ci: Don't hardcode the cert identity generation on attestations #53

Workflow file for this run

.github/workflows/release.yml at a142fc0

	name: Release
	on:
	push:
	tags:
	- "v*"

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	version-check:
	name: Check Cargo.toml files version
	runs-on: ubuntu-latest
	steps:
	- name: Download source code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Check cargo file version
	run: \|
	CARGO_VERSION=$(sed -n 's/^version[[:space:]]=[[:space:]]"$.*$"/\1/p' crates/kwctl/Cargo.toml)
	POLICY_SERVER_VERSION=$(sed -n 's/^version[[:space:]]=[[:space:]]"$.*$"/\1/p' crates/policy-server/Cargo.toml)
	TAG_VERSION=$(echo ${{ github.ref_name }} \| sed 's/v//')

	if [ "$CARGO_VERSION" != "$TAG_VERSION" ];then
	echo "::error title=Invalid Cargo.toml version::crates/kwctl/Cargo.toml version does not match the tag version"
	exit 1
	fi

	if [ "$POLICY_SERVER_VERSION" != "$TAG_VERSION" ];then
	echo "::error title=Invalid Cargo.toml version::crates/policy-server/Cargo.toml version does not match the tag version"
	exit 1
	fi

	ci:
	needs: version-check
	uses: ./.github/workflows/ci.yml
	# Specify all permissions explicitly - read for most, write for attestations
	permissions:
	actions: read
	artifact-metadata: read
	attestations: write
	checks: read
	contents: read
	deployments: read
	discussions: read
	id-token: write
	issues: read
	models: read
	packages: read
	pages: read
	pull-requests: read
	repository-projects: read
	security-events: read
	statuses: read
	with:
	run_all: true

	build-containers:
	name: Build container images
	strategy:
	matrix:
	component: [policy-server, kubewarden-controller, audit-scanner]
	arch: [amd64, arm64]
	include:
	- arch: amd64
	runner: ubuntu-latest
	platform: linux/amd64
	- arch: arm64
	runner: ubuntu-24.04-arm
	platform: linux/arm64
	permissions:
	packages: write # Pushing images to ghcr.io
	id-token: write # Signing images with cosign
	runs-on: ${{ matrix.runner }}
	steps:
	- name: Checkout code
	uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	- name: Build, sign, and upload digest
	uses: kubewarden/github-actions/container-build@f1695ca9a575bf58b85d6c3652c7ff7d1d12ec24 # v4.5.16
	with:
	component: ${{ matrix.component }}
	arch: ${{ matrix.arch }}
	platform: ${{ matrix.platform }}
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	merge-containers:
	name: Merge multi-arch manifests
	runs-on: ubuntu-latest
	needs: [build-containers]
	permissions:
	packages: write # Pushing multi-arch manifest to ghcr.io
	id-token: write # Signing images with cosign
	strategy:
	matrix:
	component: [policy-server, kubewarden-controller, audit-scanner]
	steps:
	- name: Merge multi-arch images
	uses: kubewarden/github-actions/merge-multiarch@f1695ca9a575bf58b85d6c3652c7ff7d1d12ec24 # v4.5.16
	with:
	component: ${{ matrix.component }}
	tag: ${{ github.ref_name }}
	arch: amd64,arm64
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

	build-kwctl:
	name: Build kwctl binaries
	uses: ./.github/workflows/build-kwctl.yml
	permissions:
	id-token: write
	attestations: write
	with:
	force_build: true

	attestation:
	name: Generate attestations
	needs: build-containers
	permissions:
	packages: write
	id-token: write
	strategy:
	matrix:
	component: [kubewarden-controller, audit-scanner, policy-server]
	arch: [amd64, arm64]
	uses: ./.github/workflows/attestation.yml
	with:
	component: ${{ matrix.component }}
	arch: ${{ matrix.arch }}

	release:
	name: Create release

	needs:
	- ci
	- merge-containers
	- build-kwctl
	- attestation

	permissions:
	contents: write

	runs-on: ubuntu-latest

	steps:
	- name: Retrieve tag name
	if: ${{ startsWith(github.ref, 'refs/tags/') }}
	run: \|
	echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
	- name: Get latest release tag
	id: get_last_release_tag
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
	with:
	script: \|
	let release = await github.rest.repos.getLatestRelease({
	owner: context.repo.owner,
	repo: context.repo.repo,
	});

	if (release.status === 200 ) {
	core.setOutput('old_release_tag', release.data.tag_name)
	return
	}
	core.setFailed("Cannot find latest release")
	- name: Get release ID from the release created by release drafter
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
	with:
	script: \|
	let releases = await github.rest.repos.listReleases({
	owner: context.repo.owner,
	repo: context.repo.repo,
	});
	for (const release of releases.data) {
	if (release.draft) {
	core.info(release)
	core.exportVariable('RELEASE_ID', release.id)
	return
	}
	}
	core.setFailed(`Draft release not found`)
	- name: Download attestation artifacts
	uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
	with:
	pattern: attestation-*
	merge-multiple: true
	- name: Download kwctl artifacts
	uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
	with:
	pattern: kwctl-*
	merge-multiple: false
	- name: Display structure of downloaded files
	run: ls -R
	- name: Upload release assets
	id: upload_release_assets
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
	with:
	script: \|
	let fs = require('fs');
	let path = require('path');

