Merge pull request #294 from kyledong-suse/learn-for-namespace #5
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Create a new release for RuntimeEnforcer stack | |
| on: | |
| push: | |
| tags: | |
| - 'v*.*.*' | |
| jobs: | |
| build: | |
| strategy: | |
| matrix: | |
| component: [operator, agent] | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-latest | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| permissions: | |
| contents: read # Access private repos | |
| packages: write | |
| id-token: write | |
| runs-on: ${{ matrix.runner }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Build image | |
| uses: ./.github/actions/container-build | |
| with: | |
| arch: ${{ matrix.arch }} | |
| dockerfile: package/Dockerfile.${{ matrix.component }} | |
| image: ${{ matrix.component }} | |
| repo: ${{ github.repository }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| merge: | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| permissions: | |
| contents: read # Access private repos | |
| packages: write # Pushing multi-arch manifest to ghcr.io | |
| id-token: write # Signing images with cosign | |
| strategy: | |
| matrix: | |
| component: [operator, agent] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Merge images | |
| uses: ./.github/actions/merge-multiarch | |
| with: | |
| arch: amd64,arm64 | |
| image: ${{ matrix.component }} | |
| repo: ${{ github.repository }} | |
| tag: ${{ github.ref_name }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| attest: | |
| name: Sign attestations and upload as artifacts | |
| strategy: | |
| matrix: | |
| component: [operator, agent] | |
| arch: [amd64, arm64] | |
| include: | |
| - arch: amd64 | |
| runner: ubuntu-latest | |
| platform: linux/amd64 | |
| - arch: arm64 | |
| runner: ubuntu-24.04-arm | |
| platform: linux/arm64 | |
| needs: [merge] | |
| permissions: | |
| contents: read # Access private repos | |
| packages: write # Uploading signed artifacts to ghcr.io | |
| id-token: write # Signing images with cosign | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Attestation | |
| uses: ./.github/actions/attestation | |
| with: | |
| arch: ${{ matrix.arch }} | |
| image: ${{ matrix.component }} | |
| repo: ${{github.repository}} | |
| artifact_prefix: RuntimeEnforcer- | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| create-release: | |
| needs: [attest] | |
| permissions: | |
| contents: write # Creating a release | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Retrieve tag name | |
| if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
| run: | | |
| echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV | |
| - name: Get release ID from the release created by release drafter | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| let releases = await github.rest.repos.listReleases({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| }); | |
| for (const release of releases.data) { | |
| if (release.draft) { | |
| core.info(release) | |
| core.exportVariable('RELEASE_ID', release.id) | |
| return | |
| } | |
| } | |
| core.setFailed(`Draft release not found`) | |
| - name: Download attestation artifacts | |
| uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0 | |
| with: | |
| pattern: attestation-RuntimeEnforcer-* | |
| merge-multiple: true | |
| - name: Display structure of downloaded files | |
| run: ls -R | |
| - name: Upload release assets | |
| id: upload_release_assets | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| let fs = require('fs'); | |
| let path = require('path'); | |
| let files = [ | |
| 'RuntimeEnforcer-agent-attestation-amd64-provenance.intoto.jsonl', | |
| 'RuntimeEnforcer-agent-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore', | |
| 'RuntimeEnforcer-agent-attestation-amd64-sbom.json', | |
| 'RuntimeEnforcer-agent-attestation-amd64-sbom.json.bundle.sigstore', | |
| 'RuntimeEnforcer-operator-attestation-amd64-provenance.intoto.jsonl', | |
| 'RuntimeEnforcer-operator-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore', | |
| 'RuntimeEnforcer-operator-attestation-amd64-sbom.json', | |
| 'RuntimeEnforcer-operator-attestation-amd64-sbom.json.bundle.sigstore', | |
| 'RuntimeEnforcer-agent-attestation-arm64-provenance.intoto.jsonl', | |
| 'RuntimeEnforcer-agent-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore', | |
| 'RuntimeEnforcer-agent-attestation-arm64-sbom.json', | |
| 'RuntimeEnforcer-agent-attestation-arm64-sbom.json.bundle.sigstore', | |
| 'RuntimeEnforcer-operator-attestation-arm64-provenance.intoto.jsonl', | |
| 'RuntimeEnforcer-operator-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore', | |
| 'RuntimeEnforcer-operator-attestation-arm64-sbom.json', | |
| 'RuntimeEnforcer-operator-attestation-arm64-sbom.json.bundle.sigstore', | |
| ] | |
| const {RELEASE_ID} = process.env | |
| for (const file of files) { | |
| let file_data = fs.readFileSync(file); | |
| let response = await github.rest.repos.uploadReleaseAsset({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: `${RELEASE_ID}`, | |
| name: path.basename(file), | |
| data: file_data, | |
| }); | |
| } | |
| - name: Publish release | |
| uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 | |
| with: | |
| script: | | |
| const {RELEASE_ID} = process.env | |
| const {TAG_NAME} = process.env | |
| isPreRelease = ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }} | |
| github.rest.repos.updateRelease({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| release_id: `${RELEASE_ID}`, | |
| draft: false, | |
| tag_name: `${TAG_NAME}`, | |
| name: `RuntimeEnforcer ${TAG_NAME}`, | |
| prerelease: isPreRelease, | |
| make_latest: !isPreRelease | |
| }); | |
| update-charts: | |
| needs: [create-release] | |
| uses: ./.github/workflows/update-charts.yml | |
| permissions: | |
| contents: write # for updatecli to update the repository | |
| pull-requests: write # for updatecli to create a PR | |
| secrets: inherit |