-
Notifications
You must be signed in to change notification settings - Fork 3
358 lines (323 loc) · 15.3 KB
/
Copy pathrelease.yml
File metadata and controls
358 lines (323 loc) · 15.3 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
# Trusted pipeline for pushes to main: run the full validation workflow
# (ci.yml, the exact same jobs a PR gets), and only after everything is green
# let release-please version, publish, sign, and attest. Nothing here runs for
# pull requests, so write tokens never meet unreviewed code.
#
# Why release-please lives here instead of a tag-triggered workflow: tags
# created with GITHUB_TOKEN never trigger other workflows (GitHub's recursion
# guard), so publishing must be chained behind release-please in the same run.
# That is also what guarantees "the whole pipeline passed before we release".
# See docs/ci-overview.md for the full CI/CD design.
name: Release
on:
push:
branches: [main]
env:
REGISTRY: ghcr.io
IMAGE_NAME: configbutler/gitops-reverser
CHART_REGISTRY: ghcr.io/configbutler/charts
permissions:
contents: read
# Never cancel a release mid-publish; a follow-up push queues behind it.
concurrency:
group: release-${{ github.ref }}
cancel-in-progress: false
jobs:
ci:
name: CI
uses: ./.github/workflows/ci.yml
# Upper bound for the called workflow's jobs; each job inside ci.yml
# still requests only what it needs.
permissions:
contents: read
packages: write
id-token: write
security-events: write
secrets: inherit
release-please:
name: Release Please
runs-on: ubuntu-latest
timeout-minutes: 10
needs: ci
permissions:
contents: write
pull-requests: write
outputs:
release_created: ${{ steps.release.outputs.release_created }}
tag_name: ${{ steps.release.outputs.tag_name }}
version: ${{ steps.release.outputs.version }}
steps:
- name: Run release-please
id: release
uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
config-file: release-please-config.json
manifest-file: .release-please-manifest.json
# Merge the per-arch release-grade digests — already built and pushed by the
# `ci` run of *this* workflow (see build-release-* in ci.yml) — into one
# multi-arch manifest, then sign it and attach SLSA build provenance and an
# SPDX SBOM as registry attestations. ZERO builds happen here: the release
# tail retags the CI digests instead of rebuilding them.
publish-manifest:
name: Publish Multi-Arch Manifest
runs-on: ubuntu-latest
timeout-minutes: 20
# Its own release gate: with the `publish` rebuild job deleted,
# publish-manifest no longer inherits the gate transitively. Without this an
# ungated run on every main push would move latest/semver tags onto
# non-release candidate digests.
needs: [ci, release-please]
if: needs.release-please.outputs.release_created == 'true'
permissions:
contents: write # append release notes + SBOM asset
packages: write
id-token: write # cosign keyless signing + attestation OIDC
attestations: write
steps:
- name: Download digests
# Same-run artifacts uploaded by the called ci.yml (build-release-*).
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
path: /tmp/digests
pattern: digests-*
merge-multiple: true
- name: Verify release digests are present
# Fail loudly if build-release-* produced nothing (e.g. a bad gate
# skipped them): a retag with no digests must never silently no-op.
working-directory: /tmp/digests
run: |
count="$(find . -type f | wc -l)"
if [ "${count}" -eq 0 ]; then
echo "No release-grade digests found — build-release-* did not publish" >&2
exit 1
fi
echo "Found ${count} release digest(s) to retag"
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0
- name: Login to registry
uses: docker/login-action@c99871dec2022cc055c062a10cc1a1310835ceb4 # v4.3.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@dc802804100637a589fabce1cb79ff13a1411302 # v6.2.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=semver,pattern={{version}},value=${{ needs.release-please.outputs.version }}
type=semver,pattern={{major}}.{{minor}},value=${{ needs.release-please.outputs.version }}
type=semver,pattern={{major}},value=${{ needs.release-please.outputs.version }}
type=raw,value=latest
- name: Create manifest list and push
working-directory: /tmp/digests
run: |
docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
$(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
- name: Resolve multi-arch manifest digest
id: digest
run: |
docker buildx imagetools inspect "${REGISTRY}/${IMAGE_NAME}:${VERSION}"
DIGEST="$(docker buildx imagetools inspect "${REGISTRY}/${IMAGE_NAME}:${VERSION}" \
--format '{{json .Manifest.Digest}}' | tr -d '"')"
echo "Release digest: ${DIGEST}"
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
env:
VERSION: ${{ steps.meta.outputs.version }}
- name: Install cosign
uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
with:
# Keep in sync with COSIGN_VERSION in .devcontainer/Dockerfile — this
# is the only other job that signs release artifacts (publish-helm),
# and it gets cosign from that image. Without this input the action
# defaults to its own (older) pinned cosign release.
cosign-release: v3.1.1
- name: Sign the multi-arch image (cosign keyless)
# One signature on the digest covers every tag pointing at it.
run: cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${{ steps.digest.outputs.digest }}"
- name: Attest SLSA build provenance
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.digest.outputs.digest }}
push-to-registry: true
- name: Generate SBOM (SPDX)
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.digest.outputs.digest }}
format: spdx-json
output-file: sbom.spdx.json
upload-artifact: false
upload-release-assets: false
- name: Attest SBOM
uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
with:
subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.digest.outputs.digest }}
