Release #2

Workflow file for this run

.github/workflows/release.yml at 24c0dff

	name: Release

	on:
	release:
	types: [published]
	workflow_dispatch:
	inputs:
	tag:
	description: 'Release tag (e.g., v0.1.0)'
	required: true
	type: string

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: pulseengine/bazel-file-ops-component

	jobs:
	build-and-release:
	name: Build & Release WASM Component
	runs-on: ubuntu-latest
	permissions:
	contents: write
	packages: write
	id-token: write # For Cosign keyless signing

	steps:
	- name: Checkout code
	uses: actions/checkout@v5

	- name: Setup Bazel
	uses: bazel-contrib/[email protected]
	with:
	bazelisk-cache: true
	disk-cache: ${{ github.workflow }}
	repository-cache: true

	- name: Setup Go
	uses: actions/setup-go@v5
	with:
	go-version: '1.23'

	- name: Setup TinyGo
	uses: acifani/setup-tinygo@v2
	with:
	tinygo-version: '0.38.0'

	- name: Install Cosign
	uses: sigstore/cosign-installer@v3

	- name: Build TinyGo WASM Component
	run: \|
	echo "Building TinyGo WebAssembly component..."
	bazel build //tinygo:file_ops_component

	# Copy to a predictable location
	cp bazel-bin/tinygo/file_ops_component.wasm ./file_ops_component.wasm

	# Verify it's a valid WebAssembly module
	file ./file_ops_component.wasm
	ls -lh ./file_ops_component.wasm

	- name: Create SHA256 checksums
	run: \|
	sha256sum file_ops_component.wasm > file_ops_component.wasm.sha256
	cat file_ops_component.wasm.sha256

	- name: Log in to Container Registry
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Create OCI Image with WASM Component
	run: \|
	# Create an OCI artifact containing the WASM file
	# Using oras which is designed for OCI artifacts

	# Install oras
	VERSION="1.2.2"
	curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
	mkdir -p oras-install/
	tar -zxf "oras_${VERSION}_linux_amd64.tar.gz" -C oras-install/
	sudo mv oras-install/oras /usr/local/bin/
	rm -rf "oras_${VERSION}_linux_amd64.tar.gz" oras-install/

	# Determine tag
	if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
	TAG="${{ inputs.tag }}"
	else
	TAG="${{ github.event.release.tag_name }}"
	fi

	# Create OCI artifact references
	IMAGE_TAG="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG}"
	IMAGE_LATEST="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"

	# Push WASM file as OCI artifact
	oras push "${IMAGE_TAG}" \
	--artifact-type application/vnd.wasm.component.layer.v1+wasm \
	file_ops_component.wasm:application/vnd.wasm.component.layer.v1+wasm

	# Tag as latest
	oras tag "${IMAGE_TAG}" latest

	echo "Published OCI artifact: ${IMAGE_TAG}"
	echo "Published OCI artifact: ${IMAGE_LATEST}"
	echo "IMAGE_TAG=${IMAGE_TAG}" >> $GITHUB_ENV
	echo "IMAGE_LATEST=${IMAGE_LATEST}" >> $GITHUB_ENV

	- name: Sign OCI Image with Cosign
	run: \|
	# Sign using keyless signing with GitHub OIDC
	cosign sign --yes "${IMAGE_TAG}"
	cosign sign --yes "${IMAGE_LATEST}"

	echo "✅ OCI images signed with Cosign (keyless)"

	- name: Generate SLSA Provenance
	run: \|
	# Create provenance attestation
	cat > provenance.json <<EOF
	{
	"buildType": "https://github.com/pulseengine/bazel-file-ops-component/release@v1",
	"builder": {
	"id": "https://github.com/actions/runner"
	},
	"invocation": {
	"configSource": {
	"uri": "${{ github.server_url }}/${{ github.repository }}",
	"digest": {
	"sha1": "${{ github.sha }}"
	}
	}
	},
	"metadata": {
	"buildStartedOn": "$(date -u +%Y-%m-%dT%H:%M:%SZ)",
	"completeness": {
	"parameters": true,
	"environment": false,
	"materials": false
	}
	},
	"materials": [
	{
	"uri": "${{ github.server_url }}/${{ github.repository }}",
	"digest": {
	"sha1": "${{ github.sha }}"
	}
	}
	]
	}
	EOF

