diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6446197e42..cac4627619 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,6 +94,7 @@ jobs:
 needs:
 - rustfmt
 - check-release
+ secrets: inherit
 uses: ./.github/workflows/github-release.yml
 with:
 node_tag: ${{ needs.check-release.outputs.node_tag }}
diff --git a/.github/workflows/core-build-tests.yml b/.github/workflows/core-build-tests.yml
index 614f3f69c3..7d652f2a89 100644
--- a/.github/workflows/core-build-tests.yml
+++ b/.github/workflows/core-build-tests.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Build the binaries
 id: build
 run: |
- cargo build
+ cargo build --bin stacks-inspect
 - name: Dump constants JSON
 id: consts-dump
 run: cargo run --bin stacks-inspect -- dump-consts | tee out.json
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 6474ad2c07..ef0620c4c7 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -38,9 +38,9 @@ concurrency:
 run-name: ${{ inputs.node_tag || inputs.signer_tag }}
 jobs:
- ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
+ ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
 ## - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0
- ## - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
+ ## - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
 andon-cord:
 if: |
 inputs.node_tag != '' ||
@@ -65,6 +65,9 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - andon-cord
+ permissions:
+ id-token: write
+ attestations: write
 strategy:
 ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch
 max-parallel: 10
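Review bot: `secrets: inherit` on the `uses: ./.github/workflows/github-release.yml` call forwards every repository and organization secret to the called workflow, which is broader than the release workflow can plausibly need. The `on.workflow_call.secrets` declaration of github-release.yml is not in this diff, but if the set of secrets it consumes is known, declare them there and pass each one by name under `secrets:` instead of `inherit`, so that a compromised step in the reusable workflow cannot reach unrelated secrets. The calling job's definition starts before this hunk.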
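Review bot: The new job-level `permissions:` block listing only `id-token: write` and `attestations: write` resets every unlisted scope for this job to `none`, including `contents: read`. If the build job checks out the repository or reads it with `GITHUB_TOKEN` (its steps are outside the hunk), add `contents: read` to the block; the same caveat applies to the identical blocks added to the Docker jobs in this commit. A short comment such as `## Minimal token scopes for actions/attest-build-provenance; unlisted scopes become none` above the block would make the intent clear to the next editor.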
@@ -135,6 +138,10 @@ jobs:
 inputs.signer_tag != ''
 name: Docker Image (Binary)
 runs-on: ubuntu-latest
+ environment: "Push to Docker"
+ permissions:
+ id-token: write
+ attestations: write
 needs:
 - andon-cord
 - build-binaries
@@ -164,7 +171,6 @@ jobs:
 ## Create the downstream PR for the release branch to master,develop
 create-pr:
 if: |
- !contains(github.ref, '-rc') &&
 (
 inputs.node_tag != '' ||
 inputs.signer_tag != ''
diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml
index 82f15893c6..947d8fe580 100644
--- a/.github/workflows/image-build-source.yml
+++ b/.github/workflows/image-build-source.yml
@@ -23,6 +23,9 @@ jobs:
 runs-on: ubuntu-latest
 ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow.
 environment: "Push to Docker"
+ permissions:
+ id-token: write
+ attestations: write
 steps:
 ## Setup Docker for the builds
 - name: Docker setup
@@ -68,3 +71,22 @@ jobs:
 GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
 TARGET_CPU=x86-64-v3
 push: ${{ env.DOCKER_PUSH }}
+
+ ## Generate docker image attestation(s)
+ - name: Generate artifact attestation (${{ github.event.repository.name }})
+ id: attest_primary
+ uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+ with:
+ subject-name: |
+ index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate artifact attestation (stacks-blockchain)
+ id: attest_secondary
+ uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+ with:
+ subject-name: |
+ index.docker.io/${{env.docker-org}}/stacks-blockchain
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
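Review bot: `subject-name: |` is a literal block scalar, so both attestation steps hand the action an image name with a trailing newline, and with `push-to-registry: true` that string is also what selects the registry to push the attestation to; unless actions/attest-build-provenance is known to trim its inputs, write it as a plain scalar, `subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}`, or use `|-`. The two steps also run unconditionally while the build step's `push:` is gated on `env.DOCKER_PUSH`, so on a run where nothing is pushed `steps.docker_build.outputs.digest` is presumably empty and the attestation push fails; gate them on the same flag, e.g. `if: env.DOCKER_PUSH == 'true'` (assuming the variable holds a string `true`/`false`). The step with id `docker_build` and whether it also pushes the `stacks-blockchain` name the second step attests are outside this hunk and should be confirmed.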