Add Actions release and attest job (#147)

* update release workflow

Signed-off-by: Meredith Lancaster <[email protected]>

* Grab image digest for attestation step

Signed-off-by: Meredith Lancaster <[email protected]>

* comment

Signed-off-by: Meredith Lancaster <[email protected]>

* update workflow name

Signed-off-by: Meredith Lancaster <[email protected]>

* add release directions

Signed-off-by: Meredith Lancaster <[email protected]>

* undo ko config changes

Signed-off-by: Meredith Lancaster <[email protected]>

* add fork specific options to ko build call

Signed-off-by: Meredith Lancaster <[email protected]>

* Change version format

---------

Signed-off-by: Meredith Lancaster <[email protected]>
Co-authored-by: Cody Soyland <[email protected]>

Author: malancas

.github/workflows/release.yaml

@@ -1,110 +1,47 @@
-name: Cut Release
+name: Release
 
 on:
   push:
     tags:
       - "v*"
 
-concurrency: cut-release
-
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for pushing the images to ghcr.io
-
 jobs:
   release:
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
-      tag_name: ${{ steps.tag.outputs.tag_name }}
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    env:
+      KO_DOCKER_REPO: ghcr.io/github/policy-controller-webhook
+      KOCACHE: /tmp/ko
     steps:
-      - uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
         with:
-          android: true
-          dotnet: true
-          haskell: true
-          large-packages: true
-          docker-images: true
-          swap-storage: true
-
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-depth: 0
-
-      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+          ref: "release"
+      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version-file: './go.mod'
+          go-version-file: "./go.mod"
           check-latest: true
-
-      - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da
-
-      - uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
-
-      - uses: ko-build/setup-ko@3aebd0597dc1e9d1a26bcfdb7cbeb19c131d3037 # v0.7
-
-      - name: Set up Cloud SDK
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
-        with:
-          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
-          service_account: '[email protected]'
-
-      - name: 'Set up Cloud SDK'
-        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
-
-      - name: creds
-        run: gcloud auth configure-docker --quiet
-
-      - name: Set LDFLAGS
-        id: ldflags
+      - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
+      - name: Build and publish webhook to GHCR
+        id: build
         run: |
-           source ./release/ldflags.sh
-           goflags=$(ldflags)
-           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
-
-      - name: Set tag output
-        id: tag
-        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
+          export GIT_HASH=`git rev-parse HEAD`
+          export GIT_VERSION=`git describe --tags --always --dirty`
+          export BUILD_DATE=`date +%Y-%m-%dT%H:%M:%SZ`
+          export LDFLAGS="-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$GIT_VERSION -X sigs.k8s.io/release-utils/version.gitCommit=$GIT_HASH -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE"
+
+          mkdir -p ${{ env.KOCACHE }}
+          # ko build should print ghcr.io/github/policy-controller-webhook@sha256:<digest>
+          # to standard out. Capture the image digest for the build provenance step
+          IMAGE_DIGEST=$(ko build --bare --tags $GIT_VERSION --tags $GIT_HASH --platform=linux/amd64 github.com/sigstore/policy-controller/cmd/webhook | cut -d'@' -f2)
+          echo "image_digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+        id: attest
         with:
-          version: latest
-          args: release --clean --timeout 120m --parallelism 1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          LDFLAGS: ${{ env.GO_FLAGS }}
-
-      - name: Generate subject
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: build images
-        run: |
-          make build-sign-release-images
-        env:
-          LDFLAGS: ${{ env.GO_FLAGS }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: copy-signed-release-to-ghcr
-        run: make copy-signed-release-to-ghcr || true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  provenance:
-    needs: [release]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true # upload to a new release
-      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+          subject-name: ${{ env.KO_DOCKER_REPO }}
+          subject-digest: ${{ steps.build.outputs.image_digest }}
+          push-to-registry: true

.ko.yaml

@@ -30,4 +30,3 @@ builds:
     ldflags:
       - -extldflags "-static"
       - "{{ .Env.LDFLAGS }}"
-

README.md

@@ -145,12 +145,16 @@ This policy-controller's versions are able to run in the following versions of K
 
 note: not fully tested yet, but can be installed
 
-## Release Cadence
+## Cutting a new release
 
-We are intending to move to a monthly cadence for minor releases.
-Minor releases will be published around the beginning of the month.
-We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
-We will also cut patch releases periodically as needed to address bugs.
+The branch `release` on the private fork is used for customer-facing released code. 
+
+In order to push a new release, follow these steps:
+
+1. Merge any changes into the `release` branch.
+1. Tag as `v0.9.0+githubX` (incrementing the `X` as needed).
+1. Push the tag to the private fork.
+1. The [Release GitHub Action workflow](https://github.com/github/policy-controller/actions/workflows/release.yaml) will triggered automatically when the tag is pushed
 
 ## Security