	# Attest the provenance
	cosign attest --yes \
	--predicate provenance.json \
	--type slsaprovenance \
	"${IMAGE_TAG}"

	echo "✅ SLSA provenance attestation created"

	- name: Verify Signatures
	run: \|
	# Verify the signature
	cosign verify \
	--certificate-identity-regexp="https://github.com/${{ github.repository }}" \
	--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
	"${IMAGE_TAG}" \|\| echo "Note: Signature verification may require specific conditions"

	echo "✅ Signature verification completed"

	- name: Upload Release Assets
	uses: softprops/action-gh-release@v2
	with:
	files: \|
	file_ops_component.wasm
	file_ops_component.wasm.sha256
	body: \|
	## 🎉 Bazel File Operations Component Release

	### 📦 What's Included

	- Unsigned WASM Component (`file_ops_component.wasm`) - Ready to use
	- SHA256 Checksum - For integrity verification
	- Signed OCI Artifact - Available at `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG}`

	### 🔐 Security Features

	- ✅ OCI Artifact Signing - Signed with Cosign using GitHub OIDC (keyless)
	- ✅ SLSA Provenance - Build attestation included
	- ✅ SHA256 Checksums - For download verification

	### 🚀 Usage

	#### Download WASM Component
	```bash
	# Download and verify checksum
	wget https://github.com/${{ github.repository }}/releases/download/${TAG}/file_ops_component.wasm
	wget https://github.com/${{ github.repository }}/releases/download/${TAG}/file_ops_component.wasm.sha256
	sha256sum -c file_ops_component.wasm.sha256
	```

	#### Pull Signed OCI Artifact
	```bash
	# Pull the signed OCI artifact with oras
	oras pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG}

	# Verify signature with Cosign
	cosign verify \
	--certificate-identity-regexp="https://github.com/${{ github.repository }}" \
	--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG}

	# Verify SLSA provenance
	cosign verify-attestation \
	--type slsaprovenance \
	--certificate-identity-regexp="https://github.com/${{ github.repository }}" \
	--certificate-oidc-issuer="https://token.actions.githubusercontent.com" \
	${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG}
	```

	### 📋 Integration with rules_wasm_component

	See [INTEGRATION.md](https://github.com/${{ github.repository }}/blob/main/INTEGRATION.md) for details on using this component.

	### 🔍 Verification

	All releases are:
	- Built in GitHub Actions with full transparency
	- Signed with Cosign using keyless signing (GitHub OIDC)
	- Attested with SLSA provenance
	- Checksummed with SHA256
	tag_name: ${{ github.event_name == 'workflow_dispatch' && inputs.tag \|\| github.event.release.tag_name }}

	- name: Create Release Summary
	run: \|
	echo "## 🚀 Release Summary" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "### 📦 Published Artifacts" >> $GITHUB_STEP_SUMMARY
	echo "- WASM Component: \`file_ops_component.wasm\` ($(ls -lh file_ops_component.wasm \| awk '{print $5}'))" >> $GITHUB_STEP_SUMMARY
	echo "- OCI Artifact: \`${IMAGE_TAG}\`" >> $GITHUB_STEP_SUMMARY
	echo "- OCI Artifact (latest): \`${IMAGE_LATEST}\`" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "### 🔐 Security" >> $GITHUB_STEP_SUMMARY
	echo "- ✅ OCI artifact signed with Cosign (keyless OIDC)" >> $GITHUB_STEP_SUMMARY
	echo "- ✅ SLSA provenance attestation" >> $GITHUB_STEP_SUMMARY
	echo "- ✅ SHA256 checksums provided" >> $GITHUB_STEP_SUMMARY
	echo "" >> $GITHUB_STEP_SUMMARY
	echo "### 🔗 Links" >> $GITHUB_STEP_SUMMARY
	echo "- [Download WASM](https://github.com/${{ github.repository }}/releases/tag/${TAG})" >> $GITHUB_STEP_SUMMARY
	echo "- [Pull OCI Artifact](${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${TAG})" >> $GITHUB_STEP_SUMMARY

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Release #2

Workflow file

Release #2

Uh oh!

Jobs

Run details

Workflow file for this run