chainloop-dev
diff --git a/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions b/‎.gitattributes‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/contracts/build-and-test.cue‎
Lines changed: 2 additions & 0 deletions b/‎.github/workflows/contracts/build-and-test.cue‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎.github/workflows/contracts/releases.cue‎
Lines changed: 14 additions & 0 deletions b/‎.github/workflows/contracts/releases.cue‎
Lines changed: 14 additions & 0 deletions
diff --git a/‎.github/workflows/cosign.pub‎
Lines changed: 4 additions & 0 deletions b/‎.github/workflows/cosign.pub‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.github/workflows/lint.yml‎
Lines changed: 49 additions & 0 deletions b/‎.github/workflows/lint.yml‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎.github/workflows/release.yaml‎
Lines changed: 200 additions & 0 deletions b/‎.github/workflows/release.yaml‎
Lines changed: 200 additions & 0 deletions
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 84 additions & 0 deletions b/‎.github/workflows/test.yml‎
Lines changed: 84 additions & 0 deletions
@@ -0,0 +1 @@
+app/frontend/gen linguist-generated=true
@@ -0,0 +1,2 @@
+schemaVersion: "v1"
+runner: type: "GITHUB_ACTION"
@@ -0,0 +1,14 @@
+schemaVersion: "v1"
+materials: [
+	// Binaries
+	{type: "ARTIFACT", name: "cli-linux-amd64", output:           true},
+	{type: "ARTIFACT", name: "control-plane-linux-amd64", output: true},
+	{type: "ARTIFACT", name: "artifact-cas-linux-amd64", output:  true},
+	// Container images
+	{type: "CONTAINER_IMAGE", name: "control-plane-image", output: true},
+	{type: "CONTAINER_IMAGE", name: "artifact-cas-image", output:  true},
+	// SBOMS for those container images
+	{type: "SBOM_CYCLONEDX_JSON", name: "sbom-control-plane"},
+	{type: "SBOM_CYCLONEDX_JSON", name: "sbom-artifact-cas"},
+]
+runner: type: "GITHUB_ACTION"
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMBSJAtPWo4hhThSBJXF9pfheP1x7
+JQRD2meyc92McFO96WlRB1yW11kC24gVdxOyZvOz+qk8CR+/2GuQYleKsQ==
+-----END PUBLIC KEY-----
@@ -0,0 +1,49 @@
+name: Lint
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+permissions:
+  contents: read
+  # Optional: allow read access to pull request. Use with `only-new-issues` option.
+  pull-requests: read
+jobs:
+  golangci:
+    name: lint
+    strategy:
+      fail-fast: false
+      matrix:
+        app:
+          - main-module
+          - cli
+          - controlplane
+          - artifact-cas
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+
+      - uses: actions/checkout@v3
+
+      - name: Lint main module
+        uses: golangci/golangci-lint-action@v3
+        if: ${{ matrix.app == 'main-module' }}
+
+      - name: Lint ${{ matrix.app }}
+        uses: golangci/golangci-lint-action@v3
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          working-directory: app/${{ matrix.app }}
+
+  lint-protos:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: bufbuild/buf-setup-action@v1
+        with:
+          buf_user: ${{ secrets.buf_user }}
+          buf_api_token: ${{ secrets.buf_api_token }}
+      - uses: bufbuild/buf-lint-action@v1
@@ -0,0 +1,200 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - "v*.*.*"
+
+jobs:
+  test:
+    uses: chainloop-dev/bedrock-old/.github/workflows/test.yml@main
+    # secrets required to run the attestation on the testing job, otherwise the chainloop token is not available
+    secrets: inherit
+
+  release:
+    name: Release CLI and control-plane/artifact-cas container images
+    needs: test
+    runs-on: ubuntu-latest
+    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
+    permissions:
+      id-token: write # required to use OIDC and retrieve Google Cloud Credentials
+      contents: write # required for goreleaser
+    env:
+      CHAINLOOP_VERSION: 0.8.89
+      CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_WF_RELEASE }}
+      CONTAINER_IMAGE_CP: us-east1-docker.pkg.dev/bedrock-371810/chainloop/control-plane:${{ github.ref_name }}
+      CONTAINER_IMAGE_CAS: us-east1-docker.pkg.dev/bedrock-371810/chainloop/artifact-cas:${{ github.ref_name }}
+    steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+
+      - name: Install ChainLoop
+        run: |
+          curl -sfL https://chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
+
+      - name: Download jq
+        run: |
+          sudo wget -q https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 -O /usr/local/bin/jq
+          sudo chmod u+x /usr/local/bin/jq
+
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "1.20"
+
+      - name: "Configure Google Cloud credentials"
+        id: "auth-google"
+        uses: "google-github-actions/auth@v0"
+        with:
+          token_format: "access_token"
+          workload_identity_provider: projects/1044976554810/locations/global/workloadIdentityPools/chainloop-github-pool/providers/github-provider
+          service_account: [email protected]
+
+      - name: Login to GAR
+        uses: docker/login-action@v2
+        with:
+          registry: us-east1-docker.pkg.dev
+          username: oauth2accesstoken
+          password: ${{ steps.auth-google.outputs.access_token }}
+
+      - name: Run GoReleaser
+        id: release
+        uses: goreleaser/goreleaser-action@v3
+        with:
+          distribution: goreleaser
+          version: latest
+          args: release --rm-dist
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.CONTAINER_IMAGE_CP }}
+          format: cyclonedx-json
+          artifact-name: controlplane.cyclonedx.json
+          output-file: /tmp/sbom.cp.cyclonedx.json
+
+      - uses: anchore/sbom-action@v0
+        with:
+          image: ${{ env.CONTAINER_IMAGE_CAS }}
+          format: cyclonedx-json
+          artifact-name: cas.cyclonedx.json
