-
Notifications
You must be signed in to change notification settings - Fork 7
142 lines (138 loc) · 5.93 KB
/
release-build.yml
File metadata and controls
142 lines (138 loc) · 5.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
---
name: Release Build
on:
push:
# This workflow should only run on tags, it will trigger when release-please
# kicks-off the release process.
tags: ["v*.*.*"]
workflow_dispatch:
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
permissions: {}
jobs:
build-push-test:
name: Build, Push and Test (🍨 ${{ matrix.flavor }})
strategy:
matrix:
flavor: [cpp, rust]
uses: ./.github/workflows/wc-build-push-test.yml
secrets:
TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
permissions:
actions: read
attestations: write
checks: write
contents: write
id-token: write
packages: write
pull-requests: write
with:
devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
image-name: ${{ github.repository }}-${{ matrix.flavor }}
integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
apply-release-notes-template:
name: 📝 Apply Release Template
runs-on: ubuntu-latest
permissions:
# `contents: write` is needed to modify a release.
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write
steps:
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
disable-sudo-and-containers: true
egress-policy: audit
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Amend release description
run: |
set -Eeuo pipefail
CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
env:
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}
update-release-notes:
name: Update Release Notes (🍨 ${{ matrix.flavor }})
strategy:
matrix:
flavor: [cpp, rust]
runs-on: ubuntu-latest
permissions:
# `contents: write` is needed to modify a release.
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write
needs: [build-push-test, apply-release-notes-template]
env:
CONTAINER_FLAVOR: ${{ matrix.flavor }}
REF_NAME: ${{ github.ref_name }}
REGISTRY: ghcr.io
steps:
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
disable-sudo-and-containers: true
egress-policy: audit
- name: Inspect manifest and extract digest
id: inspect-manifest
run: |
set -Eeuo pipefail
output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
env:
GH_REPO: ${{ github.repository }}
- name: Upload provenance to release
run: |
set -Eeuo pipefail
FORMATTED_DIGEST=${DIGEST//:/_}
gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
gh release upload "${REF_NAME}" ./*.intoto.jsonl
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
REPOSITORY_OWNER: ${{ github.repository_owner }}
REPOSITORY_NAME: ${{ github.event.repository.name }}
- name: Update package details in release
run: |
set -Eeuo pipefail
UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
upload-documents:
name: 📄 Upload Documents
runs-on: ubuntu-latest
permissions:
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write # is needed to modify a release
needs: [build-push-test]
steps:
- uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
with:
pattern: documents
- name: Upload documents to release
run: |
set -Eeuo pipefail
gh release upload "${REF_NAME}" ./*.pdf
env:
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}