v0.96.11 #137
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release | |
on: | |
release: | |
jobs: | |
# This reusable workflow inspects if the given workflow_name exists on Chainloop. If the Workflow does not exist | |
# it will create one with an empty contract ready for operators to be filled. Otherwise, if found, it will just | |
# be ignored and the process will continue. For this to work it's using a pre-created API Token | |
onboard_workflow: | |
name: Onboard Chainloop Workflow | |
uses: chainloop-dev/labs/.github/workflows/chainloop_onboard.yml@4173e015dbd5dc2a8802555c268da63d57bbe576 | |
with: | |
project: "chainloop" | |
workflow_name: "chainloop-vault-release" | |
secrets: | |
api_token: ${{ secrets.CHAINLOOP_TOKEN }} | |
release: | |
name: Record release from GitHub | |
runs-on: ubuntu-latest | |
needs: onboard_workflow | |
permissions: | |
packages: write | |
contents: write | |
env: | |
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }} | |
CHAINLOOP_WORKFLOW_NAME: ${{ needs.onboard_workflow.outputs.workflow_name }} | |
GH_TOKEN: ${{ github.token }} | |
steps: | |
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
- name: Install Chainloop | |
run: | | |
curl -sfL https://raw.githubusercontent.com/chainloop-dev/chainloop/01ad13af08950b7bfbc83569bea207aeb4e1a285/docs/static/install.sh | bash -s | |
- name: Initialize Attestation | |
run: | | |
chainloop attestation init --workflow-name ${CHAINLOOP_WORKFLOW_NAME} | |
- name: Attest all assets | |
run: | | |
tag=$(echo -n ${{github.ref}} | cut -d / -f3) | |
gh release download $tag -D /tmp/github-release | |
for entry in $(ls /tmp/github-release); do | |
# If the name is cas.cyclonedx.json, controlplane.cyclonedx.json or cli.cyclonedx.json, we need to add the attestation with the correct name | |
if [[ $entry =~ ^(cas|controlplane|cli)\.cyclonedx\.json$ ]]; then | |
name=$(echo -n "${entry%.json}" | sed 's/\./-/g') | |
chainloop attestation add --value "/tmp/github-release/$entry" --name "$name" | |
continue | |
fi | |
chainloop attestation add --value "/tmp/github-release/$entry" | |
done | |
# Include source code | |
version=$(echo -n $tag | sed 's/v//g') | |
gh release download $tag -A tar.gz -D /tmp | |
chainloop attestation add --value "/tmp/chainloop-$version.tar.gz" | |
# Include control-plane image | |
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/control-plane:$tag" | |
# Include cas image | |
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/artifact-cas:$tag" | |
# Include cli image | |
chainloop attestation add --value "ghcr.io/chainloop-dev/chainloop/cli:$tag" | |
- name: Finish and Record Attestation | |
id: attestation-push | |
if: ${{ success() }} | |
run: | | |
chainloop attestation status --full | |
attestation_sha=$(chainloop attestation push --key env://CHAINLOOP_SIGNING_KEY -o json | jq -r '.digest') | |
echo "attestation_sha=$attestation_sha" >> $GITHUB_OUTPUT | |
env: | |
CHAINLOOP_SIGNING_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
CHAINLOOP_SIGNING_KEY: ${{ secrets.COSIGN_KEY }} | |
- name: Mark attestation as failed | |
if: ${{ failure() }} | |
run: | | |
chainloop attestation reset | |
- name: Mark attestation as cancelled | |
if: ${{ cancelled() }} | |
run: | | |
chainloop attestation reset --trigger cancellation | |
- name: Add attestation link to release notes | |
if: ${{ success() }} | |
run: | | |
chainloop_release_url="## Chainloop Attestation"$'\n'"[View the attestation of this release](https://app.chainloop.dev/attestation/${{ steps.attestation-push.outputs.attestation_sha }})" | |
current_notes=$(gh release view ${{ github.ref_name }} --json body -q '.body') | |
if echo "$current_notes" | grep -q "## Chainloop Attestation"; then | |
# Replace the existing Chainloop Attestation section with the new URL | |
modified_notes=$(echo "$current_notes" | sed -E "s|## Chainloop Attestation[^\n]*\n\[View the attestation of this release\]\(https://app\.chainloop\.dev/attestation/[^\)]*\)|$chainloop_release_url|") | |
else | |
# Add the Chainloop Attestation section to the top | |
modified_notes="$chainloop_release_url"$'\n\n'"$current_notes" | |
fi | |
# Update the release notes and ignore if it fails since we might be lacking permissions to update the release notes | |
gh release edit ${{ github.ref_name }} -n "$modified_notes" || echo -n "Not enough permissions to edit the release notes. Skipping..." |