Revert "feat(workflows): Integrate GitHub Release reusable workflow (#851) (#857)

javirln · web-flow · commit f81a43e7373d · 2024-05-30T19:59:55.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -2,20 +2,100 @@ name: Release
 
 on:
   release:
-    types: [published]
 
 permissions:
   contents: write
 
 jobs:
-  release:
-    name: Attest GitHub Release
-    uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb
+  # This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
+  # it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
+  # be ignored and the process will continue. For this to work it's using a pre-created API Token
+  onboard_workflow:
+    name: Onboard Chainloop Workflow
+    uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@4173e015dbd5dc2a8802555c268da63d57bbe576
     with:
       project: "chainloop"
       workflow_name: "chainloop-vault-release"
-      additional_materials: "ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/cli:${{ github.ref_name }}"
     secrets:
       api_token: ${{ secrets.CHAINLOOP_API_TOKEN }}
-      cosign_key: ${{ secrets.COSIGN_KEY }}
-      cosign_password: ${{ secrets.COSIGN_PASSWORD }}
+
+  release:
+    name: Record release from GitHub
+    runs-on: ubuntu-latest
+    needs: onboard_workflow
+    permissions:
+      packages: write
+    env:
+      CHAINLOOP_VERSION: 0.89.0
+      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_API_TOKEN }}
+      CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install Chainloop
+        run: |
+          curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}
+
+      - name: Initialize Attestation
+        run: |
+          chainloop attestation init --workflow-name ${CHAINLOOP_WORKFLOW_NAME}
+
+      - name: Attest all assets
+        run: |
+          tag=$(echo -n ${{github.ref}} | cut -d / -f3)
+          gh release download $tag -D /tmp/github-release
+          for entry in $(ls /tmp/github-release); do
+            chainloop attestation add --value "/tmp/github-release/$entry"
+          done
+          
+          # Include source code
+          version=$(echo -n $tag | sed 's/v//g')
+          gh release download $tag -A tar.gz -D /tmp
+          chainloop attestation add --value "/tmp/chainloop-$version.tar.gz"
+          
+           # Include control-plane image
+           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/control-plane:$tag"
+          
+           # Include cas image
+           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/artifact-cas:$tag"
+
+           # Include cli image
+           chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/cli:$tag"
+
+      - name: Finish and Record Attestation
+        id: attestation-push
+        if: ${{ success() }}
+        run: |
+          chainloop attestation status --full
+          attestation_sha=$(chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY -o json | jq -r '.digest')
+          echo "attestation_sha=$attestation_sha" >> $GITHUB_OUTPUT
+        env:
+          CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
+          CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}
+
+      - name: Mark attestation as failed
+        if: ${{ failure() }}
+        run: |
+          chainloop attestation reset
+
+      - name: Mark attestation as cancelled
+        if: ${{ cancelled() }}
+        run: |
+          chainloop attestation reset --trigger cancellation
+
+      - name: Add attestation link to release notes
+        if: ${{ success() }}
+        run: |
+          chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ steps.attestation-push.outputs.attestation_sha }})"
+          current_notes=$(gh release view ${{ github.ref_name }} --json body -q '.body')
+          
+          if echo "$current_notes" | grep -q "## Chainloop Attestation"; then
+            # Replace the existing Chainloop Attestation section with the new URL
+            modified_notes=$(echo "$current_notes" | sed -E "s|## Chainloop Attestation[^\n]*\n\[View the attestation of this release\]\(https://app\.chainloop\.dev/attestation/[^\)]*\)|$chainloop_release_url|")
+          else
+            # Add the Chainloop Attestation section to the top
+            modified_notes="$chainloop_release_url"$'\n\n'"$current_notes"
+          fi
+          
+          gh release edit ${{ github.ref_name }} -n "$modified_notes"
