ci(release): Bump attestation GHA to 4.6.0 #619
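name: CI

on:
  workflow_call:
    inputs:
      run_all:
        description: "Run all checks (ignore path filtering)"
        required: false
        type: boolean
        default: true
  push:
  pull_request:
    types: [opened, synchronize, reopened, labeled]
  workflow_dispatch:
    inputs:
      run_all:
        description: "Run all checks (ignore path filtering)"
        required: false
        type: boolean
        default: false

# Declare default permissions as read only. The one job that needs more
# (build-kwctl) requests it explicitly at job level, so the GITHUB_TOKEN
# handed to every other job cannot write to the repository.
permissions: read-all

jobs:
  # Detect which files changed to run appropriate checks.
  #
  # Outputs (each "true" or "false"):
  #   go       - the Go jobs should run
  #   rust     - the Rust jobs should run
  #   ci-full  - everything should run (run_all input or the "ci-full" label)
  #
  # Label semantics: "ci-full" / "ci-go" / "ci-rust" force the matching jobs
  # on. When the run was triggered by *adding* one of those labels, only the
  # label decides and path detection is skipped; on any other PR event the
  # label result is OR-ed with path detection.
  #
  # The decision fails open: if the base commit for the diff cannot be
  # resolved, all checks run rather than none.
  changes:
    name: Detect changes
    runs-on: ubuntu-latest
    outputs:
      go: ${{ steps.changed-files.outputs.go }}
      rust: ${{ steps.changed-files.outputs.rust }}
      ci-full: ${{ steps.changed-files.outputs.ci-full }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # full history, so the base commit is available to diff against
      - name: Detect changed files
        id: changed-files
        # Event payload values are handed to the script through the environment
        # instead of being interpolated into it with ${{ }}. The runner does no
        # shell escaping on interpolated values, and label names can be chosen
        # by anyone with triage permission, so a crafted label name could
        # otherwise break out of the quoting and run commands in this job.
        env:
          RUN_ALL: ${{ inputs.run_all }}
          EVENT_NAME: ${{ github.event_name }}
          EVENT_ACTION: ${{ github.event.action }}
          PR_LABELS: ${{ toJson(github.event.pull_request.labels.*.name) }}
          EVENT_LABEL: ${{ github.event.label.name }}
          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
          PUSH_BEFORE_SHA: ${{ github.event.before }}
        run: |
          set -euo pipefail

          go=false
          rust=false
          full=false
          skip_path_detection=false

          # Exact match of a label name against the JSON array of PR labels.
          # (A plain substring grep would also match e.g. "ci-go-experimental".)
          # PR_LABELS is "null" on non-PR events; '.[]?' yields nothing then.
          has_label() {
            jq -r '.[]?' <<<"${PR_LABELS:-null}" | grep -qxF -- "$1"
          }

          # If run_all input is true (from workflow_call or workflow_dispatch), run everything
          if [ "$RUN_ALL" = "true" ]; then
            echo "run_all=true, running all checks"
            full=true
          elif [ "$EVENT_NAME" = "pull_request" ]; then
            # Check for CI trigger labels on PRs
            echo "PR labels: $PR_LABELS"
            if has_label ci-full; then
              echo "Label 'ci-full' found, running all checks"
              full=true
            else
              if has_label ci-go; then
                echo "Label 'ci-go' found, running Go checks"
                go=true
              fi
              if has_label ci-rust; then
                echo "Label 'ci-rust' found, running Rust checks"
                rust=true
              fi
            fi
            # A 'labeled' event for one of the CI labels is an explicit request:
            # honour the label alone and do not fall back to path detection.
            if [ "$EVENT_ACTION" = "labeled" ]; then
              case "$EVENT_LABEL" in
                ci-full|ci-go|ci-rust)
                  echo "Triggered by label event, skipping path detection"
                  skip_path_detection=true
                  ;;
              esac
            fi
          fi

          if [ "$full" = true ]; then
            go=true
            rust=true
          elif [ "$skip_path_detection" = false ]; then
            # Determine base ref for comparison
            if [ "$EVENT_NAME" = "pull_request" ]; then
              BASE_REF="$PR_BASE_SHA"
            else
              # For push events, compare with the previous tip of the branch.
              # The all-zero SHA (or an empty value, e.g. on a tag or release
              # trigger routed through workflow_call) means there is no previous
              # tip, so compare with the parent commit instead.
              BASE_REF="$PUSH_BEFORE_SHA"
              if [ -z "$BASE_REF" ] || [ "$BASE_REF" = "0000000000000000000000000000000000000000" ]; then
                BASE_REF="HEAD^"
              fi
            fi

            # After a force-push github.event.before may no longer be reachable,
            # and HEAD^ does not exist on a root commit. A failing 'git diff'
            # must not be reported as "nothing changed" (which would skip every
            # test), so resolve the base first and run everything if it is gone.
            if ! git cat-file -e "${BASE_REF}^{commit}" 2>/dev/null; then
              echo "Base commit '$BASE_REF' cannot be resolved, running all checks"
              go=true
              rust=true
            else
              echo "Comparing against base: $BASE_REF"
              CHANGED=$(git diff --name-only "$BASE_REF" HEAD)

              # Check for Go file changes
              GO_CHANGES=$(grep -E '\.(go)$|^go\.(mod|sum)$|^Makefile$|^\.golangci\.yml$|^cmd/|^api/|^internal/|^audit-scanner/' <<<"$CHANGED" || true)
              if [ -n "$GO_CHANGES" ]; then
                go=true
                echo "Go files changed:"
                echo "$GO_CHANGES"
              else
                echo "No Go files changed"
              fi

              # Check for Rust file changes
              RUST_CHANGES=$(grep -E '^crates/.*\.rs$|^crates/.*/Cargo\.(toml|lock)$|^Cargo\.(toml|lock)$|^rust-toolchain\.toml$|^crates/Makefile$' <<<"$CHANGED" || true)
              if [ -n "$RUST_CHANGES" ]; then
                rust=true
                echo "Rust files changed:"
                echo "$RUST_CHANGES"
              else
                echo "No Rust files changed"
              fi
            fi
          fi

          # Write each output exactly once. Appending the same key twice (first
          # from the label check, then from path detection) leaves the runner
          # with the last value, which could turn a label-requested "true" into
          # "false" on a synchronize event with no matching file changes.
          {
            echo "go=$go"
            echo "rust=$rust"
            echo "ci-full=$full"
          } >> "$GITHUB_OUTPUT"

  # Go jobs
  test-go:
    name: Go tests
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26"
          check-latest: true # Always check for the latest patch release
      - run: make test-go
      - name: Upload Go test coverage to Codecov
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        env:
          # Empty on pull requests from forks (secrets are not exposed there).
          CODECOV_TOKEN: ${{ secrets.CODECOV_ORG_TOKEN }}
        with:
          name: go-tests
          files: coverage/cover.out
          flags: go-tests
          verbose: true

  e2e-go:
    name: Go e2e tests
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26"
          check-latest: true # Always check for the latest patch release
      - run: make test-e2e

  golangci:
    name: Golangci-lint
    needs: changes
    if: needs.changes.outputs.go == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
        with:
          go-version: "1.26"
          check-latest: true # Always check for the latest patch release
      - name: golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.11.3

  # Rust jobs
  #
  # The crate list is derived from the directory names under crates/. Those
  # names end up in `make -C crates/<name>`; they are quoted via an env var in
  # the per-crate jobs so a name with spaces or shell metacharacters cannot
  # change the command. (This is hygiene rather than a trust boundary: a PR
  # author who can add a directory can also edit the Makefile it runs.)
  calculate-crates-matrix:
    name: Calculate crates matrix
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    outputs:
      matrix: ${{ steps.set-matrix.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: List crate folders
        id: set-matrix
        run: |
          set -euo pipefail
          # One matrix entry per directory directly under crates/ (crates/Makefile
          # is a file and is therefore skipped by -type d).
          # Exclude context-aware-test-policy as it's a test fixture, not a standalone crate.
          CRATES=$(find crates -mindepth 1 -maxdepth 1 -type d -printf '%f\n' \
            | grep -vx 'context-aware-test-policy' \
            | sort \
            | jq -R -s -c 'split("\n")[:-1]')
          echo "matrix={\"crate\":$CRATES}" >> "$GITHUB_OUTPUT"

  fmt-rust-per-crate:
    needs: calculate-crates-matrix
    name: Rustfmt (${{ matrix.crate }})
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.calculate-crates-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Run cargo fmt"
        env:
          CRATE: ${{ matrix.crate }}
        run: make -C "crates/${CRATE}" fmt

  clippy-rust-per-crate:
    needs: calculate-crates-matrix
    name: Clippy (${{ matrix.crate }})
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.calculate-crates-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Run cargo clippy"
        env:
          CRATE: ${{ matrix.crate }}
        run: make -C "crates/${CRATE}" lint

  unit-tests-rust-per-crate:
    needs: calculate-crates-matrix
    name: Unit tests (${{ matrix.crate }})
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{ fromJson(needs.calculate-crates-matrix.outputs.matrix) }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: "Run cargo test"
        env:
          CRATE: ${{ matrix.crate }}
        run: make -C "crates/${CRATE}" unit-tests

  integration-tests-burrego:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: E2E tests (burrego)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install opa
        uses: kubewarden/github-actions/opa-installer@f1695ca9a575bf58b85d6c3652c7ff7d1d12ec24 # v4.5.16
        with:
          opa-version: v1.12.2
      - name: Install bats
        # Refresh the package index first: the runner image's lists can be
        # stale, and a stale index makes 'install' fail on rotated packages.
        run: sudo apt-get update && sudo apt-get install -y bats
      - name: Run e2e tests
        run: make -C crates/burrego e2e-tests

  integration-tests-kwctl:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: E2E tests (kwctl)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run e2e tests
        run: make -C crates/kwctl e2e-tests

  e2e-tests-sigstore-kwctl:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: E2E tests sigstore (kwctl)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Prepare sigstore environment for testing
        uses: ./.github/actions/setup-sigstore-env
      - name: Run kwctl Sigstore E2E tests
        run: make -C crates/kwctl e2e-tests-sigstore

  e2e-tests-sigstore-policy-server:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: E2E tests sigstore (policy-server)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Prepare sigstore environment for testing
        uses: ./.github/actions/setup-sigstore-env
      - name: Run policy-server Sigstore E2E tests
        run: make -C crates/policy-server e2e-tests-sigstore

  integration-tests-policy-server:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: Integration tests (policy-server)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run integration tests
        run: make -C crates/policy-server integration-tests

  integration-tests-policy-evaluator:
    needs: [changes, calculate-crates-matrix]
    if: needs.changes.outputs.rust == 'true'
    name: Integration tests (policy-evaluator)
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Build kwctl
        run: make -C crates/kwctl build-release
      - name: Setup kwctl
        # The policy-evaluator integration tests expect a kwctl binary on PATH
        # (presumably the Makefile target shells out to it — verify there).
        run: |
          mkdir -p "$HOME/.kwctl"
          cp target/release/kwctl "$HOME/.kwctl/kwctl"
          chmod +x "$HOME/.kwctl/kwctl"
          echo "$HOME/.kwctl" >> "$GITHUB_PATH"
      - name: Install bats
        # apt-get, not apt: apt does not have a stable CLI for scripts.
        run: sudo apt-get update && sudo apt-get install -y bats
      - name: Run integration tests
        run: make -C crates/policy-evaluator integration-tests

  # Advisory only: continue-on-error means this job never blocks a merge, and
  # it is deliberately not part of the ci-success rollup below.
  coverage-rust:
    name: coverage-rust
    runs-on: ubuntu-latest
    continue-on-error: true
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install cargo-llvm-cov
        uses: taiki-e/install-action@cbb1dcaa26e1459e2876c39f61c1e22a1258aac5 # v2.68.33
        with:
          tool: cargo-llvm-cov
      - name: Install cosign # this is needed by some of the e2e tests
        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
      - name: Generate coverage report
        run: |
          mkdir -p coverage/rust
          cargo llvm-cov --ignore-run-fail --doctests --lcov --output-path coverage/rust/lcov.info
      - name: Upload Rust test coverage to Codecov
        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_ORG_TOKEN }}
        with:
          name: rust-tests
          # Must match the --output-path above; a mismatch is silently hidden
          # by continue-on-error and simply drops the upload.
          files: coverage/rust/lcov.info
          flags: rust-tests
          verbose: true

  # Reusable build workflow. This is the only job that needs write scopes:
  # id-token for OIDC (signing/attestation) and attestations to store them.
  # They are granted here, not at workflow level, so nothing else gets them.
  build-kwctl:
    name: Build kwctl
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    permissions:
      id-token: write
      attestations: write
    uses: ./.github/workflows/build-kwctl.yml
    with:
      force_build: true
      build_only: true

  shellcheck:
    name: Shellcheck
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # -exec ... + passes the file list without word splitting on the names.
      - run: find scripts/ -name '*.sh' -exec shellcheck {} +

  spelling:
    name: Spelling check
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Check spelling with typos
        uses: crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0

  charts:
    name: Helm unittest
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Install helm
        uses: azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
      # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777
      # NOTE(review): --verify=false installs an unverified plugin from the
      # network into a job that holds no secrets; revisit once the issue closes.
      - name: Install Helm-unittest
        run: helm plugin install https://github.com/helm-unittest/helm-unittest --verify=false
      - name: Verify common values
        run: make charts-check-common-values
      - name: helm unit tests
        run: make helm-unittest

  validate-hauler-manifest:
    name: Validate Hauler manifest
    needs: changes
    if: needs.changes.outputs.ci-full == 'true'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Run validation script
        run: ./scripts/validate-hauler-manifest.sh

  kwctl-docs:
    name: Check if the kwctl reference documentation is up to date
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Regenerate cli-docs.md and compare
        # Fail the job with exit 1 instead of 'gh run cancel': cancelling needs
        # a GH_TOKEN and actions:write (neither is available under
        # permissions: read-all), and a cancelled run is not a failed check.
        # The message uses single quotes so the backticks are literal text and
        # not a command substitution that re-runs make inside the echo.
        run: |
          make -C crates/kwctl build-docs
          if ! git diff --quiet -- crates/kwctl/cli-docs.md; then
            echo '::error file=crates/kwctl/cli-docs.md::cli-docs.md is out of date. Please run `make -C crates/kwctl build-docs` and commit the changes.'
            git --no-pager diff -- crates/kwctl/cli-docs.md
            exit 1
          fi

  check-kwctl-cross-platform:
    name: Check kwctl (${{ matrix.os }})
    needs: changes
    if: needs.changes.outputs.rust == 'true'
    strategy:
      matrix:
        os: [macos-latest, windows-latest]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: enable git long paths on Windows
        if: matrix.os == 'windows-latest'
        run: git config --global core.longpaths true
      - name: Run cargo check
        run: make -C crates/kwctl check

  # Rollup job for branch protection - single stable job name that depends on all checks.
  # 'always()' makes it run even when upstream jobs were skipped by path
  # filtering; a skipped dependency counts as success, a failed or cancelled
  # one fails the rollup. The 'changes' job itself failing is caught the same way.
  ci-success:
    name: CI Success
    if: always()
    needs:
      - changes
      - test-go
      - e2e-go
      - golangci
      - calculate-crates-matrix
      - fmt-rust-per-crate
      - clippy-rust-per-crate
      - unit-tests-rust-per-crate
      - integration-tests-burrego
      - integration-tests-kwctl
      - e2e-tests-sigstore-kwctl
      - e2e-tests-sigstore-policy-server
      - integration-tests-policy-server
      - integration-tests-policy-evaluator
      - build-kwctl
      - shellcheck
      - spelling
      - charts
      - validate-hauler-manifest
      - kwctl-docs
      - check-kwctl-cross-platform
    runs-on: ubuntu-latest
    steps:
      - name: Check all jobs status
        env:
          ANY_FAILED: ${{ contains(needs.*.result, 'failure') }}
          ANY_CANCELLED: ${{ contains(needs.*.result, 'cancelled') }}
        run: |
          # Check if any job failed or was cancelled
          if [ "$ANY_FAILED" = "true" ] || [ "$ANY_CANCELLED" = "true" ]; then
            echo "One or more jobs failed or were cancelled"
            exit 1
          fi
          echo "All jobs passed or were skipped"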