-
Notifications
You must be signed in to change notification settings - Fork 7
100 lines (96 loc) · 3.96 KB
/
release-build.yml
File metadata and controls
100 lines (96 loc) · 3.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
---
name: Release Build
on:
push:
# This workflow should only run on tags, it will trigger when release-please
# kicks-off the release process.
tags: ["v*.*.*"]
workflow_dispatch:
concurrency:
group: ${{ github.ref }}-${{ github.workflow }}
cancel-in-progress: true
permissions: {}
jobs:
build-push-test:
uses: ./.github/workflows/wc-build-push-test.yml
secrets:
TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
permissions:
actions: read
attestations: write
checks: write
contents: write
id-token: write
packages: write
pull-requests: write
with:
# Disable the cache for release builds
enable-cache: false
apply-release-notes-template:
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Amend release description
run: |
set -Eeuo pipefail
CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
env:
GITHUB_TOKEN: ${{ github.token }}
REF_NAME: ${{ github.ref_name }}
update-release-notes:
strategy:
matrix:
flavor: [cpp, rust]
runs-on: ubuntu-latest
permissions:
contents: write
needs: [build-push-test, apply-release-notes-template]
env:
CONTAINER_FLAVOR: ${{ matrix.flavor }}
REF_NAME: ${{ github.ref_name }}
REGISTRY: ghcr.io
steps:
- uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
with:
egress-policy: audit
- name: Inspect manifest and extract digest
id: inspect-manifest
run: |
set -Eeuo pipefail
output=$(docker buildx imagetools inspect "${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
- name: Upload provenance to release
run: |
set -Eeuo pipefail
FORMATTED_DIGEST=${DIGEST//:/_}
gh attestation verify --repo ${{ github.repository }} "oci://${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
gh release upload "${REF_NAME}" ./*.intoto.jsonl
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_TOKEN: ${{ github.token }}
REPOSITORY_OWNER: ${{ github.repository_owner }}
REPOSITORY_NAME: ${{ github.event.repository.name }}
- name: Update package details in release
run: |
set -Eeuo pipefail
UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
env:
DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
GH_TOKEN: ${{ github.token }}