chore(ci): Add ovs scanner (#4810) #2528
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release build | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - v1 | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write # for release-please-action to create releases and update changelogs | |
| actions: write # for release-please-action to trigger other workflows | |
| id-token: write # for actions/attest-build-provenance to generate attestations | |
| attestations: write # for actions/attest-build-provenance to write attestations | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 | |
| with: | |
| node-version: 22 | |
| package-manager-cache: false | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Build dist | |
| working-directory: lambdas | |
| run: yarn install --frozen-lockfile && yarn run test && yarn dist | |
| - name: Get installation token | |
| uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 | |
| id: token | |
| with: | |
| app-id: ${{ vars.RELEASER_APP_ID }} | |
| private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }} | |
| - name: Extract branch name | |
| id: branch | |
| shell: bash | |
| run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT | |
| - name: Release | |
| id: release | |
| uses: googleapis/release-please-action@c2a5a2bd6a758a0937f1ddb1e8950609867ed15c # v4.3.0 | |
| with: | |
| target-branch: ${{ steps.branch.outputs.name }} | |
| release-type: terraform-module | |
| token: ${{ steps.token.outputs.token }} | |
| - name: Attest | |
| if: ${{ steps.release.outputs.releases_created == 'true' }} | |
| id: attest | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0 | |
| with: | |
| subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip' | |
| - name: Update release notes with attestation | |
| if: ${{ steps.release.outputs.releases_created == 'true' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| VERSION: ${{ github.event.inputs.version }} | |
| TAG_NAME: ${{ steps.release.outputs.tag_name }} | |
| ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }} | |
| REPOSITORY: ${{ github.repository }} | |
| run: | | |
| version="${VERSION}" | |
| tag_name="${TAG_NAME}" | |
| attestation_url="${ATTESTATION_URL}" | |
| repository="${REPOSITORY}" | |
| gh release view $version --json body -q '.body' > new-release-notes.md | |
| echo "## Attestation" >> new-release-notes.md | |
| echo "Attestation url: $attestation_url" >> new-release-notes.md | |
| echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${repository}\`" >> new-release-notes.md | |
| gh release edit $tag_name -F new-release-notes.md -t $tag_name | |
| - name: Upload release assets | |
| if: ${{ steps.release.outputs.releases_created == 'true' }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG_NAME: ${{ steps.release.outputs.tag_name }} | |
| run: | | |
| tag_name="${TAG_NAME}" | |
| for f in $(find . -name '*.zip'); do | |
| gh release upload $tag_name $f | |
| done | |
| - name: Attach attestation | |
| if: ${{ steps.release.outputs.releases_created == 'true' }} | |
| env: | |
| ATTESTATION_BUNDLE: ${{ steps.attest.outputs.bundle-path }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| TAG_NAME: ${{ steps.release.outputs.tag_name }} | |
| ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }} | |
| run: | | |
| # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore | |
| # OpenSSF expects the attestation bundle to be named in this format (*.sigstore) | |
| SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore | |
| INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.jsonl | |
| mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE | |
| if [ -z "$SIGSTORE_BUNDLE" ]; then | |
| echo "No attestation bundle found, skipping attachment." | |
| exit 0 | |
| fi | |
| gh release upload $TAG_NAME "$SIGSTORE_BUNDLE" | |
| cat ${SIGSTORE_BUNDLE} | jq -r '.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq .> ${INTOTO_BUNDLE} | |
| gh release upload $TAG_NAME "${INTOTO_BUNDLE}" |