This repository has been archived by the owner on Oct 3, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
75 lines (60 loc) · 2.78 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
name: Publish Zarf Init Package for AWS on Tag
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
release:
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Install latest version of Zarf
uses: defenseunicorns/setup-zarf@main
- name: Install tools
uses: defenseunicorns/zarf/.github/actions/install-tools@main
- name: Setup Go
uses: defenseunicorns/zarf/.github/actions/golang@main
- name: Build ECR credential-helper binary
run: make build-credential-helper-linux-amd
- name: "ECR Credential Helper: Login to GHCR"
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: dummy
password: ${{ github.token }}
- name: "ECR Credential Helper: Build and Publish the Image"
run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
# TODO@jeff-mccoy: Setup cosign signing key secrets in repo
# - name: "ECR Credential Helper: Sign the Image"
# run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
# env:
# COSIGN_EXPERIMENTAL: 1
# AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
# AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
# AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
- name: Build AWS init package for release
run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
- name: Publish AWS Init Package as OCI and Skeleton
run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
# Create a CVE report based on this build
- name: Create release time CVE report
run: make cve-report
- name: Save CVE report
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: cve-report
path: build/zarf-known-cves.csv
# Create GitHub release and upload the AWS init package as a release artifact
- name: Create GitHub release and upload AWS init package as release artifact
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag