release: add provenance with GitHub actions #3938
Conversation
.ci/Makefile
docker build -t $(DOCKER_REGISTRY)/$(DOCKER_IMAGE_NAME):$(AGENT_VERSION) \ | ||
--build-arg AGENT_DIR=$(DIST_DIR) .. | ||
|
||
push-docker: build-docker | ||
@echo "Obsoleted, use GitHub actions" |
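Review bot: `push-docker` still lists `build-docker` as a prerequisite, so `make push-docker` will run a full `docker build` before printing the "Obsoleted" notice; drop the dependency and consider ending the recipe with a non-zero exit (e.g. `@exit 1` after the `@echo`) so any script that still calls this target fails loudly instead of silently skipping the push.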
Moving away from the push-docker.sh script drops support for only sometimes applying the "latest" Docker tag to an image. This handling was used so that we could use the same push-docker.sh script for the current latest major releases (4.x) and for the 3.x maintenance branch.
I suppose this is fine, given that we won't add provenance support to the 3.x branch. At some point, if/when there is a 5.x major, we'd need to make sure that a maintenance 4.x release does NOT push the "latest" Docker tag.
Shall we move this topic to a follow-up?
Yes, this PR doesn't need to handle this.
Co-authored-by: Trent Mick <trent.mick@elastic.co>
- name: Attest Lambda layer zip | ||
uses: github-early-access/generate-build-provenance@main | ||
with: | ||
subject-path: "${{ github.workspace }}/build/aws/elastic-apm-node-lambda-layer-*.zip" |
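Review bot: `uses: github-early-access/generate-build-provenance@main` pins a third-party action to a mutable branch, so the very step meant to produce provenance is itself not reproducible and will change whenever that branch moves; pin it to a full commit SHA (keeping the tag or branch as a trailing comment for readability) and scope the job's `permissions:` to only the write permissions the attestation step needs. Also worth checking what the step does when the `subject-path` glob matches no file, so a broken build path cannot quietly produce an empty attestation.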
Q: Do we really want to (a) publish attestations (this goes on a public immutable ledger of some sort, IIUC), and (b) docker build and push for every commit to main? My concern is that this is very wasteful.
I'm probably biased, but I prefer to run the release on the main branch with a dry-run or a subset of the jobs; this can detect any breaking changes in workflows.
Therefore, I enabled the provenance for those artefacts. I see it might be useful, and those artefacts will be available along with their attestations.
As for disk space, it should be OK; there is no limitation in our Elastic Docker registry.
## What does this pull request do?
Run the release steps partially for `main` to validate things work smoothly before the release. It skips the below steps:
## Further details
Use the GitHub provenance in this project as explained in https://docs.npmjs.com/generating-provenance-statements
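As an added illustration (not the workflow from this PR or the project), this is the shape of a release workflow matching the description above: every push to `main` runs the build in dry-run mode, and the provenance-generating publish step only runs for version tags. Action versions and the token secret name are placeholders to be replaced with full commit SHAs and the repository's own secret.

```yaml
# Added example, not the apm-agent-nodejs workflow: dry-run on main,
# real publish with npm provenance only on a version tag.
name: release
on:
  push:
    branches: [main]
    tags: ['v*']
  workflow_dispatch:   # manual runs always behave as dry-run (not a tag)

permissions:
  contents: read
  id-token: write      # lets npm request the OIDC token that backs --provenance

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      # Dry-run unless the workflow was triggered by a tag push.
      DRY_RUN: ${{ github.ref_type != 'tag' }}
    steps:
      - uses: actions/checkout@<commit-sha>     # placeholder: pin to a full SHA
      - uses: actions/setup-node@<commit-sha>   # placeholder: pin to a full SHA
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      - run: npm ci
      # Build the same artefact on every run so breaking changes surface on main.
      - run: npm pack

      - name: Publish with provenance (skipped on dry-run)
        if: env.DRY_RUN == 'false'
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # placeholder secret name
```

Consumers can later check the published package's registry signatures and provenance attestations with `npm audit signatures`.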
## Test
I created a test feature branch and https://github.com/elastic/apm-agent-nodejs/actions/runs/8819809747 is now running in dry-run mode: