Merge branch 'main' into release-please--branches--main--components--amp-devcontainer

rjaegers · web-flow · commit 4f555b40f67e · 2025-04-18T08:10:22.000+02:00
diff --git a/.github/RELEASE_TEMPLATE.md b/.github/RELEASE_TEMPLATE.md
@@ -0,0 +1,15 @@
+<!-- markdownlint-disable MD041 -->
+
+### :clipboard: Summary
+
+<!-- Manually fill this summary, taking note of any changes relevant to the end user.
+     When a change requires action, or emphasis, use '> [!NOTE]' notation.
+-->
+
+#### :bookmark: Packages
+
+| Container             | Full identifier                                                                                                           |
+|-----------------------|---------------------------------------------------------------------------------------------------------------------------|
+| amp-devcontainer-cpp  | ghcr.io/philips-software/amp-devcontainer-cpp:{{ amp-devcontainer-cpp-version }}@sha256:{{ amp-devcontainer-cpp-sha }}    |
+| amp-devcontainer-rust | ghcr.io/philips-software/amp-devcontainer-rust:{{ amp-devcontainer-rust-version }}@sha256:{{ amp-devcontainer-rust-sha }} |
+
diff --git a/.github/workflows/build-push.yml b/.github/workflows/build-push.yml
@@ -130,6 +130,22 @@ jobs:
           GH_TOKEN: ${{ github.token }}
         run: |
           gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }}
+      - name: Upload provenance to release
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          gh attestation verify --repo ${{ github.repository }} oci://${{ env.REGISTRY }}/${{ github.repository }}-${{ matrix.flavor }}@${{ steps.build-and-push.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > ${{ github.repository_owner }}-${{ github.event.repository.name }}-${{ matrix.flavor }}_sha256_${{ steps.build-and-push.outputs.digest }}.intoto.jsonl
+          gh release upload ${{ github.ref_name }} ./*.intoto.jsonl
+      - name: Update package details in release
+        if: startsWith(github.ref, 'refs/tags/')
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          UPDATED_NOTES=$(gh release view ${{ github.ref_name }} --json body -q '.body')
+          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-version }}'/'${{ github.ref_name }}'}
+          UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${{ matrix.flavor }}-sha }}'/'${{ steps.build-and-push.outputs.digest }}'}
+          gh release edit ${{ github.ref_name }} --notes "${UPDATED_NOTES}"
   acceptance-test:
     if: github.event_name == 'pull_request'
     needs: build-push
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -22,5 +22,16 @@ jobs:
           app-id: ${{ vars.FOREST_RELEASER_APP_ID }}
           private-key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY }}
       - uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
+        id: release
         with:
           token: ${{ steps.token.outputs.token }}
+      - name: Amend release description
+        if: ${{ steps.release.outputs.release_created }}
+        env:
+          GITHUB_TOKEN: ${{ steps.token.outputs.token }}
+        run: |
+          CURRENT_NOTES=$(gh release view ${{ steps.release.outputs.tag_name }} --json body -q '.body')
+          HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
+          TEMPLATE=$(cat ../RELEASE_TEMPLATE.md)
+          BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
+          gh release edit ${{ steps.release.outputs.tag_name }} --notes "${HEADER}${TEMPLATE}${BODY}"
