action: support pre-release provenance (#73)

elastic · Mar 27, 2024 · c9efd9c · c9efd9c
1 parent 61b587a
commit c9efd9c
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -5,33 +5,42 @@ on:
     branches: [ "main" ]
 
 permissions:
-  contents: write
-  issues: write
-  packages: write
+  contents: read
 
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
+  RELEASE_PACKAGES: ".artifacts/package/release/*.nupkg"
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      packages: write
     steps:
       - uses: actions/checkout@v4
+
       - name: Bootstrap Action Workspace
         id: bootstrap
         uses: ./.github/workflows/bootstrap
 
       - run: ./build.sh release --test-suite=skip-e2e
         name: Release
 
+      - name: generate build provenance
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/${{ env.RELEASE_PACKAGES }}"
+
       - name: publish canary packages github package repository
         shell: bash
         # this is a best effort to push to GHPR, we've observed it being unavailable intermittently
         continue-on-error: true
-        run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols
+        run: dotnet nuget push '${{ env.RELEASE_PACKAGES }}' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols
 
       # Github packages requires authentication, this is likely going away in the future so for now we publish to feedz.io
-      - run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols
+      - run: dotnet nuget push '${{ env.RELEASE_PACKAGES }}' -k ${{secrets.FEEDZ_IO_API_KEY}} -s https://f.feedz.io/elastic/all/nuget/index.json --skip-duplicate --no-symbols
         name: publish canary packages to feedz.io
         if: false && github.event_name == 'push' && startswith(github.ref, 'refs/heads')
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -14,6 +14,7 @@ env:
   NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
   JOB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
   SLACK_CHANNEL: "#apm-agent-dotnet"
+  RELEASE_PACKAGES: ".artifacts/package/release/*.nupkg"
 
 jobs:
   release:
@@ -33,7 +34,7 @@ jobs:
     - name: generate build provenance
       uses: github-early-access/generate-build-provenance@main
       with:
-        subject-path: "${{ github.workspace }}/.artifacts/package/release/*.nupkg"
+        subject-path: "${{ github.workspace }}/${{ env.RELEASE_PACKAGES }}"
 
     - name: Prepare Nuget
       uses: hashicorp/[email protected]
@@ -48,7 +49,7 @@ jobs:
 
     - name: Release to Nuget (only for release events)
       if: ${{ github.event_name == 'release' }}
-      run: dotnet nuget push '.artifacts/package/release/*.nupkg' -k ${REPO_API_KEY} -s  ${REPO_API_URL} --skip-duplicate --no-symbols
+      run: dotnet nuget push '${{ env.RELEASE_PACKAGES }}' -k ${REPO_API_KEY} -s  ${REPO_API_URL} --skip-duplicate --no-symbols
 
     - if: ${{ success() && github.event_name == 'release' }}
       uses: elastic/apm-pipeline-library/.github/actions/slack-message@current