Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(workflows): Integrate GitHub Release reusable workflow #851

Merged
merged 5 commits into from
May 30, 2024
Merged

feat(workflows): Integrate GitHub Release reusable workflow #851

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
9a78fa3
feat(workflows): Integrate GitHub Release reusable workflow
javirln May 30, 2024
7000730
remove dependency
javirln May 30, 2024
d9cefcc
Update labs reference
javirln May 30, 2024
94010aa
Change job name
javirln May 30, 2024
00b4256
Update reference to labs project
javirln May 30, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
96 changes: 8 additions & 88 deletions .github/workflows/release.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,100 +2,20 @@ name: Release

on:
release:
types: [published]

permissions:
contents: read
contents: write

jobs:
# This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist
# it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just
# be ignored and the process will continue. For this to work it's using a pre-created API Token
onboard_workflow:
name: Onboard Chainloop Workflow
uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@4173e015dbd5dc2a8802555c268da63d57bbe576
release:
name: Attest GitHub Release
uses: chainloop-dev/labs/.github/workflows/chainloop_github_release.yml@417bad33ca08beaa785ae6a6b933406cd7b935cb
with:
project: "chainloop"
workflow_name: "chainloop-vault-release"
additional_materials: "ghcr.io/chainloop-dev/chainloop/control-plane:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/artifact-cas:${{ github.ref_name }},ghcr.io/chainloop-dev/chainloop/cli:${{ github.ref_name }}"
secrets:
api_token: ${{ secrets.CHAINLOOP_API_TOKEN }}

release:
name: Record release from GitHub
runs-on: ubuntu-latest
needs: onboard_workflow
permissions:
packages: write
env:
CHAINLOOP_VERSION: 0.89.0
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_API_TOKEN }}
CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }}
GH_TOKEN: ${{ github.token }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

- name: Install Chainloop
run: |
curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s -- --version v${{ env.CHAINLOOP_VERSION }}

- name: Initialize Attestation
run: |
chainloop attestation init --workflow-name ${CHAINLOOP_WORKFLOW_NAME}

- name: Attest all assets
run: |
tag=$(echo -n ${{github.ref}} | cut -d / -f3)
gh release download $tag -D /tmp/github-release
for entry in $(ls /tmp/github-release); do
chainloop attestation add --value "/tmp/github-release/$entry"
done

# Include source code
version=$(echo -n $tag | sed 's/v//g')
gh release download $tag -A tar.gz -D /tmp
chainloop attestation add --value "/tmp/chainloop-$version.tar.gz"

# Include control-plane image
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/control-plane:$tag"

# Include cas image
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/artifact-cas:$tag"

# Include cli image
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/cli:$tag"

- name: Finish and Record Attestation
id: attestation-push
if: ${{ success() }}
run: |
chainloop attestation status --full
attestation_sha=$(chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY -o json | jq -r '.digest')
echo "attestation_sha=$attestation_sha" >> $GITHUB_OUTPUT
env:
CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }}

- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset

- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation

- name: Add attestation link to release notes
if: ${{ success() }}
run: |
chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ steps.attestation-push.outputs.attestation_sha }})"
current_notes=$(gh release view ${{ github.ref }} --json body -q '.body')

if echo "$current_notes" | grep -q "## Chainloop Attestation"; then
# Replace the existing Chainloop Attestation section with the new URL
modified_notes=$(echo "$current_notes" | sed -E "s|## Chainloop Attestation[^\n]*\n\[View the attestation of this release\]\(https://app\.chainloop\.dev/attestation/[^\)]*\)|$chainloop_release_url|")
else
# Add the Chainloop Attestation section to the top
modified_notes="$chainloop_release_url"$'\n\n'"$current_notes"
fi

gh release edit ${{ github.ref }} -n "$modified_notes"
cosign_key: ${{ secrets.COSIGN_KEY }}
cosign_password: ${{ secrets.COSIGN_PASSWORD }}
Loading