b41451d7ccba5c3b74cd195382b8971fcd
+        # Refer: https://github.com/openvex/vexctl#operational-model
+        with:
+          product: pkg:golang/github.com/enix/x509-certificate-exporter/v3@${{ env.RELEASE_VERSION }}
+          file: x509-certificate-exporter.openvex.json
+
+      - name: Upload OpenVEX document to GitHub Release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release upload ${{ env.RELEASE_VERSION }} x509-certificate-exporter.openvex.json
