
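---
name: Release Build

# Runs for version tags (pushed by release-please) or on manual dispatch.
on:
  push:
    # This workflow should only run on tags, it will trigger when release-please
    # kicks-off the release process.
    tags: ["v*.*.*"]
  workflow_dispatch:

# One run per ref and workflow; a newer run for the same ref cancels the older one.
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true

# No default token permissions at the workflow level; every job below declares
# exactly what it needs.
permissions: {}

jobs:
  build-push-test:
    name: Build, Push and Test (🍨 ${{ matrix.flavor }})
    strategy:
      matrix:
        flavor: [cpp, rust]
    uses: ./.github/workflows/wc-build-push-test.yml
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
    # NOTE(review): `id-token`, `attestations` and `packages` are consistent with
    # the image being pushed and attested; `checks` and `pull-requests: write`
    # are presumably required by the reusable workflow — confirm against
    # wc-build-push-test.yml so a tag build is not granted more than it uses.
    permissions:
      actions: read
      attestations: write
      checks: write
      contents: write
      id-token: write
      packages: write
      pull-requests: write
    with:
      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
      image-name: ${{ github.repository }}-${{ matrix.flavor }}
      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
      # Acceptance tests and the test devcontainer only exist for the cpp flavor.
      acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
      test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}

  apply-release-notes-template:
    name: 📝 Apply Release Template
    runs-on: ubuntu-latest
    permissions:
      # `contents: write` is needed to modify a release.
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write
    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      # The checkout is only needed to read .github/RELEASE_TEMPLATE.md; the
      # token is not kept in the git config because `gh` gets it via GH_TOKEN.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Amend release description
        # Rewrites the release notes as: first "## " heading line, then the
        # template, then the rest of the original notes. Anything before the
        # first "## " heading is dropped.
        run: |
          set -Eeuo pipefail
          CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          # printf rather than echo so note bodies are never interpreted as echo options.
          HEADER=$(printf '%s\n' "$CURRENT_NOTES" | awk '/^## / {print; exit}')
          if [ -z "${HEADER}" ]; then
            # Without a heading the sed range below runs to end of input and the
            # existing notes would be replaced by the template alone; fail instead.
            echo "::error::No '## ' heading found in the release notes of ${REF_NAME}; leaving them unchanged."
            exit 1
          fi
          TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
          # GNU sed `0,/re/`: delete from the first line up to and including the heading.
          BODY=$(printf '%s\n' "$CURRENT_NOTES" | sed "0,/^## /d")
          # NOTE(review): $(...) strips HEADER's trailing newline, so the template
          # is joined directly onto the heading line — assumes RELEASE_TEMPLATE.md
          # starts with a blank line; confirm.
          gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
        env:
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}

  update-release-notes:
    name: Update Release Notes (🍨 ${{ matrix.flavor }})
    strategy:
      matrix:
        flavor: [cpp, rust]
    runs-on: ubuntu-latest
    permissions:
      # `contents: write` is needed to modify a release.
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write
    needs: [build-push-test, apply-release-notes-template]
    env:
      CONTAINER_FLAVOR: ${{ matrix.flavor }}
      REF_NAME: ${{ github.ref_name }}
      REGISTRY: ghcr.io
    steps:
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - name: Inspect manifest and extract digest
        id: inspect-manifest
        # Reads the manifest of the image tagged with this release; falls back to
        # the first entry of `.manifests` when `.manifest.digest` is absent.
        run: |
          set -Eeuo pipefail
          output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
          echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
        env:
          GH_REPO: ${{ github.repository }}
      - name: Upload provenance to release
        # Verifies the image's attestation against this repository, extracts the
        # in-toto payload, and attaches it to the release. `pipefail` makes a
        # failed verification fail the step before anything is uploaded.
        run: |
          set -Eeuo pipefail
          # ':' is not usable in the file name, so "sha256:abc" becomes "sha256_abc".
          FORMATTED_DIGEST=${DIGEST//:/_}
          gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
          gh release upload "${REF_NAME}" ./*.intoto.jsonl
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
          REPOSITORY_NAME: ${{ github.event.repository.name }}
      - name: Update package details in release
        # Fills the per-flavor version and digest placeholders that the release
        # template contains. This job has no checkout, so `gh` selects the
        # repository from GH_REPO.
        run: |
          set -Eeuo pipefail
          UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
          gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}

  upload-documents:
    name: 📄 Upload Documents
    runs-on: ubuntu-latest
    permissions:
      # `contents: write` is needed to modify a release.
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write
    needs: [build-push-test]
    steps:
      # Same runner hardening as the other jobs in this workflow (it was the
      # only job without it); egress is audited, not blocked.
      - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      # NOTE(review): with `pattern`, download-artifact places each matching
      # artifact in its own directory unless `merge-multiple: true` is set;
      # confirm that `./*.pdf` below matches where the files land.
      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          pattern: documents
      - name: Upload documents to release
        # No checkout in this job, so `gh` selects the repository from GH_REPO.
        run: |
          set -Eeuo pipefail
          gh release upload "${REF_NAME}" ./*.pdf
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}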