Add release workflow
Lucas Rodriguez committed Oct 18, 2023
1 parent a8a0aa9 commit 48ea41b
Showing 2 changed files with 78 additions and 0 deletions.
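--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,68 @@
+name: Publish Zarf Init Package for AWS on Tag
+
+permissions:
+contents: read
+
+on:
+push:
+tags:
+- "v*"
+
+jobs:
+release:
+runs-on: ubuntu-latest
+permissions:
+packages: write
+contents: write
+steps:
+# Checkout the repo and setup the tooling for this job
+- name: Checkout
+uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+with:
+fetch-depth: 0
+
+- name: Install latest version of Zarf
+uses: defenseunicorns/setup-zarf@main
+
+- name: Install tools
+uses: defenseunicorns/zarf/.github/actions/install-tools@main
+
+- name: "ECR Credential Helper: Login to GHCR"
+uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+with:
+registry: ghcr.io
+username: dummy
+password: ${{ github.token }}
+
+- name: "ECR Credential Helper: Build and Publish the Image"
+run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
+
+- name: "ECR Credential Helper: Sign the Image"
+run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
+env:
+COSIGN_EXPERIMENTAL: 1
+AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+
+- name: Build AWS init package for release
+run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
+
+- name: Publish AWS Init Package as OCI and Skeleton
+run: make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
+
+# Create a CVE report based on this build
+- name: Create release time CVE report
+run: make cve-report
+
+- name: Save CVE report
+uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+with:
+name: cve-report
+path: build/zarf-known-cves.csv
+
+# Create GitHub release and upload the AWS init package as a release artifact
+- name: Create GitHub release and upload AWS init package as release artifact
+env:
+GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
+run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag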
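Review bot: The publish step `run: make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages` invokes a target that the Makefile hunk in this same commit defines as `publish-aws-init-package`; unless a `publish-init-package` target already exists outside the visible hunks, the job fails with "No rule to make target" only after the image has been pushed and signed, and the line should read `run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages`. Separately, `defenseunicorns/setup-zarf@main` and `defenseunicorns/zarf/.github/actions/install-tools@main` are mutable branch refs while the other actions are pinned to a commit SHA with a version comment; pinning them the same way keeps the release toolchain that builds and signs the artifact reproducible and reviewable. Finally, `${{ secrets.GITHUB_TOKEN}}` is missing the space before `}}`; it still evaluates, but `${{ secrets.GITHUB_TOKEN }}` matches the rest of the file.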
10 changes: 10 additions & 0 deletions Makefile
Expand Up @@ -3,6 +3,7 @@

# Provide a default value for the operating system architecture used in tests, e.g. " APPLIANCE_MODE=true|false make test-e2e ARCH=arm64"
ARCH ?= amd64
CLI_VERSION ?= $(if $(shell git describe --tags),$(shell git describe --tags),"UnknownVersion")
CREDENTIAL_HELPER_BIN := ./build/zarf-ecr-credential-helper
CLUSTER_NAME ?= ""
INSTANCE_TYPE ?= t3.small
Expand Down Expand Up @@ -48,6 +49,15 @@ build-local-credential-helper-image: ## Build the ECR credential helper image to
aws-init-package: ## Build the AWS Zarf init package
zarf package create -o build -a $(ARCH) --confirm .

# INTERNAL: used to build a release version of the AWS init package with a specific credential-helper image
release-aws-init-package:
zarf package create -o build -a $(ARCH) --set CREDENTIAL_HELPER_IMAGE_TAG=$(CREDENTIAL_HELPER_IMAGE_TAG) --confirm .

# INTERNAL: used to publish the AWS init package
publish-aws-init-package:
zarf package publish build/zarf-init-$(ARCH)-$(CLI_VERSION).tar.zst oci://$(REPOSITORY_URL)
zarf package publish . oci://$(REPOSITORY_URL)

eks-package: ## Build the EKS package
zarf package create packages/eks -a multi -o build --confirm
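Review bot: `publish-aws-init-package` interpolates `$(REPOSITORY_URL)` with no default and no guard, so invoking it without the variable runs `zarf package publish ... oci://` against an empty registry, and `release-aws-init-package` likewise accepts an empty `CREDENTIAL_HELPER_IMAGE_TAG` and silently bakes an unset tag into the package; a first recipe line such as `@$(if $(REPOSITORY_URL),,$(error REPOSITORY_URL is required))` (and the equivalent for the image tag) fails fast with a clear message instead. If `CLI_VERSION ?= $(if $(shell git describe --tags),$(shell git describe --tags),"UnknownVersion")` is the line added in the first hunk, note that `?=` is recursive, so every expansion runs `git describe` twice; `CLI_VERSION ?= $(or $(shell git describe --tags),"UnknownVersion")` is equivalent and runs it once per expansion. The new targets are commented with `# INTERNAL:` rather than the `## ` help suffix the neighbouring targets use, which I read as deliberate to keep them out of the help listing; a one-line comment saying so would make that intent explicit.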
