-
Notifications
You must be signed in to change notification settings - Fork 7
144 lines (140 loc) · 6.43 KB
/
release-build.yml
File metadata and controls
144 lines (140 loc) · 6.43 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
---
name: Release Build
on:
push:
# This workflow should only run on tags, it will trigger when release-please
# kicks-off the release process.
tags: ["v*.*.*"]
workflow_dispatch:
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
permissions: {}
jobs:
build-push-test:
name: Build, Push and Test (🍨 ${{ matrix.flavor }})
strategy:
matrix:
flavor: [cpp, rust]
uses: ./.github/workflows/wc-build-push-test.yml
secrets:
TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
permissions:
actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
attestations: write # is needed by actions/attest-build-provenance to push attestations
contents: write # is needed by anchore/sbom-action for artifact uploads
id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
packages: write # is needed to push image manifest when using GitHub Container Registry
pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
with:
devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
image-name: ${{ github.repository }}-${{ matrix.flavor }}
integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
apply-release-notes-template:
name: 📝 Apply Release Template
runs-on: ubuntu-latest
permissions:
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write # is needed to modify a release
steps:
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
disable-sudo-and-containers: true
egress-policy: audit
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Amend release description
run: |
set -Eeuo pipefail
CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
env:
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}
update-release-notes:
name: Update Release Notes (🍨 ${{ matrix.flavor }})
strategy:
matrix:
flavor: [cpp, rust]
runs-on: ubuntu-latest
permissions:
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write # is needed to modify a release
needs: [build-push-test, apply-release-notes-template]
env:
CONTAINER_FLAVOR: ${{ matrix.flavor }}
REF_NAME: ${{ github.ref_name }}
REGISTRY: ghcr.io
steps:
- uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
disable-sudo-and-containers: true
egress-policy: audit
- name: Inspect manifest and extract digest
id: inspect-manifest
run: |
set -Eeuo pipefail
output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
env:
GH_REPO: ${{ github.repository }}
- name: Upload provenance to release
run: |
set -Eeuo pipefail
FORMATTED_DIGEST=${DIGEST//:/_}
gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
gh release upload "${REF_NAME}" ./*.intoto.jsonl
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
REPOSITORY_OWNER: ${{ github.repository_owner }}
REPOSITORY_NAME: ${{ github.event.repository.name }}
- name: Update package details in release
run: |
set -Eeuo pipefail
UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
generate-documents:
name: 📄 Documentation
uses: ./.github/workflows/wc-document-generation.yml
permissions:
contents: read
upload-documents:
name: 📄 Upload Documents
runs-on: ubuntu-latest
permissions:
# Please note that this is an overly broad scope, but GitHub does not
# currently provide a more fine-grained permission for release modification.
contents: write # is needed to modify a release
needs: [generate-documents]
steps:
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
with:
pattern: documents
- name: Upload documents to release
run: |
set -Eeuo pipefail
gh release upload "${REF_NAME}" ./*.pdf
env:
GH_REPO: ${{ github.repository }}
GH_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}