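---
# Release pipeline: builds/pushes the devcontainer images (reusable workflow),
# then decorates the published GitHub release with notes, SLSA provenance,
# generated documents, and finally publishes devcontainer templates and
# comments on the PRs that shipped in the release.
name: Release Build

on:
  release:
    types: [published]
  # NOTE(review): on workflow_dispatch, github.ref_name is whatever branch or
  # tag was selected; the release-notes jobs below run
  # `gh release view "${REF_NAME}"`, so dispatching from a ref that is not an
  # existing release tag will fail at that step. Confirm this is intended.
  workflow_dispatch:

concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  # Cancelling an in-flight release run can stop it after an image was pushed
  # but before its provenance/notes were attached; a re-run for the same ref
  # is expected to redo every step, so this is tolerated here.
  cancel-in-progress: true

# No default token scopes; every job declares exactly what it needs.
permissions: {}

jobs:
  build-push-test:
    name: Build, Push and Test (🍨 ${{ matrix.flavor }})
    strategy:
      matrix:
        flavor: [cpp, rust]
    uses: ./.github/workflows/wc-build-push-test.yml
    # Test credentials (incl. a password and TOTP seed) are forwarded to the
    # reusable workflow; keep that workflow pinned to this repo (it is, via the
    # relative path) so these secrets never reach third-party code.
    secrets:
      TEST_GITHUB_TOKEN: ${{ secrets.TEST_GITHUB_TOKEN }}
      TEST_GITHUB_USER: ${{ secrets.TEST_GITHUB_USER }}
      TEST_GITHUB_PASSWORD: ${{ secrets.TEST_GITHUB_PASSWORD }}
      TEST_GITHUB_TOTP_SECRET: ${{ secrets.TEST_GITHUB_TOTP_SECRET }}
    permissions:
      actions: read # is needed by anchore/sbom-action to find workflow artifacts when attaching release assets
      attestations: write # is needed by actions/attest-build-provenance to push attestations
      contents: write # is needed by anchore/sbom-action for artifact uploads
      id-token: write # is needed by actions/attest-build-provenance to obtain an OIDC token
      packages: write # is needed to push image manifest when using GitHub Container Registry
      # NOTE(review): on a release event there is no PR to comment on; this
      # scope is only meaningful if the called workflow guards the comment step.
      pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments
    with:
      devcontainer-metadata-file: .devcontainer/${{ matrix.flavor }}/devcontainer-metadata.json
      dockerfile: .devcontainer/${{ matrix.flavor }}/Dockerfile
      image-name: ${{ github.repository }}-${{ matrix.flavor }}
      integration-test-file: test/${{ matrix.flavor }}/integration-tests.bats
      acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
      test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}

  apply-release-notes-template:
    name: 📝 Apply Release Template
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    steps:
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          disable-sudo-and-containers: true
          # `audit` only logs egress; this job holds a contents:write token, so
          # switch to `block` with an allowed-endpoints list once the required
          # hosts (api.github.com, uploads.github.com, ...) are confirmed.
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # Do not leave the token in .git/config for later steps.
          persist-credentials: false
      # Inserts .github/RELEASE_TEMPLATE.md right after the first "## " heading
      # of the auto-generated notes. Inputs reach the shell only via env vars,
      # never via ${{ }} interpolation into the script.
      - name: Amend release description
        run: |
          set -Eeuo pipefail
          CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
          TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
          BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
          gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
        # NOTE(review): command substitution strips trailing newlines, so
        # HEADER, TEMPLATE and BODY are joined without separators; this relies
        # on RELEASE_TEMPLATE.md starting and ending with a newline. Verify.
        env:
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}

  update-release-notes:
    name: Update Release Notes (🍨 ${{ matrix.flavor }})
    strategy:
      # Both flavors read-modify-write the same release body (view -> edit).
      # Run them serially so one leg's substitution is not overwritten by the
      # other leg's stale copy of the notes.
      max-parallel: 1
      matrix:
        flavor: [cpp, rust]
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    needs: [build-push-test, apply-release-notes-template]
    env:
      CONTAINER_FLAVOR: ${{ matrix.flavor }}
      REF_NAME: ${{ github.ref_name }}
      REGISTRY: ghcr.io
    steps:
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      # Resolves the tag pushed by build-push-test to an immutable digest; the
      # digest, not the mutable tag, is what gets verified and published below.
      - name: Inspect manifest and extract digest
        id: inspect-manifest
        run: |
          set -Eeuo pipefail
          output=$(docker buildx imagetools inspect "${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
          echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
        # NOTE(review): the `.manifests[0].digest` fallback picks the first
        # platform manifest of an index; confirm it matches the subject the
        # provenance attestation was produced for.
        env:
          GH_REPO: ${{ github.repository }}
      # `gh attestation verify --repo` checks that the provenance for this
      # digest was signed by this repository's workflow identity before the
      # payload is extracted; with `set -e` a failed verification aborts the
      # job instead of publishing an unverified bundle.
      - name: Upload provenance to release
        run: |
          set -Eeuo pipefail
          FORMATTED_DIGEST=${DIGEST//:/_}
          gh attestation verify --repo "${GH_REPO}" "oci://${REGISTRY}/${GH_REPO}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${REPOSITORY_OWNER}-${REPOSITORY_NAME}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
          gh release upload "${REF_NAME}" ./*.intoto.jsonl
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REPOSITORY_OWNER: ${{ github.repository_owner }}
          REPOSITORY_NAME: ${{ github.event.repository.name }}
      # Replaces the {{ amp-devcontainer-<flavor>-version }} / -sha placeholders
      # from the release template with the tag and the verified digest.
      - name: Update package details in release
        run: |
          set -Eeuo pipefail
          UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
          UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
          gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
        env:
          DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}

  publish-devcontainer-templates:
    name: 📝 Publish templates
    runs-on: ubuntu-latest
    # NOTE(review): this job is not gated on build-push-test, so templates are
    # published even when the image build fails; add `needs: [build-push-test]`
    # if the templates reference the images built in this run.
    permissions:
      packages: write # is needed by devcontainers/action to write templates as OCI artifacts
    steps:
      # Same harden-runner pin as the other jobs (was one patch release behind).
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          # Containers are left enabled here in case devcontainers/action or
          # docker login need a container runtime; verify and tighten to
          # disable-sudo-and-containers if they do not.
          disable-sudo: true
          egress-policy: audit
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Job-scoped token; only packages:write is granted to this job.
          password: ${{ github.token }}
      - uses: devcontainers/action@1082abd5d2bf3a11abccba70eef98df068277772 # v1.4.3
        with:
          disable-repo-tagging: true
          publish-templates: true
          base-path-to-templates: .devcontainer

  generate-documents:
    name: 📄 Documentation
    uses: ./.github/workflows/wc-document-generation.yml
    permissions:
      contents: read

  upload-documents:
    name: 📄 Upload Documents
    runs-on: ubuntu-latest
    permissions:
      # Please note that this is an overly broad scope, but GitHub does not
      # currently provide a more fine-grained permission for release modification.
      contents: write # is needed to modify a release
    needs: [generate-documents]
    steps:
      # Same harden-runner pin and container policy as the other jobs; this
      # job only runs gh and download-artifact, so containers are not needed.
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          pattern: documents
          # With `pattern`, each matched artifact is extracted into its own
          # subdirectory unless merged; the upload step globs ./*.pdf in the
          # working directory, so merge into it.
          merge-multiple: true
      - name: Upload documents to release
        run: |
          set -Eeuo pipefail
          gh release upload "${REF_NAME}" ./*.pdf
        env:
          GH_REPO: ${{ github.repository }}
          GH_TOKEN: ${{ github.token }}
          REF_NAME: ${{ github.ref_name }}

  comment-released-prs:
    name: Comment on released PRs
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs
    # Only tell PR authors their change was released once the release build
    # actually succeeded.
    needs: [build-push-test]
    steps:
      - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          disable-sudo-and-containers: true
          egress-policy: audit
      - uses: rdlf0/comment-released-prs-action@a81897eaea04a5faa8779d28607826ddb033321a # v3.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}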