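# Release pipeline: runs the test suite, opens a Chainloop attestation, builds and
# publishes the CLI + container images with goreleaser, attaches SBOMs to the
# attestation and the GitHub release, pushes the attestation and links it from the
# release notes.
#
# Review notes (supply chain / least privilege):
#   - The Chainloop installer is fetched unpinned and unverified and piped to bash in
#     jobs that hold CHAINLOOP_TOKEN, GITHUB_TOKEN (contents/packages write) and the
#     cosign signing key. Pin a release and verify its checksum before executing it.
#   - goreleaser is installed as "latest"; pin a version so a release is reproducible.
#   - The reusable test workflow is referenced by the mutable "main" ref.
#   - Values taken from the workflow context (tag name, attestation id/digest) are
#     passed to shell via environment variables rather than inline ${{ }} templating,
#     so they cannot inject into the script text.
name: Build, Package and Release
on:
  push:
    tags:
      - "v*.*.*"
# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
# Default token permissions are read-only; jobs that need to write opt in explicitly.
permissions:
  contents: read
jobs:
  test:
    # NOTE(review): "@main" is a mutable ref; a change to the upstream test workflow
    # lands here unreviewed. Pin to a commit SHA like the actions below.
    uses: chainloop-dev/chainloop/.github/workflows/test.yml@main
  init_attestation:
    runs-on: ubuntu-latest
    needs: test
    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
    outputs:
      attestation_id: ${{ steps.init_attestation.outputs.attestation_id }}
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Install Chainloop
        # NOTE(review): unpinned, unverified script piped to bash while CHAINLOOP_TOKEN
        # is available to the job. Pin a release and verify its checksum. TODO
        run: |
          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
      - name: Initialize Attestation
        id: init_attestation
        env:
          CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
          CHAINLOOP_WORKFLOW_NAME: "release"
          CHAINLOOP_PROJECT_NAME: "chainloop"
        run: |
          attestation_id=$(chainloop attestation init --workflow "$CHAINLOOP_WORKFLOW_NAME" --project "$CHAINLOOP_PROJECT_NAME" --release --remote-state -o json | jq -r '.attestationID')
          # jq -r prints the literal string "null" when the key is missing; neither that
          # nor an empty string is a usable id, so fail here instead of in a later job.
          if [ -z "$attestation_id" ] || [ "$attestation_id" = "null" ]; then
            echo "::error::chainloop attestation init did not return an attestation id" >&2
            exit 1
          fi
          echo "attestation_id=$attestation_id" >> "$GITHUB_OUTPUT"
  release:
    name: Release CLI and control-plane/artifact-cas container images
    needs: init_attestation
    runs-on: ubuntu-latest
    if: github.ref_type == 'tag' # Guard to make sure we are releasing once
    permissions:
      contents: write # required for goreleaser to upload the release assets
      packages: write # to push container images
      pull-requests: write # to open the version-bump PR
    env:
      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
      ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
      GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      # Tag name is user-controlled (anyone who can push a tag); only consume it from
      # the environment, never via inline ${{ }} in a run: script.
      RELEASE_TAG: ${{ github.ref_name }}
    outputs:
      attestation_hash: ${{ steps.attest_goreleaser.outputs.attestation_hash }}
    steps:
      - name: Install Cosign
        # Action pinned to a commit on its main branch (not a release tag); cosign itself is v2.2.3.
        uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
        with:
          cosign-release: "v2.2.3"
      - name: Install Chainloop
        # NOTE(review): unpinned, unverified script piped to bash in the job that holds
        # the cosign key and write tokens. Pin a release and verify its checksum. TODO
        run: |
          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Docker login to Github Packages
        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
        with:
          go-version: "1.23.6"
      # install qemu binaries for multiarch builds (needed by goreleaser/buildx)
      - name: Setup qemu
        id: qemu
        uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
      - name: Install Syft
        # The install script is pinned by commit, but without a version argument it
        # installs whatever syft release is current at run time. NOTE(review): pass a
        # pinned syft version to the script so SBOM generation is reproducible. TODO
        run: |
          # Install Syft
          wget --no-verbose https://raw.githubusercontent.com/anchore/syft/c43f4fb416c34c1c4b3997373689d8d4c0fb9b36/install.sh -O - | sh -s -- -b /usr/local/bin
      - name: Run GoReleaser
        id: release
        uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0
        with:
          distribution: goreleaser
          # NOTE(review): "latest" resolves to a different goreleaser binary over time;
          # pin a version for reproducible releases. TODO
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Long-lived signing key held in repository secrets; the signer is whoever
          # can run this workflow.
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
          POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
      - name: Generate SBOMs, upload to release and attest
        id: attest_goreleaser
        run: |
          # goreleaser output resides in dist/artifacts.json
          # Attest all built containers and manifests
          images=$(jq -r '.[] | select(.type=="Docker Image" or .type=="Docker Manifest") | .path' dist/artifacts.json)
          for entry in $images; do
            # exclude the mutable "latest" tag; only version-tagged images are attested
            if [[ $entry == *latest ]]; then
              continue
            fi
            # image reference without the registry/repository prefix
            material_name="${entry##*/}"
            sbom="/tmp/sbom-${material_name}.cyclonedx.json"
            # "-file" is an argument to --select-catalogers (presumably syft's selection
            # expression deselecting the file catalogers), not a separate flag. TODO confirm
            syft -o "cyclonedx-json=${sbom}" --select-catalogers -file "$entry"
            chainloop attestation add --value "$entry" --kind CONTAINER_IMAGE --attestation-id "$ATTESTATION_ID"
            chainloop attestation add --value "$sbom" --kind SBOM_CYCLONEDX_JSON --attestation-id "$ATTESTATION_ID"
            # Upload the SBOM to the release
            gh release upload "$RELEASE_TAG" "$sbom" --clobber
          done
      - name: Bump Chart and Dagger Version
        run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger "$RELEASE_TAG"
      - name: Bump Project Version
        run: .github/workflows/utils/bump-project-version.sh
      - name: Create Pull Request
        uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
        with:
          commit-message: Bump Chart and Dagger Version ${{ github.ref_name }}
          signoff: true
          base: main
          title: Bump Helm Chart and Dagger Version => ${{ github.ref_name }}
          body: |
            A new Chainloop release is available! Bumping Helm Chart reference and Dagger version to ${{ github.ref_name }}
          labels: |
            automated
            helm
  finish_attestation:
    name: Finish Attestation
    runs-on: ubuntu-latest
    needs:
      - init_attestation
      - release
    # Must run even when "release" failed or was cancelled, otherwise the reset steps
    # below are never reached and the attestation stays open. Requires an attestation
    # id, hence the check on init_attestation.
    if: ${{ always() && needs.init_attestation.result == 'success' }}
    env:
      CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
      ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
    outputs:
      # Empty when the push step did not run (release failed/cancelled).
      attestation_hash: ${{ steps.attestation_push.outputs.attestation_sha }}
    steps:
      - name: Install Chainloop
        # NOTE(review): unpinned, unverified script piped to bash. Pin and verify. TODO
        run: |
          curl -sfL https://docs.chainloop.dev/install.sh | bash -s
      - name: Finish and Record Attestation
        id: attestation_push
        if: ${{ needs.release.result == 'success' }}
        run: |
          chainloop attestation push --attestation-id "$ATTESTATION_ID"
          attestation_sha=$(chainloop wf run describe --id "$ATTESTATION_ID" -o json | jq -r '.digest')
          # check that the command succeeded ("null" is what jq prints for a missing key)
          if [ -z "$attestation_sha" ] || [ "$attestation_sha" = "null" ]; then
            echo "::error::could not read the digest of the pushed attestation" >&2
            exit 1
          fi
          echo "attestation_sha=$attestation_sha" >> "$GITHUB_OUTPUT"
      - name: Mark attestation as failed
        # Either the push above failed or the release job itself failed.
        if: ${{ failure() || needs.release.result == 'failure' }}
        run: |
          chainloop attestation reset --attestation-id "$ATTESTATION_ID"
      - name: Mark attestation as cancelled
        if: ${{ cancelled() || needs.release.result == 'cancelled' }}
        run: |
          chainloop attestation reset --trigger cancellation --attestation-id "$ATTESTATION_ID"
  modify_release_notes:
    # Only link an attestation that was actually pushed.
    if: ${{ needs.finish_attestation.result == 'success' && needs.finish_attestation.outputs.attestation_hash != '' }}
    needs: finish_attestation
    runs-on: ubuntu-latest
    permissions:
      contents: write # gh release edit
    steps:
      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
      - name: Add attestation link to release notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          ATTESTATION_SHA: ${{ needs.finish_attestation.outputs.attestation_hash }}
          RELEASE_TAG: ${{ github.ref_name }}
        run: |
          # Never write a link with an empty digest into the release notes.
          if [ -z "$ATTESTATION_SHA" ]; then
            echo "::error::no attestation digest available; not touching the release notes" >&2
            exit 1
          fi
          section="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${ATTESTATION_SHA})"
          current_notes=$(gh release view "$RELEASE_TAG" --json body -q '.body')
          if printf '%s\n' "$current_notes" | grep -q '^## Chainloop Attestation'; then
            # A previous run already added the section (e.g. a re-run of this workflow):
            # drop the old two-line section and the blank line(s) after it, then re-add
            # the fresh one at the top. sed works one line at a time, so the section
            # cannot be matched with a single "\n" regex.
            current_notes=$(printf '%s\n' "$current_notes" | awk '
              /^## Chainloop Attestation/ { skip = 2 }
              skip > 0 { skip--; trailing = 1; next }
              trailing && /^[[:space:]]*$/ { next }
              { trailing = 0; print }
            ')
          fi
          # Add the Chainloop Attestation section to the top
          modified_notes="$section"$'\n\n'"$current_notes"
          # Update the release notes and ignore if it fails since we might be lacking
          # permissions to edit them. Note this also masks any other gh error.
          gh release edit "$RELEASE_TAG" -n "$modified_notes" || echo -n "Not enough permissions to edit the release notes. Skipping..."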