feat: add release github action

Signed-off-by: zong-zhe <[email protected]>
kcl-lang · Jan 31, 2024 · e6be0c6 · e6be0c6
1 parent 9ac9af8
commit e6be0c6
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 87 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -57,12 +57,12 @@ jobs:
         with:
           registry: ghcr.io
           username: kclbot
-          password: ${{ secrets.GHCR_TOKEN }}
+          password: ${{ secrets.DEPLOY_ACCESS_TOKEN }}
       - name: Docker login docker.io
         uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
         with:
           username: kclbot
-          password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c # v5.5.0
@@ -85,71 +85,4 @@ jobs:
           platforms: linux/amd64,linux/arm/v7,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-      - name: Sign images
-        env:
-          COSIGN_EXPERIMENTAL: 1
-        run: |
-          cosign sign --yes kcllang/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
-          cosign sign --yes ghcr.io/kcl-lang/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
-      - name: GoReleaser publish signed SBOM
-        id: run-goreleaser
-        if: startsWith(github.ref, 'refs/tags/v')
-        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
-        with:
-          version: latest
-          args: release --clean --skip-validate
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Generate SLSA hashes
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-
-          hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join("  ") | sub("^sha256:";"")' | base64 -w0)
-          echo "hashes=$hashes" >> $GITHUB_OUTPUT
-          
-          image_url=fluxcd/${{ env.CONTROLLER }}:${{ steps.prep.outputs.version }}
-          image_digest=${{ steps.build-push.outputs.digest }}
-          echo "image_url=$image_url" >> $GITHUB_OUTPUT
-          echo "image_digest=$image_digest" >> $GITHUB_OUTPUT
-
-  release-provenance:
-    needs: [release]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to the release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true
-
-  dockerhub-provenance:
-    needs: [release]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ${{ needs.release.outputs.image_url }}
-      digest: ${{ needs.release.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.DOCKER_FLUXCD_PASSWORD }}
-
-  ghcr-provenance:
-    needs: [release]
-    permissions:
-      actions: read # for detecting the Github Actions environment.
-      id-token: write # for creating OIDC tokens for signing.
-      packages: write # for uploading attestations.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      image: ghcr.io/${{ needs.release.outputs.image_url }}
-      digest: ${{ needs.release.outputs.image_digest }}
-      registry-username: fluxcdbot
-    secrets:
-      registry-password: ${{ secrets.GHCR_TOKEN }}
+
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -28,20 +28,3 @@ sboms:
   - artifacts: archive
   - id: source
     artifacts: source
-
-# signs the checksum file
-# all files (including the sboms) are included in the checksum, so we don't need to sign each one if we don't want to
-# https://goreleaser.com/customization/sign
-signs:
-  - cmd: cosign
-    env:
-      - COSIGN_EXPERIMENTAL=1
-    certificate: '${artifact}.pem'
-    args:
-      - sign-blob
-      - "--yes"
-      - '--output-certificate=${certificate}'
-      - '--output-signature=${signature}'
-      - '${artifact}'
-    artifacts: checksum
-    output: true