chore(ci): Rename build and package to release (#1783)

Signed-off-by: Javier Rodriguez <[email protected]>

Author: javirln

.github/workflows/build_and_package.yaml

@@ -0,0 +1,103 @@
+name: Release
+
+on:
+  workflow_call:
+    inputs:
+      tag:
+        type: string
+        required: true
+    secrets:
+      chainloop_token:
+        required: true
+      cosign_key:
+        required: true
+      cosign_pass:
+        required: true
+
+permissions: {}
+
+jobs:
+  # This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
+  # it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
+  # be ignored and the process will continue. For this to work it's using a pre-created API Token
+  release:
+    name: Record release from GitHub
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
+    env:
+      CHAINLOOP_TOKEN: ${{ secrets.chainloop_token }}
+      CHAINLOOP_WORKFLOW_NAME: chainloop-vault-release
+      CHAINLOOP_PROJECT: chainloop
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s
+
+      - name: Initialize Attestation
+        run: |
+          tag=$(echo -n ${{inputs.tag}} | cut -d / -f3)
+          chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT} --version "$tag"
+
+      - name: Attest all assets
+        run: |
+          tag=$(echo -n ${{inputs.tag}} | cut -d / -f3)
+          gh release download $tag -D /tmp/github-release
+          for entry in $(ls /tmp/github-release); do
+            # If the name is cas.cyclonedx.json, controlplane.cyclonedx.json or cli.cyclonedx.json, we need to add the attestation with the correct name
+            if [[ $entry =~ ^(cas|controlplane|cli)\.cyclonedx\.json$ ]]; then
+              name=$(echo -n "${entry%.json}" | sed 's/\./-/g')
+              chainloop attestation add --value "/tmp/github-release/$entry" --name "$name"
+              continue
+            fi
+            chainloop attestation add --value "/tmp/github-release/$entry"
+          done
+
+          # Include source code
+          version=$(echo -n $tag | sed 's/v//g')
+          gh release download $tag -A tar.gz -D /tmp
+          chainloop attestation add --value "/tmp/chainloop-$version.tar.gz"
+
+      - name: Finish and Record Attestation
+        id: attestation-push
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          attestation_sha=$(chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY -o json | jq -r '.digest')
+          # check that the command succeeded
+          [ -n "${attestation_sha}" ] || exit 1
+          echo "attestation_sha=$attestation_sha" >> $GITHUB_OUTPUT
+        env:
+          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.cosign_pass }}
+          CHAINLOOP_SIGNING_KEY: ${{ secrets.cosign_key }}
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation
+
+      - name: Add attestation link to release notes
+        if: ${{ success() }}
+        run: |
+          chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ steps.attestation-push.outputs.attestation_sha }})"
+          current_notes=$(gh release view ${{inputs.tag}} --json body -q '.body')
+
+          if echo "$current_notes" | grep -q "## Chainloop Attestation"; then
+            # Replace the existing Chainloop Attestation section with the new URL
+            modified_notes=$(echo "$current_notes" | sed -E "s|## Chainloop Attestation[^\n]*\n\[View the attestation of this release\]\(https://app\.chainloop\.dev/attestation/[^\)]*\)|$chainloop_release_url|")
+          else
+            # Add the Chainloop Attestation section to the top
+            modified_notes="$chainloop_release_url"$'\n\n'"$current_notes"
+          fi
+
+          # Update the release notes and ignore if it fails since we might be lacking permissions to update the release notes
+          gh release edit ${{inputs.tag}} -n "$modified_notes" || echo -n "Not enough permissions to edit the release notes. Skipping..."