feat(workflows): Integrate GitHub Release reusable workflow (#851)

javirln · web-flow · commit b92d97f360ec · 2024-05-30T12:55:11.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -2,100 +2,20 @@ name: Release
 
 on:
   release:
+    types: [published]
 
 permissions:
-  contents: read
+  contents: write
 
 jobs:
-  # This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
-  # it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
-  # be ignored and the process will continue. For this to work it's using a pre-created API Token
-  onboard_workflow:
-    name: Onboard Chainloop Workflow
-    uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@4173e015dbd5dc2a8802555c268da63d57bbe576
+  release:
+    name: Attest GitHub Release
+    uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb
     with:
       project: "chainloop"
       workflow_name: "chainloop-vault-release"
+      additional_materials: "ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/cli:${{ github.ref_name }}"
     secrets:
       api_token: ${{ secrets.CHAINLOOP_API_TOKEN }}
-
-  release:
-    name: Record release from GitHub
-    runs-on: ubuntu-latest
-    needs: onboard_workflow
-    permissions:
-      packages: write
-    env:
-      CHAINLOOP_VERSION: 0.89.0
-      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_API_TOKEN }}
-      CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
-      GH_TOKEN: ${{ github.token }}
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-
-      - name: Install Chainloop
-        run: |
-          curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
-
-      - name: Initialize Attestation
-        run: |
-          chainloop attestation init --workflow-name ${CHAINLOOP_WORKFLOW_NAME}
-
-      - name: Attest all assets
-        run: |
-          tag=$(echo -n ${{github.ref}} | cut -d / -f3)
-          gh release download $tag -D /tmp/github-release
-          for entry in $(ls /tmp/github-release); do
-            chainloop attestation add --value "/tmp/github-release/$entry"
-          done
-          
-          # Include source code
-          version=$(echo -n $tag | sed 's/v//g')
-          gh release download $tag -A tar.gz -D /tmp
-          chainloop attestation add --value "/tmp/chainloop-$version.tar.gz"
-          
-           # Include control-plane image
-           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/control-plane:$tag"
-          
-           # Include cas image
-           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/artifact-cas:$tag"
-
-           # Include cli image
-           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/cli:$tag"
-
-      - name: Finish and Record Attestation
-        id: attestation-push
-        if: ${{ success() }}
-        run: |
-          chainloop attestation status --full
-          attestation_sha=$(chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY -o json | jq -r '.digest')
-          echo "attestation_sha=$attestation_sha" >> $GITHUB_OUTPUT
-        env:
-          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
-
-      - name: Mark attestation as failed
-        if: ${{ failure() }}
-        run: |
-          chainloop attestation reset
-
-      - name: Mark attestation as cancelled
-        if: ${{ cancelled() }}
-        run: |
-          chainloop attestation reset --trigger cancellation
-
-      - name: Add attestation link to release notes
-        if: ${{ success() }}
-        run: |
-          chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ steps.attestation-push.outputs.attestation_sha }})"
-          current_notes=$(gh release view ${{ github.ref }} --json body -q '.body')
-          
-          if echo "$current_notes" | grep -q "## Chainloop Attestation"; then
-            # Replace the existing Chainloop Attestation section with the new URL
-            modified_notes=$(echo "$current_notes" | sed -E "s|## Chainloop Attestation[^\n]*\n\[View the attestation of this release\]\(https://app\.chainloop\.dev/attestation/[^\)]*\)|$chainloop_release_url|")
-          else
-            # Add the Chainloop Attestation section to the top
-            modified_notes="$chainloop_release_url"$'\n\n'"$current_notes"
-          fi
-          
-          gh release edit ${{ github.ref }} -n "$modified_notes"
+      cosign_key: ${{ secrets.COSIGN_KEY }}
+      cosign_password: ${{ secrets.COSIGN_PASSWORD }}
