
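---
# Release pipeline: builds/pushes/tests the images via a reusable workflow, then
# attaches provenance and documents to the GitHub release and rewrites the
# release notes. All jobs start from an empty permission set and request only
# the scopes they use.
name: Release Build
on:
  release:
    types: [published]
  # NOTE(review): every release-editing job below addresses the release by
  # github.ref_name, so a manual dispatch only works when started from an
  # existing release tag, not from a branch.
  workflow_dispatch:
concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  # NOTE(review): cancelling a release run mid-flight can leave an already
  # pushed image without its provenance/SBOM/document release assets; consider
  # `false` for this workflow and keep cancellation for CI-only workflows.
  cancel-in-progress: true
# Default to no token permissions; each job opts in to what it needs.
permissions: {}
jobs:
  build-push-test:
    name: Build → Push → Test
    uses: ./.github/workflows/build-push-test.yml
    permissions:
      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
      artifact-metadata: write # is needed by actions/attest-build-provenance to write artifact metadata
      attestations: write # is needed by actions/attest-build-provenance to push attestations
      contents: write # is needed by anchore/sbom-action for artifact uploads
      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
      packages: write # is needed to push image manifest when using GitHub Container Registry
      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
  apply-release-notes-template:
    name: 📝 Apply Release Template
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    steps:
      # TODO(security): all jobs run harden-runner in `audit` mode; once the
      # audit logs have settled the endpoint list, switch to
      # `egress-policy: block` with `allowed-endpoints` so a compromised step
      # cannot exfiltrate the job token.
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Amend release description
        # Inserts .github/RELEASE_TEMPLATE.md between the first "## " heading of
        # the current release body and the rest of the notes. Inputs come in
        # through env, never through ${{ }} in the script, so the ref name
        # cannot inject into the shell.
        run: |
          set -Eeuo pipefail
          CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
          TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
          BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
          gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
        env:
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}
  update-release-notes:
    name: Update Release Notes (🍨 ${{ matrix.flavor }})
    strategy:
      # Every flavor does a read-modify-write of the same release body
      # (gh release view → gh release edit). Running the flavors concurrently
      # lets the last writer clobber the other flavors' substitutions, so the
      # matrix is serialised.
      max-parallel: 1
      matrix:
        flavor: [base, cpp, rust]
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    needs: [build-push-test, apply-release-notes-template]
    env:
      CONTAINER_FLAVOR: ${{ matrix.flavor }}
      REF_NAME: ${{ github.ref_name }}
      REGISTRY: ghcr.io
    steps:
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          # Containers stay enabled here because the job drives the docker
          # buildx CLI below.
          disable-sudo: true
          egress-policy: audit
      - name: Inspect manifest and extract digest
        id: inspect-manifest
        # Resolves the image digest from the (mutable) tag pushed by
        # build-push-test. The next step's `gh attestation verify` rejects any
        # digest this repository did not attest, so a tag swapped between push
        # and inspection fails the job instead of shipping.
        run: |
          set -Eeuo pipefail
          output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
          echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
        env:
          GH_REPO: ${{ github.repository }}
      - name: Upload provenance to release
        # Verification happens before anything is uploaded: with pipefail a
        # failed `gh attestation verify` aborts the step. Each matching DSSE
        # payload is decoded on its own and written compactly, so the file is
        # valid JSONL even when several attestations are attached to the digest
        # (decoding the concatenated base64 strings in one go is not).
        run: |
          set -Eeuo pipefail
          FORMATTED_DIGEST=${DIGEST//:/_}
          OUT_FILE="${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
          gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' \
            | while IFS= read -r payload; do
                printf '%s\n' "${payload}" | base64 -d | jq -c .
              done > "${OUT_FILE}"
          # An empty file would be uploaded as "provenance" without anyone
          # noticing; fail loudly instead.
          if [ ! -s "${OUT_FILE}" ]; then
            echo "::error::no in-toto provenance payload found for ${DIGEST}" >&2
            exit 1
          fi
          gh release upload "${REF_NAME}" "${OUT_FILE}"
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
          REPOSITORY_NAME: ${{ github.event.repository.name }}
      - name: Update package details in release
        # Replaces the per-flavor version/sha placeholders that the release
        # template introduced with the tag name and the verified digest.
        run: |
          set -Eeuo pipefail
          UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
          gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
  publish-devcontainer-templates:
    name: 📝 Publish templates
    uses: ./.github/workflows/wc-publish-templates.yml
    # NOTE(review): this job has no `needs`, so templates are published even
    # when build-push-test fails. Confirm that is intended; otherwise add
    # `needs: [build-push-test]`.
    permissions:
      packages: write # is needed by devcontainers/action to write templates as OCI artifacts
  generate-documents:
    name: 📄 Documentation
    uses: ./.github/workflows/wc-document-generation.yml
    permissions:
      contents: read
  upload-documents:
    name: 📄 Upload Documents
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    needs: [generate-documents]
    steps:
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          # This job only downloads an artifact and runs gh; it needs neither
          # sudo nor containers, so it gets the same hardening as the other
          # gh-only jobs.
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
        with:
          # NOTE(review): with `pattern:` each artifact is extracted into a
          # subdirectory named after it, which would not match the `./*.pdf`
          # glob below; confirm against the artifact name produced by
          # wc-document-generation (or use `name:` / `merge-multiple: true`).
          pattern: documents
      - name: Upload documents to release
        run: |
          set -Eeuo pipefail
          gh release upload "${REF_NAME}" ./*.pdf
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}
  comment-released-prs:
    name: Comment on released PRs
    runs-on: ubuntu-latest
    # Only announce the release on PRs once the images have actually been
    # built, pushed and tested; previously this ran regardless of the build
    # outcome.
    needs: [build-push-test]
    permissions:
      pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
    steps:
      - uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: rdlf0/comment-released-prs-action@a81897eaea04a5faa8779d28607826ddb033321a # v3.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}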