Merge pull request #1003 from viccuad/main #96
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: policy-server release | |
on: | |
push: | |
tags: | |
- "v*" | |
# Declare default permissions as read only. | |
permissions: read-all | |
jobs: | |
ci: | |
uses: ./.github/workflows/ci.yml | |
permissions: read-all | |
build: | |
name: Build container image | |
permissions: | |
packages: write | |
id-token: write | |
runs-on: ubuntu-latest | |
outputs: | |
repository: ${{ steps.setoutput.outputs.repository }} | |
tag: ${{ steps.setoutput.outputs.tag }} | |
artifact: ${{ steps.setoutput.outputs.artifact }} | |
digest: ${{ steps.setoutput.outputs.digest }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Install cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Retrieve tag name (tag) | |
run: | | |
echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV | |
- name: Push and push container image | |
id: build-image | |
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0 | |
with: | |
context: . | |
file: ./Dockerfile | |
platforms: linux/amd64, linux/arm64 | |
push: true | |
sbom: true | |
provenance: mode=max | |
tags: | | |
ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }} | |
- name: Sign container image | |
run: | | |
cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} | |
cosign verify \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
--certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \ | |
ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }} | |
- id: setoutput | |
name: Set output parameters | |
run: | | |
echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT | |
sbom: | |
name: Fetch, sign and verify SBOM and provenance files | |
strategy: | |
matrix: | |
arch: [amd64, arm64] | |
permissions: | |
packages: write | |
id-token: write | |
needs: | |
- build | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
- name: Install the crane command | |
uses: kubewarden/github-actions/crane-installer@d94509d260ee11a92b4f65bc0acd297feec24d7f # v3.3.5 | |
- name: Login to GitHub Container Registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Verify container image signature | |
run: | | |
cosign verify \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
--certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \ | |
ghcr.io/${{ github.repository_owner }}/policy-server@${{ needs.build.outputs.digest }} | |
- name: Find platform digest | |
shell: bash | |
run: | | |
set -e | |
DIGEST=$(crane digest \ | |
--platform "linux/${{ matrix.arch }}" \ | |
ghcr.io/${{ github.repository_owner }}/policy-server@${{ needs.build.outputs.digest }}) | |
echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | |
- name: Find attestation digest | |
run: | | |
set -e | |
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ needs.build.outputs.digest }} \ | |
| jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest' | |
) | |
echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | |
- name: Find provenance manifest digest | |
run: | | |
set -e | |
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ | |
jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest') | |
echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | |
- name: Find SBOM manifest layers digest | |
run: | | |
set -e | |
DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \ | |
jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")') | |
echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV" | |
- name: Download provenance and SBOM files | |
run: | | |
set -e | |
crane blob ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} > policy-server-attestation-${{ matrix.arch }}-provenance.json | |
sha256sum policy-server-attestation-${{ matrix.arch }}-provenance.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt | |
for sbom_digest in "${{ env.SBOM_DIGEST }}"; do | |
crane blob ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest > policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json | |
sha256sum policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt | |
done | |
- name: Sign checksum file | |
run: | | |
cosign sign-blob --yes \ | |
--bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \ | |
policy-server-attestation-${{ matrix.arch }}-checksum.txt | |
cosign verify-blob \ | |
--bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \ | |
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \ | |
--certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \ | |
policy-server-attestation-${{ matrix.arch }}-checksum.txt | |
- name: Upload SBOMs as artifacts | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
with: | |
name: attestation-${{ matrix.arch }} | |
path: policy-server-attestation-${{ matrix.arch }}* | |
release: | |
name: Create release | |
needs: | |
- ci | |
- build | |
- sbom | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Retrieve tag name | |
if: ${{ startsWith(github.ref, 'refs/tags/') }} | |
run: | | |
echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV | |
- name: Get latest release tag | |
id: get_last_release_tag | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let release = await github.rest.repos.getLatestRelease({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
}); | |
if (release.status === 200 ) { | |
core.setOutput('old_release_tag', release.data.tag_name) | |
return | |
} | |
core.setFailed("Cannot find latest release") | |
- name: Get release ID from the release created by release drafter | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let releases = await github.rest.repos.listReleases({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
}); | |
for (const release of releases.data) { | |
if (release.draft) { | |
core.info(release) | |
core.exportVariable('RELEASE_ID', release.id) | |
return | |
} | |
} | |
core.setFailed(`Draft release not found`) | |
- name: Checkout code for kubewarden-dashboard.json | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Download attestation artifact | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
pattern: attestation-* | |
path: ./ | |
merge-multiple: true | |
- name: Display structure of downloaded files | |
run: ls -R | |
- name: Create tarball for the attestation files | |
run: | | |
for arch in "amd64" "arm64"; do | |
tar -czf attestation-$arch.tar.gz $(ls policy-server-attestation-$arch-*) | |
done | |
- name: Upload release assets | |
id: upload_release_assets | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
let fs = require('fs'); | |
let path = require('path'); | |
let files = [ | |
'attestation-amd64.tar.gz', | |
'attestation-arm64.tar.gz', | |
'kubewarden-dashboard.json'] | |
const {RELEASE_ID} = process.env | |
for (const file of files) { | |
let file_data = fs.readFileSync(file); | |
let response = await github.rest.repos.uploadReleaseAsset({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
release_id: `${RELEASE_ID}`, | |
name: path.basename(file), | |
data: file_data, | |
}); | |
} | |
- name: Publish release | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const {RELEASE_ID} = process.env | |
const {TAG_NAME} = process.env | |
isPreRelease = ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }} | |
github.rest.repos.updateRelease({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
release_id: `${RELEASE_ID}`, | |
draft: false, | |
tag_name: `${TAG_NAME}`, | |
name: `${TAG_NAME}`, | |
prerelease: isPreRelease, | |
make_latest: !isPreRelease | |
}); | |
- name: Trigger chart update | |
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0 | |
with: | |
token: ${{ secrets.WORKFLOW_PAT }} | |
repository: "${{github.repository_owner}}/helm-charts" | |
event-type: update-chart | |
client-payload: '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}"}' |