openplatform-kubewarden-policies/.github/workflows/release.yaml at 1d1e037634702b31f88b0d6a59c5aff93075b4dd · SUSE/openplatform-kubewarden-policies · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
on:
  workflow_dispatch:
  push:
    tags:
      - "*/v*"

name: Release policy

jobs:
  calculate-policy-from-tag:
    runs-on: ubuntu-latest
    outputs:
      policy-working-dir: ${{ steps.calculate-policy.outputs.policy_working_dir }}
      policy-version: ${{ steps.policy-info.outputs.policy-version }}
      policy-id: ${{ steps.policy-info.outputs.policy-id }}
      policy-name: ${{ steps.policy-info.outputs.policy-basename }}
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Calculate Policy
        id: calculate-policy
        shell: bash
        run: |
          policy_name=$( echo ${{ github.ref_name }} | sed 's/\(.*\)\/\(.*\)$/\1/' )
          policy_working_dir=$( find policies -type d -name "$policy_name")
          echo "policy_working_dir=$policy_working_dir" >> $GITHUB_OUTPUT
      - name: Get policy metadata
        id: policy-info
        uses: ./.github/actions/get-policy-metadata
        with:
          policy-working-dir: "${{ steps.calculate-policy.outputs.policy_working_dir }}"

  ci:
    uses: ./.github/workflows/reusable-ci.yaml
    needs: calculate-policy-from-tag
    with:
      policy-working-dir: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}

  pre-release-checks:
    name: "Pre release checks"
    runs-on: ubuntu-latest
    needs: [calculate-policy-from-tag]
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Check that `io.kubewarden.policy.version` annotation is up-to-date
        shell: bash
        working-directory: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}
        run: |
          VERSION=$(grep 'io.kubewarden.policy.version' metadata.yml | awk '{print $2}' | tr -d '"')
          if [ "$VERSION" != "${{ needs.calculate-policy-from-tag.outputs.policy-version  }}" ]; then
            echo "The value of io.kubewarden.policy.version annotation is not in sync with the expected version: '${VERSION}' != '${{  needs.calculate-policy-from-tag.outputs.policy-version  }}'"
            exit 1
          fi

  release:
    runs-on: ubuntu-latest
    needs: [calculate-policy-from-tag, pre-release-checks, ci]
    permissions:
      # Required to create GH releases
      contents: write
      # Required to push to GHCR
      packages: write
      # Required by cosign keyless signing
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Install dependencies
        uses: ./.github/actions/install-dependencies

      - name: Build Wasm module
        shell: bash
        run: make -C ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }} policy.wasm

      - name: Annotate Wasm module
        shell: bash
        run: |
          make -C ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }} annotated-policy.wasm

      - name: Generate the SBOM files
        shell: bash
        working-directory: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}
        run: |
          # SBOM files should have "sbom" in the name due the CLO monitor
          # https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
          syft scan --output spdx-json=policy-sbom.spdx.json \
            --source-name $(yq '.annotations["io.kubewarden.policy.title"] + "-" + .annotations["io.kubewarden.policy.version"]' metadata.yml) \
            --source-version ${{ github.sha }} \
            -vv dir:.

      - name: Sign BOM file
        shell: bash
        working-directory: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}
        run: |
          cosign sign-blob --yes \
            --bundle policy-sbom.spdx.jsonl.bundle.sigstore \
            policy-sbom.spdx.json

      - name: Upload policy SBOM files
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: policy-sbom
          path: |
            ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}/policy-sbom.spdx.json
            ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}/policy-sbom.spdx.jsonl.bundle.sigstore

      - name: Login to GitHub Container Registry
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Publish Wasm policy artifact to OCI registry with the 'latest' tag
        shell: bash
        if: ${{ startsWith(github.ref, 'refs/heads/') }}
        run: |
          set -ex
          echo Pushing :latest policy to OCI container registry
          IMMUTABLE_REF=$(kwctl push -o json annotated-policy.wasm ghcr.io/${{ github.repository_owner }}/openplatform-kubewarden-policies/${{ needs.calculate-policy-from-tag.outputs.policy-id }}:latest | jq -r .immutable_ref)

          echo Keyless signing of policy using cosign
          cosign sign --yes ${IMMUTABLE_REF}

      - name: Publish Wasm policy artifact to OCI registry with the version tag and 'latest'
        shell: bash
        if: ${{ ! startsWith(github.ref, 'refs/heads/') }}
        working-directory: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}
        run: |
          set -ex
          export OCI_TAG="v${{ needs.calculate-policy-from-tag.outputs.policy-version }}"

          echo Pushing tagged policy to OCI container registry
          IMMUTABLE_REF=$(kwctl push -o json annotated-policy.wasm ghcr.io/${{ github.repository_owner }}/openplatform-kubewarden-policies/${{ needs.calculate-policy-from-tag.outputs.policy-id }}:${OCI_TAG} | jq -r .immutable_ref)

          echo Keyless signing of policy using cosign
          cosign sign --yes ${IMMUTABLE_REF}

      - name: Create release
        id: create-release
        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        with:
          config-name: "release-drafter-${{ needs.calculate-policy-from-tag.outputs.policy-name }}.yml"
          disable-autolabeler: true
          prerelease: ${{ contains(needs.calculate-policy-from-tag.outputs.policy-version, '-alpha') || contains(needs.calculate-policy-from-tag.outputs.policy-version, '-beta') || contains(needs.calculate-policy-from-tag.outputs.policy-version, '-rc') }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload release assets
        if: ${{ ! startsWith(github.ref, 'refs/heads/') }}
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          POLICY_WORKING_DIR: ${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}
          RELEASE_ID: ${{ steps.create-release.outputs.id }}
        with:
          script: |
            let fs = require('fs');
            let path = require('path');
            let workingDir = process.env.POLICY_WORKING_DIR || '.';

            let files = [
            `${workingDir}/policy.wasm`,
            `${workingDir}/policy-sbom.spdx.json`,
            `${workingDir}/policy-sbom.spdx.jsonl.bundle.sigstore`,
            ]
            const {RELEASE_ID} = process.env

            for (const file of files) {
              let file_data = fs.readFileSync(file);

              let response = await github.rest.repos.uploadReleaseAsset({
                owner: context.repo.owner,
                repo: context.repo.repo,
                release_id: `${RELEASE_ID}`,
                name: path.basename(file),
                data: file_data,
              });
            }
      - name: Publish release
        # if we are on a single repo, we obtain the last draft release as it contains the changelog
        # and edit it by adding the artifacts. Then we mark the release as latest
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
        env:
          RELEASE_ID: ${{ steps.create-release.outputs.id }}
        with:
          script: |
            const {RELEASE_ID} = process.env
            const TAG_NAME = "${{ github.ref_name }}";
            isPreRelease = ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }}
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: `${RELEASE_ID}`,
              draft: false,
              tag_name: TAG_NAME,
              name: TAG_NAME,
              prerelease: isPreRelease,
              make_latest: !isPreRelease
            });

      - name: Publish to ArtifactHub
        uses: ./.github/actions/push-artifacthub
        with:
          policy-working-dir: "${{ needs.calculate-policy-from-tag.outputs.policy-working-dir }}"
          version: "${{ needs.calculate-policy-from-tag.outputs.policy-version }}"