ci: permission at job level (#2922) #152
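---
# Release pipeline, triggered only by pushing a "v*" tag.
#
# Job chain: build-release (build the CLI, publish + sign the agent image, build and
# publish the init packages, produce a CVE report) -> validate-release (e2e tests against
# the built CLI) -> create-release (GoReleaser, gated by the "release" environment).
name: Release CLI and Packages on Tag

# Workflow-wide default is read-only. A job that declares its own `permissions` block
# replaces this set entirely: every scope it does not list (including contents) becomes
# "none", so jobs below that need more spell out exactly what they use.
permissions:
  contents: read

on:
  push:
    tags:
      - "v*"

jobs:
  build-release:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # explicit: job-level permissions do not inherit the workflow default
      id-token: write  # OIDC token consumed by "Auth with AWS" below
      packages: write  # push the agent image to GHCR
    steps:
      # Checkout the repo and setup the tooling for this job
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - name: Setup golang
        uses: ./.github/actions/golang
      - name: Install tools
        uses: ./.github/actions/install-tools
      # NOTE(review): the grype binary is pinned to $VERSION, but the installer script is
      # fetched from the unpinned `main` branch of anchore/grype and piped straight into sh,
      # so the script itself carries no ref or checksum pin.
      - name: install grype
        env:
          VERSION: v0.74.6
        run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
        shell: bash
      - name: Build CLI
        run: |
          make build-cli-linux-amd
          make build-cli-linux-arm
      - name: "Zarf Agent: Login to GHCR"
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: dummy  # presumably not checked by GHCR when the job token is the password — confirm
          password: ${{ github.token }}
      # The multi-arch image is tagged with the pushed tag name; the resulting manifest
      # digest is exported to $GITHUB_ENV so the signing step can sign by digest.
      - name: "Zarf Agent: Build and Publish the Image"
        run: |
          cp build/zarf build/zarf-linux-amd64
          cp build/zarf-arm build/zarf-linux-arm64
          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME .
          rm build/zarf-linux-amd64
          rm build/zarf-linux-arm64
          echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
      # Assumes the KMS role via OIDC (needs id-token: write above); no long-lived keys.
      - name: Auth with AWS
        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
        with:
          role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
          role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
          aws-region: us-east-2
          role-duration-seconds: 3600
      # Sign by digest (not tag) so the signature is bound to the exact manifest pushed above.
      # github.actor is handed to the script through env rather than interpolated with
      # ${{ }} inside `run`, so the shell only ever sees an environment variable.
      - name: "Zarf Agent: Sign the Image"
        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/$RELEASE_ENGINEER -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
        env:
          COSIGN_EXPERIMENTAL: 1
          RELEASE_ENGINEER: ${{ github.actor }}
      # Builds init packages since GoReleaser won't handle this for us
      - name: Build init-packages For Release
        run: |
          make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
          make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
      - name: Publish Init Package as OCI and Skeleton
        run: |
          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
      # Create a CVE report based on this build
      - name: Create release time CVE report
        run: "make cve-report"
      # Upload the contents of the build directory for later stages to use
      - name: Upload build artifacts
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
        with:
          name: build-artifacts
          path: build/
          retention-days: 1

  # No job-level `permissions` here, so this job runs with the workflow default (contents: read).
  validate-release:
    runs-on: ubuntu-latest
    needs: build-release
    steps:
      # Checkout the repo and setup the tooling for this job
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: build-artifacts
          path: build/
      - name: Setup golang
        uses: ./.github/actions/golang
      - name: Make Zarf executable
        run: |
          chmod +x build/zarf
      # Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
      - name: Cleanup files
        uses: ./.github/actions/cleanup-files
      # Build the example packages and run the tests
      - name: Build examples and run tests
        run: |
          sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
      - name: Save logs
        if: always()
        uses: ./.github/actions/save-logs

  # Publishing job: gated by the "release" environment and the only job granted
  # contents: write (needed to create the GitHub release).
  create-release:
    runs-on: ubuntu-latest
    needs: validate-release
    environment: release
    permissions:
      contents: write
    steps:
      # Checkout the repo and setup the tooling for this job
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
        with:
          fetch-depth: 0
      - name: Setup golang
        uses: ./.github/actions/golang
      - name: Install tools
        uses: ./.github/actions/install-tools
      - name: Download build artifacts
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          name: build-artifacts
          path: build/
      # Tags containing "rc" publish to the zarf@latest-rc brew formula instead of zarf.
      - name: Make zarf executable and skip brew latest for pre-release tags
        run: |
          chmod +x build/zarf
          if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
            echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
          else
            echo "BREW_NAME=zarf" >> $GITHUB_ENV
          fi
      # Before we run the release we need to aggressively cleanup files to reduce disk pressure
      - name: Cleanup files
        uses: ./.github/actions/cleanup-files
      # Dependency versions are read from go.mod so the release notes track the built module set.
      # K8S_MODULES_MAJOR_VER is the client-go major + 1 (client-go v0.x tracks Kubernetes 1.x).
      - name: Setup release ENV vars
        run: |
          K8S_MODULES_VER=$(go list -f '{{.Version}}' -m k8s.io/client-go | sed 's/v//; s/\./ /g')
          echo K8S_MODULES_MAJOR_VER=$(expr $(echo "$K8S_MODULES_VER" | cut -d " " -f 1) + 1) >> $GITHUB_ENV
          echo K8S_MODULES_MINOR_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 2) >> $GITHUB_ENV
          echo K8S_MODULES_PATCH_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 3) >> $GITHUB_ENV
          echo K9S_VERSION=$(go list -f '{{.Version}}' -m github.com/derailed/k9s) >> $GITHUB_ENV
          echo CRANE_VERSION=$(go list -f '{{.Version}}' -m github.com/google/go-containerregistry) >> $GITHUB_ENV
          echo SYFT_VERSION=$(go list -f '{{.Version}}' -m github.com/anchore/syft) >> $GITHUB_ENV
          echo ARCHIVER_VERSION=$(go list -f '{{.Version}}' -m github.com/mholt/archiver/v3) >> $GITHUB_ENV
          echo HELM_VERSION=$(go list -f '{{.Version}}' -m helm.sh/helm/v3) >> $GITHUB_ENV
      # Short-lived installation token scoped to the homebrew-tap repo only, so the
      # cross-repo push does not need a long-lived PAT.
      - name: Get Brew tap repo token
        id: brew-tap-token
        uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
        with:
          app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
          private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
          owner: defenseunicorns
          repositories: homebrew-tap
      # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
        with:
          distribution: goreleaser
          version: "~> v2"
          args: release --clean --verbose
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}
      - name: Save CVE report
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
        with:
          name: cve-report
          path: build/zarf-known-cves.csv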