
chore: update the release workflow to accept sigstore terms and sign … #122


Workflow file for this run

# Release pipeline, started by a version tag: builds the CLI, builds and signs
# the agent image, runs e2e validation against those exact artifacts, then
# publishes through GoReleaser. Nothing below runs on branch pushes.
name: Publish Zarf Packages on Tag
# Workflow-wide default for the job token is read-only. NOTE(review): a job
# that declares its own `permissions:` block replaces this default entirely
# (scopes it does not list become `none`) rather than adding to it, so each
# job below is read on its own terms.
permissions:
  contents: read
on:
  push:
    tags:
      # NOTE(review): anyone able to push a `v*` tag starts a run that signs
      # with the production KMS key and publishes a release. Tag protection /
      # a ruleset on `v*` is the control that limits this to release
      # engineers — confirm it is in place on the repository.
      - "v*"
jobs:
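# Stage 1: build the CLI, build/push/sign the agent image, build the init
# packages and hand everything to later jobs as a short-lived artifact.
  build:
    runs-on: ubuntu-latest
    # A job-level `permissions:` block replaces the workflow default, so
    # `contents: read` is restated here instead of relying on anonymous
    # access to the repository. `packages: write` is what lets the job token
    # push to GHCR.
    permissions:
      contents: read
      packages: write
    steps:
      # Checkout the repo and setup the tooling for this job
      # (full history: the build presumably derives its version from git tags)
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
      - name: Setup golang
        uses: ./.github/actions/golang
      - name: Install tools
        uses: ./.github/actions/install-tools
      - name: Build CLI
        run: |
          make build-cli-linux-amd
          make build-cli-linux-arm
      # Registry auth uses the short-lived job token, not a stored registry
      # credential. GHCR appears to authenticate on the token alone, so the
      # username value is not significant (the conventional choice is
      # `${{ github.actor }}`).
      - name: "Zarf Agent: Login to GHCR"
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
        with:
          registry: ghcr.io
          username: dummy
          password: ${{ github.token }}
      # Pushes the multi-arch image under the release tag, then resolves that
      # tag to its index digest so the signature below is bound to content
      # rather than to a mutable tag.
      - name: "Zarf Agent: Build and Publish the Image"
        run: |
          cp build/zarf build/zarf-linux-amd64
          cp build/zarf-arm build/zarf-linux-arm64
          docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME .
          rm build/zarf-linux-amd64
          rm build/zarf-linux-arm64
          # Default `run:` shell is `bash -e` without pipefail, so a failed
          # inspect would leave jq emitting nothing and the step would still
          # pass; fail loudly rather than hand an empty/null digest to cosign.
          DIGEST=$(docker buildx imagetools inspect ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest)
          if [ -z "$DIGEST" ] || [ "$DIGEST" = "null" ]; then
            echo "::error::could not resolve a digest for agent:$GITHUB_REF_NAME; refusing to sign" >&2
            exit 1
          fi
          echo "ZARF_AGENT_IMAGE_DIGEST=$DIGEST" >> "$GITHUB_ENV"
      # Sign by digest. The value resolved above has the form `sha256:<hex>`,
      # so the reference separator must be `@` (`name@sha256:…`); joining it
      # with `:` does not produce a valid image reference and the sign step
      # cannot target the pushed image. `-y` accepts the Sigstore terms for
      # the transparency-log upload.
      - name: "Zarf Agent: Sign the Image"
        run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
        env:
          # NOTE(review): COSIGN_EXPERIMENTAL is a cosign 1.x switch and is
          # ignored by cosign 2.x; harmless, but confirm which cosign the
          # install-tools action pins.
          COSIGN_EXPERIMENTAL: 1
          # NOTE(review): static IAM keys for the KMS signer. OIDC federation
          # (configure-aws-credentials with `role-to-assume` and
          # `id-token: write`) would leave no long-lived secret to leak.
          AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
          AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
      # Builds init packages since GoReleaser won't handle this for us.
      # The agent is referenced here by tag; the signature above covers the
      # digest that tag pointed at when it was signed.
      - name: Build init-packages For Release
        run: |
          make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
          make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
      - name: Publish Init Package as OCI and Skeleton
        run: |
          make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
          make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
      # Create a CVE report based on this build
      - name: Create release time CVE report
        run: "make cve-report"
      # Upload the contents of the build directory for later stages to use.
      # Both `validate` and `push` consume this; the 1-day retention keeps
      # not-yet-released binaries from lingering as downloadable artifacts.
      - name: Upload build artifacts
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
        with:
          name: build-artifacts
          path: build/
          retention-days: 1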
# Stage 2: gate. The exact artifacts produced by `build` must pass e2e before
# `push` publishes them. No `permissions:` block, so the workflow default of
# `contents: read` applies.
  validate:
    runs-on: ubuntu-latest
    needs: build
    steps:
      # Checkout the repo and setup the tooling for this job.
      # Keep Checkout ahead of the artifact download: actions/checkout
      # presumably cleans the workspace, which would discard build/.
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
      - name: Download build artifacts
        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4 # v4.0.0
        with:
          name: build-artifacts
          path: build/
      - name: Setup golang
        uses: ./.github/actions/golang
      # Presumably needed because the artifact round-trip drops the
      # executable bit on the downloaded binary.
      - name: Make Zarf executable
        run: |
          chmod +x build/zarf
      # Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
      - name: Cleanup files
        uses: ./.github/actions/cleanup-files
      # Build the example packages and run the tests.
      # Runs as root via sudo with the runner's PATH carried through; the
      # binary under test is the downloaded one, not a fresh build.
      - name: Build examples and run tests
        run: |
          sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
      # Collected even when the tests fail, so a failed release run can be
      # diagnosed.
      - name: Save logs
        if: always()
        uses: ./.github/actions/save-logs
# Stage 3: publish. Only runs once `validate` has passed on the same
# artifacts. This is the only job that can write to the repository.
  push:
    runs-on: ubuntu-latest
    needs: validate
    # Creating the GitHub release needs `contents: write`. This job-level
    # block replaces the workflow default rather than adding to it.
    permissions:
      contents: write
    steps:
      # Checkout the repo and setup the tooling for this job
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0
      - name: Setup golang
        uses: ./.github/actions/golang
      - name: Install tools
        uses: ./.github/actions/install-tools
      # Same artifact `validate` tested; nothing is rebuilt in this job.
      - name: Download build artifacts
        uses: actions/download-artifact@7a1cd3216ca9260cd8022db641d960b1db4d1be4 # v4.0.0
        with:
          name: build-artifacts
          path: build/
      # Set up AWS credentials for GoReleaser to upload backups of artifacts to S3.
      # NOTE(review): static IAM keys, exported into the job environment for
      # every later step. OIDC federation (`role-to-assume` plus
      # `id-token: write`) would remove the long-lived secret; at minimum
      # confirm the key's policy is limited to the backup bucket.
      - name: Set AWS Credentials
        uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
        with:
          aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
          aws-region: us-gov-west-1
      # Pre-release detection is a substring match: any tag containing "rc"
      # goes to the `zarf@latest-rc` formula instead of `zarf`. Adequate for
      # vX.Y.Z(-rcN) tags; tighten to `*-rc*` if the tag scheme broadens.
      - name: Make zarf executable and skip brew latest for pre-release tags
        run: |
          chmod +x build/zarf
          if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
            echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
          else
            echo "BREW_NAME=zarf" >> $GITHUB_ENV
          fi
      # Before we run the release we need to aggressively cleanup files to reduce disk pressure
      - name: Cleanup files
        uses: ./.github/actions/cleanup-files
      # Exposes the k8s.io/client-go module version as MAJOR/MINOR/PATCH env
      # vars for the release templates. MAJOR is incremented by one —
      # presumably to express a supported Kubernetes version rather than the
      # client-go version itself; verify against the GoReleaser config.
      - name: Setup release ENV vars
        run: |
          K8S_MODULES_VER=$(go list -f '{{.Version}}' -m k8s.io/client-go | sed 's/v//; s/\./ /g')
          echo K8S_MODULES_MAJOR_VER=$(expr $(echo "$K8S_MODULES_VER" | cut -d " " -f 1) + 1) >> $GITHUB_ENV
          echo K8S_MODULES_MINOR_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 2) >> $GITHUB_ENV
          echo K8S_MODULES_PATCH_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 3) >> $GITHUB_ENV
      # Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe.
      # NOTE(review): the action itself is SHA-pinned, but `version: latest`
      # lets the GoReleaser binary it installs float on every release run.
      # Pin it to a specific GoReleaser release so runs are reproducible and
      # upstream changes enter only through review. Related: `--rm-dist` and
      # `--debug` have newer spellings (`--clean`, `--verbose`) in recent
      # GoReleaser, so a floating version can break this step without any
      # change to this file.
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
        with:
          distribution: goreleaser
          version: latest
          args: release --rm-dist --debug
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
          # NOTE(review): a PAT with write access to the Homebrew tap lives
          # outside the job token's scoping; keep it fine-grained and limited
          # to that one repository.
          HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
      # Persist the CVE report generated in `build` alongside the run. No
      # retention override here, so the repository default applies.
      - name: Save CVE report
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
        with:
          name: cve-report
          path: build/zarf-known-cves.csv