ci: add semantic-release (#19)

liatrio · Jun 15, 2023 · be98f9b · be98f9b
1 parent dde6e6a
commit be98f9b
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 11 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -2,9 +2,7 @@ name: app
 on:
   push:
     branches:
-      - '*'
-    tags:
-      - v*.*.*
+      - '**'
 
 jobs:
   test:
@@ -52,14 +50,24 @@ jobs:
         run: make test
 
   release:
-    if: startsWith(github.ref, 'refs/tags/')
+    if: github.ref == 'refs/heads/main'
     runs-on: ubuntu-latest
     needs: [test]
     steps:
       - name: Checkout
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v3
+        with:
+          node-version: 18
+      - name: Setup Semantic Release
+        run: npm install -g semantic-release -D
+      - name: Release
+        run: npx semantic-release
+        env:
+          GH_TOKEN: ${{ github.token }}
       - name: Setup Go
         uses: actions/setup-go@v4
         with:

diff --git a/.releaserc b/.releaserc
@@ -0,0 +1,21 @@
+{
+  "branches": "main",
+  "repositoryUrl": "https://github.com/liatrio/gh-trusted-builds-attestations",
+  "debug": "false",
+  "plugins": [
+    [
+        "@semantic-release/commit-analyzer", {
+          "preset": "angular",
+          "releaseRules": [
+            {"type": "docs", "release": "patch"},
+            {"type": "refactor", "release": "patch"},
+            {"type": "style", "release": "patch"},
+            {"type": "build", "release": "patch"}
+          ],
+          "parserOpts": {
+            "noteKeywords": ["BREAKING CHANGE", "BREAKING CHANGES"]
+          }
+        }
+    ]
+  ]
+}
diff --git a/README.md b/README.md
@@ -29,6 +29,8 @@ All attestation types may use or require these flags.
 
 `--oidc-client-id`: Defaults to `sigstore`.
 
+`--id-token`: An optional flag to specify an id token to use for keyless signing.
+
 `--artifact-uri`: **required** URI of the OCI artifact i.e., the subject of the attestation.
 ex: `ghcr.io/liatrio/gh-trusted-builds-app`
 
@@ -112,17 +114,32 @@ The following process is used to create a VSA:
 
 ##### Command Flags
 
+`--debug`: Emit print logs from policy evaluation. Defaults to `false`
+
+`--policy-query`: The Rego query to use when evaluating the policy. Defaults to `data.governance.allow`.
+
 `--policy-url`: Location of policy bundle that will be used to determine VSA result.
 Supports http(s) urls for unauthenticated external downloads.
 Absolute and relative paths can be used for an existing, local bundle.
 
 Examples:
 
-- `https://github.com/liatrio/gh-trusted-builds-policy/releases/download/v1.1.1/bundle.tar.gz`
+- `https://github.com/liatrio/gh-trusted-builds-policy/releases/download/v1.4.0/bundle.tar.gz`
 - `bundle.tar.gz`
 - `../bundle.tar.gz`
 - `/Users/myhome/bundle.tar.gz`
 
+`--signer-identities-query`: A Rego query that should specify the expected attestation signer identities. The result should be a list of objects that can be unmarshalled into `cosign.Identity`. Defaults to `data.governance.signer_identities`.
+
+```rego
+[
+    {
+        "issuer": "https://token.actions.githubusercontent.com",
+        "subjectRegExp": `^https://github\.com/liatrio/gh-trusted-builds-workflows/\.github/workflows/build-and-push\.yaml@.*`,
+    }
+]
+```
+
 `--verifier-id`: ID of entity verifying the policy for the VSA.
 
 #### Version
@@ -131,12 +148,6 @@ Examples:
 
 Prints the build version information of the application.
 
-#### Help
-
-- Subcommand: `help`
-
-Prints the available subcommands that can be executed.
-
 ## Local Development
 
 In order to build the project, you'll need Go 1.20+.