-
Notifications
You must be signed in to change notification settings - Fork 0
161 lines (132 loc) · 4.93 KB
/
prepare-release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
name: Prepare Release
on:
workflow_dispatch:
inputs:
version:
description: Version to release, e.g. 'v0.1.0'
required: true
type: string
env:
REGISTRY: ghcr.io
SCOPED_NAME: ${{ github.repository }} # owner/repo_name
IMAGE: ghcr.io/${{ github.repository }}
VERSION: ${{ inputs.version }}
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
packages: write
contents: read
outputs:
digest: ${{ steps.push.outputs.digest }}
steps:
- name: Validate version input
run: |
#!/bin/bash
set -e
# allow arbitrary suffixes, e.g. v0.1.0-test when debugging the workflow itself
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$ ]]; then
echo "Invalid version input (must match vx.y.z): $VERSION" >&2
exit 1
fi
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Build image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
containerfiles: Dockerfile
image: ${{ env.IMAGE }}
tags: |
${{ github.sha }}
${{ inputs.version }}
- name: Generate SBOM
uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0
with:
image: ${{ env.IMAGE }}:${{ github.sha }}
format: cyclonedx-json
output-file: .sbom.json
upload-artifact: false
upload-release-assets: false
- name: Login to registry
uses: redhat-actions/podman-login@4934294ad0449894bcd1e9f191899d7292469603 # v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
id: push
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
with:
registry: ${{ env.REGISTRY }}
image: ${{ env.SCOPED_NAME }}
tags: |
${{ github.sha }}
${{ inputs.version }}
- name: Generate image attestation
uses: actions/attest-build-provenance@7668571508540a607bdfd90a87a560489fe372eb # v2
with:
subject-name: ${{ env.IMAGE }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true
- name: Generate SBOM attestation
uses: actions/attest-sbom@cbfd0027ae731a5892db25ecd226930d7ffd19eb # v2
with:
subject-name: ${{ env.IMAGE }}
subject-digest: ${{ steps.push.outputs.digest }}
sbom-path: .sbom.json
push-to-registry: true
bump-image:
runs-on: ubuntu-latest
needs: [build]
permissions:
contents: write
pull-requests: write
env:
DIGEST: ${{ needs.build.outputs.digest }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
# differential-checkton tests require full commit history
fetch-depth: 0
submodules: true
- name: Test release image
run: |
make test-with-prebuilt-image IMAGE="${IMAGE}:${VERSION}@${DIGEST}"
- name: Auto-update files for release
env:
GH_TOKEN: ${{ github.token }}
run: |
#!/bin/bash
set -e
prev_image=$(yq '.runs.image' action.yaml)
prev_image_without_digest=${prev_image%@*}
prev_version=${prev_image_without_digest##*:} # extract tag
if [[ ! "$prev_version" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-.*)?$ ]]; then
prev_version=""
fi
hack/update_changelog.py -r "$VERSION" -p "$prev_version" -R "$GITHUB_REPOSITORY"
image_with_digest=${IMAGE}:${VERSION}@${DIGEST}
sed -E "s;(\s*)image: .*;\1image: docker://$image_with_digest;" -i action.yaml
sed -E "s;uses: $GITHUB_REPOSITORY@.*;uses: $GITHUB_REPOSITORY@$VERSION;" -i README.md
if [[ -z "$(git diff)" ]]; then
echo "No changes applied. Is this version already released?" >&2
exit 1
fi
git config --global user.name "checkton-bot"
git config --global user.email "<[email protected]>"
git checkout -b "selfupdate/$VERSION"
msg="Release $VERSION"
cat <<- EOF > /tmp/body.txt
* Update the action image to \`$image_with_digest\`
* Mark \`$VERSION\` as released in the CHANGELOG
* Update version tag in the usage example in the README
You may wish to verify that the image is legit:
\`\`\`
gh attestation verify --repo $GITHUB_REPOSITORY oci://$image_with_digest
\`\`\`
EOF
git add --update
git commit -m "$msg"
git push -f --set-upstream origin "selfupdate/$VERSION"
gh pr create --title "$msg" --body-file /tmp/body.txt