sbom-path: sbom.spdx.json
push-to-registry: true
# The image itself is already signed + attested above, but OpenSSF
# Scorecard's Signed-Releases check only looks at the GitHub *release
# assets*, not the OCI registry. Sign and attest the SBOM asset directly
# so the release itself carries a signature (*.sigstore.json) and SLSA
# provenance (*.intoto.jsonl) next to it.
- name: Sign the SBOM asset (cosign keyless)
run: cosign sign-blob --bundle sbom.spdx.json.sigstore.json --yes sbom.spdx.json
- name: Attest SLSA provenance for the SBOM asset
id: attest-sbom-asset
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-path: sbom.spdx.json
- name: Rename provenance bundle to the Scorecard-recognized suffix
run: cp "${{ steps.attest-sbom-asset.outputs.bundle-path }}" sbom.spdx.json.intoto.jsonl
- name: Update release info
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: ${{ needs.release-please.outputs.tag_name }}
# Keep the release a draft: GitHub's immutable-releases enforcement
# forbids adding assets once a release is published, so every asset
# must land while it is still a draft. The publish-release job flips
# it to published after all assets are attached.
draft: true
append_body: true
files: |
sbom.spdx.json
sbom.spdx.json.sigstore.json
sbom.spdx.json.intoto.jsonl
body: |
## Installation
### Quick Install (Single YAML)
```bash
kubectl apply -f https://github.com/ConfigButler/gitops-reverser/releases/download/${{ needs.release-please.outputs.tag_name }}/install.yaml
```
### Helm Chart
```bash
helm install gitops-reverser oci://${{ env.CHART_REGISTRY }}/gitops-reverser --version ${{ needs.release-please.outputs.version }}
```
## Docker Images
This release is available as a Docker image:
```bash
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.version }}
docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
```
**Platforms:** linux/amd64, linux/arm64
**Digest:** `${{ steps.digest.outputs.digest }}`
## Verify this release
Images are signed with cosign (keyless) and carry SLSA build provenance
and an SPDX SBOM as registry attestations:
```bash
cosign verify \
--certificate-identity-regexp '^https://github.com/ConfigButler/gitops-reverser/\.github/workflows/release\.yml@refs/heads/main$' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.version }}
gh attestation verify \
oci://${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.release-please.outputs.version }} \
--repo ConfigButler/gitops-reverser
```
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Publish the Helm chart (packaged and tested by the CI run above) to GHCR.
publish-helm:
name: Publish Helm Chart
runs-on: ubuntu-latest
timeout-minutes: 15
needs: [ci, release-please]
if: needs.release-please.outputs.release_created == 'true'
permissions:
contents: write # upload install.yaml release asset
packages: write
id-token: write # cosign keyless signing + attestation OIDC
attestations: write
container:
image: ${{ needs.ci.outputs.ci-image }}
credentials:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Checkout code
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Configure Git safe directory
run: git config --global --add safe.directory /__w/gitops-reverser/gitops-reverser
- name: Download tested release bundle artifact
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: release-bundle
path: .
- name: Login to GitHub Container Registry
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | helm registry login ${{ env.REGISTRY }} --username ${{ github.actor }} --password-stdin
- name: Push Helm chart to GHCR
id: chart
run: |
helm push ./gitops-reverser.tgz "oci://${CHART_REGISTRY}" 2>&1 | tee chart-push.log
DIGEST="$(awk '/Digest:/ {print $2}' chart-push.log)"
if [ -z "${DIGEST}" ]; then
echo "Could not extract chart digest from helm push output" >&2
exit 1
fi
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
# cosign ships baked into the ci-image this job runs in (see
# .devcontainer/Dockerfile) — no installer step needed here.
- name: Log in to registry for cosign
# `helm registry login` writes helm's own registry config; cosign reads
# ~/.docker/config.json, so it needs its own login or the signature
# upload fails with UNAUTHORIZED.
env:
COSIGN_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_USER: ${{ github.actor }}
run: cosign login "${REGISTRY}" --username "${COSIGN_USER}" --password "${COSIGN_TOKEN}"
- name: Sign the Helm chart (cosign keyless)
run: cosign sign --yes "${CHART_REGISTRY}/gitops-reverser@${{ steps.chart.outputs.digest }}"
# The chart is already signed above via its OCI digest, but OpenSSF
# Scorecard's Signed-Releases check only looks at the GitHub *release
# assets*, not the OCI registry. Sign and attest install.yaml directly so
# the release carries a signature (*.sigstore.json) and SLSA provenance
# (*.intoto.jsonl) next to it.
- name: Sign install.yaml (cosign keyless)
run: cosign sign-blob --bundle install.yaml.sigstore.json --yes dist/install.yaml
- name: Attest SLSA provenance for install.yaml
id: attest-install-yaml
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
with:
subject-path: dist/install.yaml
- name: Rename provenance bundle to the Scorecard-recognized suffix
run: cp "${{ steps.attest-install-yaml.outputs.bundle-path }}" install.yaml.intoto.jsonl
- name: Upload install.yaml as release asset
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.1
with:
tag_name: ${{ needs.release-please.outputs.tag_name }}
# Attach to the still-draft release; publish-release publishes it once
# every asset is in place (immutable releases reject post-publish
# uploads).
draft: true
files: |
dist/install.yaml
install.yaml.sigstore.json
install.yaml.intoto.jsonl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Publish the release only after every asset is attached. release-please
# creates the GitHub release as a draft (see release-please-config.json);
# GitHub's immutable-releases enforcement freezes a release the moment it is
# published, so publish-manifest and publish-helm attach their assets to the
# draft and this job flips it to published at the very end. If either publish
# job fails, the release stays an unpublished draft instead of a
# half-populated immutable release.
publish-release:
name: Publish GitHub Release
runs-on: ubuntu-latest
timeout-minutes: 10
needs: [release-please, publish-manifest, publish-helm]
if: needs.release-please.outputs.release_created == 'true'
permissions:
contents: write # publish the draft release (creates the tag)
steps:
- name: Publish the draft release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
run: gh release edit "${TAG_NAME}" --draft=false --repo "${{ github.repository }}"