-
Notifications
You must be signed in to change notification settings - Fork 5
107 lines (100 loc) · 3.94 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
on:
push:
branches:
- main
tags:
- "v*"
name: Release policy - test
jobs:
test:
name: run tests and linters
uses: ./.github/workflows/reusable-test-policy-go.yml
release:
needs: test
permissions:
# Required to create GH releases
contents: write
# Required to push to GHCR
packages: write
# Required by cosign keyless signing
id-token: write
# TODO: go back to using the reusable workflow once we don't need the special tinygo build
#uses: kubewarden/github-actions/.github/workflows/[email protected]
#with:
# oci-target: ghcr.io/${{ github.repository_owner }}/policies/container-resources
runs-on: ubuntu-latest
steps:
- name: Install dependencies
uses: kubewarden/github-actions/[email protected]
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
# until https://github.com/actions/checkout/pull/579 is released
fetch-depth: 0
- name: Install patched tinygo
shell: bash
run: |
wget https://github.com/tinygo-org/tinygo/releases/download/v0.31.1/tinygo_0.31.1_amd64.deb
sudo dpkg -i tinygo_0.31.1_amd64.deb
wget https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-16/libclang_rt.builtins-wasm32-wasi-16.0.tar.gz
tar xvf libclang_rt.builtins-wasm32-wasi-16.0.tar.gz
sudo cp lib/wasi/libclang_rt.builtins-wasm32.a /usr/local/lib/tinygo/lib/wasi-libc/sysroot/lib/wasm32-wasi/
sudo cp wasi-gh-action.json /usr/local/lib/tinygo/targets/wasi.json
- id: calculate-version
if: ${{ inputs.artifacthub }}
# obtain latest tag. Here it must be the current release tag
run: echo "version=$(git describe --tags --abbrev=0 | cut -c2-)" >> $GITHUB_OUTPUT
shell: bash
- name: Check that artifacthub-pkg.yml is up-to-date
if: ${{ inputs.artifacthub }}
uses: kubewarden/github-actions/[email protected]
with:
version: ${{ steps.calculate-version.outputs.version }}
- name: Build policy
run: |
tinygo build -o policy.wasm -target=wasi -no-debug .
- name: Generate the SBOM files
shell: bash
run: |
spdx-sbom-generator -f json
# SBOM files should have "sbom" in the name due the CLO monitor
# https://clomonitor.io/docs/topics/checks/#software-bill-of-materials-sbom
mv bom-go-mod.json policy-sbom.spdx.json
- name: Annotate Wasm module
shell: bash
run: |
make annotated-policy.wasm
- name: Sign BOM file
shell: bash
run: |
cosign sign-blob --yes --output-certificate policy-sbom.spdx.cert \
--output-signature policy-sbom.spdx.sig \
policy-sbom.spdx.json
- name: Upload policy SBOM files
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: policy-sbom
path: |
policy-sbom.spdx.json
policy-sbom.spdx.cert
policy-sbom.spdx.sig
- name: Run e2e tests
run: |
make e2e-tests
- name: Release
uses: kubewarden/github-actions/[email protected]
with:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
oci-target: ghcr.io/${{ github.repository_owner }}/policies/container-resources
push-artifacthub:
# skip when releasing :latest from main, versions will not match
if: startsWith(github.ref, 'refs/tags/v')
needs: release
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# added or changed files to the repository.
contents: write
runs-on: ubuntu-latest
steps:
-
name: Push artifacthub files to artifacthub branch
uses: kubewarden/github-actions/[email protected]