-
Notifications
You must be signed in to change notification settings - Fork 173
173 lines (144 loc) · 5.62 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
name: Publish Zarf Packages on Tag
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Setup NodeJS
uses: ./.github/actions/node
- name: Install tools
uses: ./.github/actions/install-tools
- name: Build CLI
run: |
make build-cli-linux-amd
make build-cli-linux-arm
- name: "Zarf Agent: Login to GHCR"
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: dummy
password: ${{ github.token }}
- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME .
rm build/zarf-linux-amd64
rm build/zarf-linux-arm64
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
# Builds init packages since GoReleaser won't handle this for us
- name: Build init-packages For Release
run: |
make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
- name: Publish Init Package as OCI and Skeleton
run: |
make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
# Create a CVE report based on this build
- name: Create release time CVE report
run: "make cve-report"
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: build-artifacts
path: build/
retention-days: 1
validate:
runs-on: ubuntu-latest
needs: build
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
- name: Setup golang
uses: ./.github/actions/golang
- name: Make Zarf executable
run: |
chmod +x build/zarf
# Build the example packages and run the tests
- name: Build examples and run tests
run: |
sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
- name: Save logs
if: always()
uses: ./.github/actions/save-logs
push:
runs-on: ubuntu-latest
needs: validate
permissions:
contents: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Setup NodeJS
uses: ./.github/actions/node
- name: Install tools
uses: ./.github/actions/install-tools
- name: Download build artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: build-artifacts
path: build/
# Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
- name: Set AWS Credentials
uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
with:
aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1
- name: Skip brew latest for pre-release tags
run: |
if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
else
echo "BREW_NAME=zarf" >> $GITHUB_ENV
fi
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@5fdedb94abba051217030cc86d4523cf3f02243d # v4.6.0
with:
distribution: goreleaser
version: latest
args: release --rm-dist --debug
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
- name: Save CVE report
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: cve-report
path: build/zarf-known-cves.csv