	let files = [
	'kubewarden-controller-attestation-amd64-provenance.intoto.jsonl',
	'kubewarden-controller-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore',
	'kubewarden-controller-attestation-arm64-provenance.intoto.jsonl',
	'kubewarden-controller-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
	'kubewarden-controller-attestation-amd64-sbom.json',
	'kubewarden-controller-attestation-amd64-sbom.json.bundle.sigstore',
	'kubewarden-controller-attestation-arm64-sbom.json',
	'kubewarden-controller-attestation-arm64-sbom.json.bundle.sigstore',
	'audit-scanner-attestation-amd64-provenance.intoto.jsonl',
	'audit-scanner-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore',
	'audit-scanner-attestation-arm64-provenance.intoto.jsonl',
	'audit-scanner-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
	'audit-scanner-attestation-amd64-sbom.json',
	'audit-scanner-attestation-amd64-sbom.json.bundle.sigstore',
	'audit-scanner-attestation-arm64-sbom.json',
	'audit-scanner-attestation-arm64-sbom.json.bundle.sigstore',
	'policy-server-attestation-amd64-provenance.intoto.jsonl',
	'policy-server-attestation-amd64-provenance.intoto.jsonl.bundle.sigstore',
	'policy-server-attestation-arm64-provenance.intoto.jsonl',
	'policy-server-attestation-arm64-provenance.intoto.jsonl.bundle.sigstore',
	'policy-server-attestation-amd64-sbom.json',
	'policy-server-attestation-amd64-sbom.json.bundle.sigstore',
	'policy-server-attestation-arm64-sbom.json',
	'policy-server-attestation-arm64-sbom.json.bundle.sigstore',
	'./kwctl-airgap-scripts/kubewarden-load-policies.sh',
	'./kwctl-airgap-scripts/kubewarden-save-policies.sh',
	'./kwctl-darwin-aarch64/kwctl-darwin-aarch64.zip',
	'./kwctl-darwin-aarch64-sbom/kwctl-darwin-aarch64-sbom.spdx',
	'./kwctl-darwin-aarch64-sbom/kwctl-darwin-aarch64-sbom.spdx.bundle.sigstore',
	'./kwctl-darwin-x86_64/kwctl-darwin-x86_64.zip',
	'./kwctl-darwin-x86_64-sbom/kwctl-darwin-x86_64-sbom.spdx',
	'./kwctl-darwin-x86_64-sbom/kwctl-darwin-x86_64-sbom.spdx.bundle.sigstore',
	'./kwctl-linux-aarch64/kwctl-linux-aarch64.zip',
	'./kwctl-linux-aarch64-sbom/kwctl-linux-aarch64-sbom.spdx',
	'./kwctl-linux-aarch64-sbom/kwctl-linux-aarch64-sbom.spdx.bundle.sigstore',
	'./kwctl-linux-x86_64/kwctl-linux-x86_64.zip',
	'./kwctl-linux-x86_64-sbom/kwctl-linux-x86_64-sbom.spdx',
	'./kwctl-linux-x86_64-sbom/kwctl-linux-x86_64-sbom.spdx.bundle.sigstore',
	'./kwctl-windows-x86_64/kwctl-windows-x86_64.exe.zip',
	'./kwctl-windows-x86_64-sbom/kwctl-windows-x86_64-sbom.spdx',
	'./kwctl-windows-x86_64-sbom/kwctl-windows-x86_64-sbom.spdx.bundle.sigstore']
	const {RELEASE_ID} = process.env

	for (const file of files) {
	let file_data = fs.readFileSync(file);

	let response = await github.rest.repos.uploadReleaseAsset({
	owner: context.repo.owner,
	repo: context.repo.repo,
	release_id: `${RELEASE_ID}`,
	name: path.basename(file),
	data: file_data,
	});
	}
	- name: Publish release
	uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
	with:
	script: \|
	const {RELEASE_ID} = process.env
	const {TAG_NAME} = process.env
	isPreRelease = ${{ contains(github.ref_name, '-alpha') \|\| contains(github.ref_name, '-beta') \|\| contains(github.ref_name, '-rc') }}
	github.rest.repos.updateRelease({
	owner: context.repo.owner,
	repo: context.repo.repo,
	release_id: `${RELEASE_ID}`,
	draft: false,
	tag_name: `${TAG_NAME}`,
	name: `${TAG_NAME}`,
	prerelease: isPreRelease,
	make_latest: !isPreRelease
	});

	sync-helm-charts:
	name: Trigger Helm Charts Sync Workflow
	needs: release
	runs-on: ubuntu-latest
	steps:
	- uses: actions/create-github-app-token@fee1f7d63c2ff003460e3d139729b119787bc349 # v2.2.2
	id: generate-token
	with:
	app-id: ${{ secrets.APP_ID }}
	private-key: ${{ secrets.APP_PRIVATE_KEY }}
	owner: ${{ github.repository_owner }}
	repositories: \|
	helm-charts
	- name: Trigger chart update
	env:
	GH_TOKEN: ${{ steps.generate-token.outputs.token }}
	run: \|
	echo '{
	"event_type": "release-adm-controller",
	"client_payload": {
	"source_repo": "${{ github.repository }}",
	"tag": "${{ github.ref_name }}"
	}
	}' > payload.json
	gh api repos/${{ github.repository_owner }}/helm-charts/dispatches \
	-X POST \
	--input payload.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: Don't hardcode the cert identity generation on attestations #53

Workflow file

ci: Don't hardcode the cert identity generation on attestations #53

Uh oh!

Workflow file for this run