Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(action): Create new action to consume GitHub releases #822

Merged
merged 3 commits into from
May 28, 2024
Merged

feat(action): Create new action to consume GitHub releases #822

merged 3 commits into from
May 28, 2024

Conversation

javirln
Copy link
Member

@javirln javirln commented May 22, 2024
edited

This patch uses changes introduced in #820 to auto discover materials based on the GitHub releases' assets.

Changes:

  • Uses the workflow chainloop-vault-release
  • Rename the file from github_release to release
  • Attests everything included on the GitHub Release

Refs #785

@javirln javirln requested review from migmartri and jiparis May 22, 2024 15:07
@javirln javirln self-assigned this May 22, 2024
migmartri
migmartri approved these changes May 22, 2024
View reviewed changes
.github/workflows/github_release.yaml Outdated Show resolved Hide resolved
.github/workflows/github_release.yaml Outdated Show resolved Hide resolved
@javirln javirln marked this pull request as ready for review May 24, 2024 11:07
@migmartri
Copy link
Member

We need to decide how this is going to co-exist/replace with our current release job/attestation. Do you have any thoughts on that transition?

@javirln
Copy link
Member Author

javirln commented May 27, 2024
edited

We need to decide how this is going to co-exist/replace with our current release job/attestation. Do you have any thoughts on that transition?

I had a look at it the other day and we are indeed adding some values twice. We could leave the old release to the following:

  • Create all the binaries with goreleaser
  • Attest plugins since they are not part of the GitHub releases
  • Generate all SBOMS from source code
  • Create PR for Chart bump

goreleaser will take care of the majority of the heavy lifting by attesting all remaining binaries and container images. From the GitHub release workflow we could:

  • Attest all binaries except plugins
  • Attest all SBOMS generated on the previous step part for the GitHub release
  • Attest all container images

That would require changing the current release contract.

@javirln
Copy link
Member Author

javirln commented May 27, 2024

Other option on the table:

  • Remove duplicates on release workflow
  • Use this reusable workflow as parte of the release one
  • Add in different attestation the missing pieces such as the plugins binaries and container images (they would be removed from the GitHub release workflow)

That would also require changes on the release contract as well.

@jiparis
Copy link
Member

jiparis commented May 27, 2024

Other option on the table:

  • Remove duplicates on release workflow
  • Use this reusable workflow as parte of the release one
  • Add in different attestation the missing pieces such as the plugins binaries and container images (they would be removed from the GitHub release workflow)

That would also require changes on the release contract as well.

I would go this way, leaving this one as generic as possible and keeping the specifics in the current one.
I'd also investigate how to put all this logic in a Github Action instead of a reusable workflow. Maybe as part of a different effort.

@javirln
Copy link
Member Author

javirln commented May 28, 2024

I would remove the container images from this one, open a new PR to include it on the Release. Please keep in mind that this will create two different attestations that might not be related more from the commit.

@migmartri migmartri self-requested a review May 28, 2024 07:13
@javirln javirln mentioned this pull request May 28, 2024
Merged
@javirln
feat(action): Create new action to consume GitHub releases
48b1504 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
Remove container images from attestation
13b429b 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln
Rename file and change workflow name
f6c864b 
Signed-off-by: Javier Rodriguez <javier@chainloop.dev>
@javirln javirln merged commit 7052e4a into main May 28, 2024
13 checks passed
@javirln javirln deleted the feat/785 branch May 28, 2024 13:02
This was referenced May 28, 2024
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@migmartri migmartri migmartri approved these changes

@jiparis jiparis Awaiting requested review from jiparis

Assignees

@javirln javirln

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@javirln @migmartri @jiparis