From afc33a41c430da20fb19cdd949d2649702155c35 Mon Sep 17 00:00:00 2001 From: Adam Kaplan Date: Mon, 1 Apr 2024 15:28:16 -0400 Subject: [PATCH 1/2] Release Workflow Fixes Fixes for the release workflow to support release branches: - Print input parameters at the start of the workflow. - Use input git reference for release. - Sign image using sha of the tag's git commit. Signed-off-by: Adam Kaplan
---
 .github/workflows/release.yaml | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 40fed7774..f1de10f4a 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -28,6 +28,9 @@ jobs:
 TAG: ${{ inputs.release }}
 steps:
+ - name: Setup release ${{ inputs.release }}
+ run: |
+ echo "Creating release ${{ inputs.release }} from previous tag ${{ inputs.tags }} with ref ${{ inputs.git-ref }}"
 - uses: actions/checkout@v4
 with:
 ref: ${{ inputs.git-ref }}
@@ -57,6 +60,8 @@ jobs:
 - name: Draft release
 id: draft_release
+ # TODO: This action is no longer mainained. We should use a different action
+ # or the gh command line directly.
 uses: actions/create-release@v1
 with:
 release_name: "Shipwright Build release ${{ inputs.release }}"
@@ -64,6 +69,10 @@ jobs:
 body_path: Changes.md
 draft: true
 prerelease: true
+ # create-release assumes one fo two things if commitish is not set
+ # 1. Release is from the "latest commit" on the repo's default branch.
+ # 2. Release is for an existing tag with the same name
+ commitish: ${{ inputs.git-ref }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
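Review bot: The new `Setup release` step expands `${{ inputs.release }}`, `${{ inputs.tags }}` and `${{ inputs.git-ref }}` directly inside the `run:` script, so their text becomes part of the shell source before bash parses it and a value containing quotes or command substitution would be executed rather than printed. The inputs come from whoever is allowed to dispatch this workflow, which limits exposure, but the step runs on the same runner that later creates the release and signs images. Passing the values through `env:` and reading them as shell variables keeps them as data; `TAG` already carries `inputs.release`, judging by the context line at the top of the hunk and its use as `${TAG}` in a later step.

```yaml
- name: Setup release ${{ inputs.release }}
  env:
    PREVIOUS_TAG: ${{ inputs.tags }}
    GIT_REF: ${{ inputs.git-ref }}
  run: |
    echo "Creating release ${TAG} from previous tag ${PREVIOUS_TAG} with ref ${GIT_REF}"
```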
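Review bot: The TODO added in the `Draft release` step records that `actions/create-release` is unmaintained but carries no tracking reference, and the step still resolves the mutable tag `@v1` while being handed `GITHUB_TOKEN` (visible in the next hunk). Until the action is replaced, pinning the `uses:` line to a full commit SHA keeps the release job from following wherever `v1` is moved, e.g. `uses: actions/create-release@<full-commit-sha> # v1`. I would also link an issue in the comment, `# TODO(<issue-url>): replace unmaintained actions/create-release with the gh CLI`, and correct the spelling of "mainained".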
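Review bot: `commitish: ${{ inputs.git-ref }}` passes the ref name a second time rather than the commit that was checked out, so when `git-ref` is a branch the release may be cut from a different commit than the one this job built, and than the one recorded by `git rev-parse --verify HEAD` in the signing hunk (`@@ -78,9 +87,13 @@`). Because the release is created with `draft: true`, the ref is presumably resolved later still, when the draft is published; that is worth confirming. Resolving the SHA once after checkout and using it in both places keeps the tag and the `sha` annotation in agreement: add a step with `id: rev` that runs `echo "sha=$(git rev-parse --verify HEAD)" >> "$GITHUB_OUTPUT"`, then set `commitish: ${{ steps.rev.outputs.sha }}`. The `with:` block of this step starts before the hunk.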
@@ -78,9 +87,13 @@ jobs:
 gh release upload ${TAG} sample-strategies.yaml
 - name: Sign released images
+ # Updated to use the git SHA of the checked out commit. The SHA for
+ # workflow_dispatch events is the latest SHA of the _branch_ where the
+ # action was invoked.
 run: |
+ gitsha=$(git rev-parse --verify HEAD)
 grep -o "ghcr.io[^\"]*" release.yaml | xargs cosign sign --yes \
- -a sha=${{ github.sha }} \
+ -a sha=${gitsha} \
 -a run_id=${{ github.run_id }} \
 -a run_attempt=${{ github.run_attempt }}
From 8e36f8dba14ed7d6c08b1b3033ee9bf4406d7c13 Mon Sep 17 00:00:00 2001 From: Adam Kaplan Date: Tue, 2 Apr 2024 09:54:24 -0400 Subject: [PATCH 2/2] Fix Typo Correct a typo in YAML comment. Co-authored-by: Sascha Schwarze
---
 .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f1de10f4a..c1c01d888 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -69,7 +69,7 @@ jobs:
 body_path: Changes.md
 draft: true
 prerelease: true
- # create-release assumes one fo two things if commitish is not set
+ # create-release assumes one of two things if commitish is not set
 # 1. Release is from the "latest commit" on the repo's default branch.
 # 2. Release is for an existing tag with the same name
 commitish: ${{ inputs.git-ref }}
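Review bot: The comment added above `run:` in the `Sign released images` step (first hunk of this span, `@@ -78,9 +87,13 @@`) is phrased as a change log ("Updated to use…"), which will read oddly once the old `github.sha` line is forgotten. It should state the invariant instead, e.g. `# Annotate with the checked-out commit: on workflow_dispatch, github.sha is the tip of the branch the workflow was dispatched from, not inputs.git-ref.` The annotation becomes part of the signed payload and verifiers can match on it, so the comment should say which commit it is meant to identify. `${gitsha}` is harmless unquoted for a hex SHA, though `-a sha="${gitsha}"` matches usual shell practice.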