+          output-file: /tmp/sbom.cas.cyclonedx.json
+
+      - name: Add Attestation Artifacts (SBOM)
+        run: |
+          chainloop attestation add --name sbom-control-plane --value /tmp/sbom.cp.cyclonedx.json
+          chainloop attestation add --name sbom-artifact-cas --value /tmp/sbom.cas.cyclonedx.json
+
+      - name: Add Attestation Artifacts (container images)
+        run: |
+          # Control plane image
+          chainloop attestation add --name control-plane-image --value ${{ env.CONTAINER_IMAGE_CP }}
+          # CAS image
+          chainloop attestation add --name artifact-cas-image --value ${{ env.CONTAINER_IMAGE_CAS }}
+
+      - name: Add Attestation Artifacts (binaries)
+        run: |
+          # Binaries x86_64
+          # TODO: add the rest of binaries
+          echo -n '${{ steps.release.outputs.artifacts }}' | jq -r '.[] | select(.type=="Binary" and .goos=="linux" and .goarch=="amd64") | { "name": "\(.extra.ID)-\(.goos)-\(.goarch)", "path":"\(.path)"} | @base64' | while read i; do
+              BINARY_NAME=$(echo "${i}" | base64 --decode | jq -r ${1} .name)
+              BINARY_PATH=$(echo "${i}" | base64 --decode | jq -r ${1} .path)
+              chainloop attestation add --name ${BINARY_NAME} --value ${BINARY_PATH} 
+            done
+
+      - name: Finish and Record Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
+        env:
+          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation
+
+  deploy:
+    name: Deploy to Kubernetes
+    runs-on: ubuntu-latest
+    needs: release
+    strategy:
+      fail-fast: false
+      matrix:
+        app:
+          - controlplane
+          - frontend
+          - artifact-cas
+    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
+    permissions:
+      id-token: write
+      contents: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: "Configure Google Cloud credentials"
+        id: "auth-google"
+        uses: "google-github-actions/auth@v0"
+        with:
+          token_format: "access_token"
+          workload_identity_provider: projects/1044976554810/locations/global/workloadIdentityPools/chainloop-github-pool/providers/github-provider
+          service_account: [email protected]
+
+      - name: "Get Google Kubernetes Engine credentials"
+        uses: "google-github-actions/get-gke-credentials@v1"
+        with:
+          cluster_name: "bedrock"
+          location: "us-central1"
+
+      - name: Check kubectl
+        run: kubectl cluster-info
+
+      - name: Check Helm version
+        run: helm version
+
+      - name: Bump Helm Chart
+        if: ${{ matrix.app == 'controlplane' || matrix.app == 'artifact-cas' }}
+        run: cd deployment && ./bump-chart-app-version.sh ${{ matrix.app }}/chart/Chart.yaml ${{ github.ref_name }}
+
+      - name: Bump Helm Chart Frontend
+        if: ${{ matrix.app == 'frontend' }}
+        run: |
+          # The frontend follows upstream frontend version instead
+          LATEST_FRONTEND=$(gh api repos/chainloop-dev/frontend/tags -q ".[0].name")
+          cd deployment && ./bump-chart-app-version.sh ${{ matrix.app }}/chart/Chart.yaml ${LATEST_FRONTEND}
+        env:
+          # PAT token with permissions to access the frontend private repository
+          GITHUB_TOKEN: ${{ secrets.PAT_FRONTEND_TAGS_LIST }}
+
+      - name: Deploy to production
+        run: make -C deployment/${{ matrix.app }} upgrade-prod
+
+      - name: Commit new Helm Chart
+        uses: stefanzweifel/git-auto-commit-action@v4
+        with:
+          commit_message: Bump ${{ matrix.app }} Chart Version to ${{github.ref_name}}
+          skip_checkout: false
+          file_pattern: "*/*/chart/Chart.yaml"
+          branch: main
+          commit_author: Chainloop bot <[email protected]>
+          push_options: "--force"
@@ -0,0 +1,84 @@
+name: Test
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+  # We want to call this workflow during release too
+  workflow_call:
+
+jobs:
+  build_and_test:
+    name: Test
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        app:
+          - main-module
+          - cli
+          - controlplane
+          - artifact-cas
+    steps:
+      - name: Install Cosign
+        uses: sigstore/[email protected]
+      - name: Install ChainLoop
+        run: |
+          curl -sfL https://chainloop.dev/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          go-version-file: app/${{ matrix.app }}/go.mod
+          cache: true
+          cache-dependency-path: app/${{ matrix.app }}/go.sum
+
+      - uses: actions/setup-go@v3
+        if: ${{ matrix.app == 'main-module' }}
+        with:
+          go-version-file: go.mod
+          cache: true
+          cache-dependency-path: go.sum
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init
+
+      # Check that the generated ent code is up to date
+      # see https://entgo.io/docs/ci/
+      - uses: ent/contrib/ci@master
+        name: "Check all generated code is checked in"
+        if: ${{ matrix.app != 'main-module' }}
+        with:
+          working-directory: app/${{ matrix.app }}
+
+      - name: Test
+        if: ${{ matrix.app != 'main-module' }}
+        run: make -C app/${{ matrix.app }} test
+
+      - name: Test top level modules
+        if: ${{ matrix.app == 'main-module' }}
+        run: make test
+
+      - name: Finish and Record Attestation
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY
+        env:
+          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CHAINLOOP_VERSION: 0.8.89
+      CHAINLOOP_ROBOT_ACCOUNT: ${{ secrets.CHAINLOOP_WF_BUILD_AND_TEST }}
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+app/frontend/gen linguist-generated=true`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+schemaVersion: "v1"`
	`2`	`+runner: type: "GITHUB_ACTION"`