Skip to content

ci: permission at job level (#2922) #152

ci: permission at job level (#2922)

ci: permission at job level (#2922) #152

Workflow file for this run

name: Release CLI and Packages on Tag
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
build-release:
runs-on: ubuntu-latest
permissions:
id-token: write
packages: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: install grype
env:
VERSION: v0.74.6
run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin $VERSION"
shell: bash
- name: Build CLI
run: |
make build-cli-linux-amd
make build-cli-linux-arm
- name: "Zarf Agent: Login to GHCR"
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: dummy
password: ${{ github.token }}
- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME .
rm build/zarf-linux-amd64
rm build/zarf-linux-arm64
echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/zarf-dev/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
- name: Auth with AWS
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{ secrets.AWS_KMS_ROLE }}
role-session-name: ${{ github.job || github.event.client_payload.pull_request.head.sha || github.sha }}
aws-region: us-east-2
role-duration-seconds: 3600
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/zarf-dev/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
env:
COSIGN_EXPERIMENTAL: 1
# Builds init packages since GoReleaser won't handle this for us
- name: Build init-packages For Release
run: |
make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
- name: Publish Init Package as OCI and Skeleton
run: |
make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/zarf-dev/packages
# Create a CVE report based on this build
- name: Create release time CVE report
run: "make cve-report"
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: build-artifacts
path: build/
retention-days: 1
validate-release:
runs-on: ubuntu-latest
needs: build-release
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Download build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
path: build/
- name: Setup golang
uses: ./.github/actions/golang
- name: Make Zarf executable
run: |
chmod +x build/zarf
# Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
# Build the example packages and run the tests
- name: Build examples and run tests
run: |
sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
- name: Save logs
if: always()
uses: ./.github/actions/save-logs
create-release:
runs-on: ubuntu-latest
needs: validate-release
environment: release
permissions:
contents: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: Download build artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: build-artifacts
path: build/
- name: Make zarf executable and skip brew latest for pre-release tags
run: |
chmod +x build/zarf
if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
else
echo "BREW_NAME=zarf" >> $GITHUB_ENV
fi
# Before we run the release we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
- name: Setup release ENV vars
run: |
K8S_MODULES_VER=$(go list -f '{{.Version}}' -m k8s.io/client-go | sed 's/v//; s/\./ /g')
echo K8S_MODULES_MAJOR_VER=$(expr $(echo "$K8S_MODULES_VER" | cut -d " " -f 1) + 1) >> $GITHUB_ENV
echo K8S_MODULES_MINOR_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 2) >> $GITHUB_ENV
echo K8S_MODULES_PATCH_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 3) >> $GITHUB_ENV
echo K9S_VERSION=$(go list -f '{{.Version}}' -m github.com/derailed/k9s) >> $GITHUB_ENV
echo CRANE_VERSION=$(go list -f '{{.Version}}' -m github.com/google/go-containerregistry) >> $GITHUB_ENV
echo SYFT_VERSION=$(go list -f '{{.Version}}' -m github.com/anchore/syft) >> $GITHUB_ENV
echo ARCHIVER_VERSION=$(go list -f '{{.Version}}' -m github.com/mholt/archiver/v3) >> $GITHUB_ENV
echo HELM_VERSION=$(go list -f '{{.Version}}' -m helm.sh/helm/v3) >> $GITHUB_ENV
- name: Get Brew tap repo token
id: brew-tap-token
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
owner: defenseunicorns
repositories: homebrew-tap
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: "~> v2"
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}
- name: Save CVE report
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: cve-report
path: build/zarf-known-cves.csv