chore(main): release 6.4.1 (#931) #8
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Release Build | |
| on: | |
| push: | |
| # This workflow should only run on tags, it will trigger when release-please | |
| # kicks-off the release process. | |
| tags: ["v*.*.*"] | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| cancel-in-progress: true | |
| permissions: {} | |
| jobs: | |
| build-push-test: | |
| uses: ./.github/workflows/wc-build-push-test.yml | |
| secrets: | |
| TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }} | |
| TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }} | |
| TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }} | |
| TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }} | |
| permissions: | |
| actions: read | |
| attestations: write | |
| checks: write | |
| contents: write | |
| id-token: write | |
| packages: write | |
| pull-requests: write | |
| with: | |
| # Disable the cache for release builds | |
| enable-cache: false | |
| apply-release-notes-template: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: audit | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| persist-credentials: false | |
| - name: Amend release description | |
| run: | | |
| set -Eeuo pipefail | |
| CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body') | |
| HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}') | |
| TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md") | |
| BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d") | |
| gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}" | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| REF_NAME: ${{ github.ref_name }} | |
| update-release-notes: | |
| strategy: | |
| matrix: | |
| flavor: [cpp, rust] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| needs: [build-push-test, apply-release-notes-template] | |
| env: | |
| CONTAINER_FLAVOR: ${{ matrix.flavor }} | |
| REF_NAME: ${{ github.ref_name }} | |
| REGISTRY: ghcr.io | |
| steps: | |
| - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 | |
| with: | |
| disable-sudo-and-containers: true | |
| egress-policy: audit | |
| - name: Inspect manifest and extract digest | |
| id: inspect-manifest | |
| run: | | |
| set -Eeuo pipefail | |
| output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}') | |
| echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT" | |
| env: | |
| GH_REPO: ${{ github.repository }} | |
| - name: Upload provenance to release | |
| run: | | |
| set -Eeuo pipefail | |
| FORMATTED_DIGEST=${DIGEST//:/_} | |
| gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl" | |
| gh release upload "${REF_NAME}" ./*.intoto.jsonl | |
| env: | |
| DIGEST: ${{ steps.inspect-manifest.outputs.digest }} | |
| GH_REPO: ${{ github.repository }} | |
| GH_TOKEN: ${{ github.token }} | |
| REPOSITORY_OWNER: ${{ github.repository_owner }} | |
| REPOSITORY_NAME: ${{ github.event.repository.name }} | |
| - name: Update package details in release | |
| run: | | |
| set -Eeuo pipefail | |
| UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body') | |
| UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"} | |
| UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"} | |
| gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}" | |
| env: | |
| DIGEST: ${{ steps.inspect-manifest.outputs.digest }} | |
| GH_REPO: ${{ github.repository }} | |
| GH_TOKEN: ${{ github.token }} |