diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..c1bb27b
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,68 @@
+name: Publish Zarf Init Package for AWS on Tag
+
+permissions:
+  contents: read
+
+on:
+  push:
+    tags:
+      - "v*"
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: write
+    steps:
+      # Checkout the repo and setup the tooling for this job
+      - name: Checkout
+        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Install latest version of Zarf
+        uses: defenseunicorns/setup-zarf@main
+
+      - name: Install tools
+        uses: defenseunicorns/zarf/.github/actions/install-tools@main
+
+      - name: "ECR Credential Helper: Login to GHCR"
+        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
+        with:
+          registry: ghcr.io
+          username: dummy
+          password: ${{ github.token }}
+
+      - name: "ECR Credential Helper: Build and Publish the Image"
+        run: docker buildx build --push --platform linux/amd64 --tag ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME .
+
+      - name: "ECR Credential Helper: Sign the Image"
+        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf-init-aws/ecr-credential-helper:$GITHUB_REF_NAME
+        env:
+          COSIGN_EXPERIMENTAL: 1
+          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
+          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
+
+      - name: Build AWS init package for release
+        run: make release-aws-init-package CREDENTIAL_HELPER_IMAGE_TAG=$GITHUB_REF_NAME
+
+      - name: Publish AWS Init Package as OCI and Skeleton
+        run: make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
+
+      # Create a CVE report based on this build
+      - name: Create release time CVE report
+        run: make cve-report
+
+      - name: Save CVE report
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        with:
+          name: cve-report
+          path: build/zarf-known-cves.csv
+
+      # Create GitHub release and upload the AWS init package as a release artifact
+      - name: Create GitHub release and upload AWS init package as release artifact
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
+        run: gh release create "$GITHUB_REF_NAME" ./build/zarf-init-*.tar.zst --generate-notes --verify-tag
diff --git a/Makefile b/Makefile
index 320fe5c..869e6de 100644
--- a/Makefile
+++ b/Makefile
@@ -3,6 +3,7 @@
 # Provide a default value for the operating system architecture used in tests, e.g. " APPLIANCE_MODE=true|false make test-e2e ARCH=arm64"
 ARCH ?= amd64
+CLI_VERSION ?= $(if $(shell git describe --tags),$(shell git describe --tags),"UnknownVersion")
 CREDENTIAL_HELPER_BIN := ./build/zarf-ecr-credential-helper
 CLUSTER_NAME ?= ""
 INSTANCE_TYPE ?= t3.small
@@ -48,6 +49,15 @@ build-local-credential-helper-image: ## Build the ECR credential helper image to
 aws-init-package: ## Build the AWS Zarf init package
 	zarf package create -o build -a $(ARCH) --confirm .
+# INTERNAL: used to build a release version of the AWS init package with a specific credential-helper image
+release-aws-init-package:
+	zarf package create -o build -a $(ARCH) --set CREDENTIAL_HELPER_IMAGE_TAG=$(CREDENTIAL_HELPER_IMAGE_TAG) --confirm .
+
+# INTERNAL: used to publish the AWS init package
+publish-aws-init-package:
+	zarf package publish build/zarf-init-$(ARCH)-$(CLI_VERSION).tar.zst oci://$(REPOSITORY_URL)
+	zarf package publish . oci://$(REPOSITORY_URL)
+
 eks-package: ## Build the EKS package
 	zarf package create packages/eks -a multi -o build --confirm
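Review bot: The "Publish AWS Init Package as OCI and Skeleton" step runs `make publish-init-package`, but the Makefile hunk in this same commit names the new target `publish-aws-init-package`, so the release job would fail at that step unless a `publish-init-package` target already exists elsewhere in the Makefile; the step should read `run: make publish-aws-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages`. The two `defenseunicorns/...@main` steps are the only unpinned actions in a job that holds `packages: write`, `contents: write` and the KMS signing credentials, while checkout, login-action and upload-artifact are pinned to commit SHAs with a version comment; pinning them the same way (`uses: defenseunicorns/setup-zarf@<commit-sha> # <tag>`) keeps a mutable branch from changing what runs in the release. The cosign step also relies on long-lived AWS access keys held in repository secrets; if the AWS account supports it, a job `id-token: write` permission with an OIDC role assumption (for example via `aws-actions/configure-aws-credentials`) would replace the static keys, though whether that is available is an inference about the account setup. Minor: `${{ secrets.GITHUB_TOKEN}}` is missing the closing space and should be `${{ secrets.GITHUB_TOKEN }}` for consistency with the other expressions.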