From 97a3a508c6a3ce99d621140514a7a3ee96817d9b Mon Sep 17 00:00:00 2001
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Tue, 8 Apr 2025 12:12:14 -0700
Subject: [PATCH 1/6] move restriction to composite action
---
 .github/workflows/github-release.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 6474ad2c07..dd8557272b 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -164,7 +164,6 @@ jobs:
 ## Create the downstream PR for the release branch to master,develop
 create-pr:
 if: |
- !contains(github.ref, '-rc') &&
 (
 inputs.node_tag != '' ||
 inputs.signer_tag != ''
From 76f651728197e8517c1294ff495cd2fba654871d Mon Sep 17 00:00:00 2001
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Tue, 8 Apr 2025 12:15:10 -0700
Subject: [PATCH 2/6] Adding attestation and permissions for standalone image
---
 .github/workflows/image-build-source.yml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml
index 82f15893c6..6955dc52eb 100644
--- a/.github/workflows/image-build-source.yml
+++ b/.github/workflows/image-build-source.yml
@@ -23,6 +23,9 @@ jobs:
 runs-on: ubuntu-latest
 ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow.
 environment: "Push to Docker"
+ permissions:
+ id-token: write
+ attestations: write
 steps:
 ## Setup Docker for the builds
 - name: Docker setup
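Review bot: The `!contains(github.ref, '-rc')` guard is dropped from `create-pr`'s `if:`, but nothing in this series shows where that restriction now lives, so as far as this workflow is concerned the downstream PR job will also run for release-candidate tags. If the check has moved into a composite action that the job's steps call, say so at the job so the next reader does not re-add it: `## -rc tags are filtered inside the composite action, not in this condition`; if it has not, the condition should keep the guard. The `if:` expression and the rest of `create-pr` continue past the hunk.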
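Review bot: Declaring `permissions:` on the job resets every scope not listed to `none`, so after this hunk the job's `GITHUB_TOKEN` has `id-token: write` and `attestations: write` but no `contents` access; if any step in this job checks out the repository (the steps are below the hunk), add `contents: read` to the block, which is also the form the attest-build-provenance documentation shows. The same three-line block is added to `Docker Image (Binary)` in patch 5 (`@@ -135,11 +135,14 @@`) and to the binary build job in patch 6 (`@@ -65,6 +65,9 @@`), and both need the same line for the same reason. The job's header is above the hunk.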
@@ -68,3 +71,24 @@ jobs:
 GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
 TARGET_CPU=x86-64-v3
 push: ${{ env.DOCKER_PUSH }}
+
+ ## Generate docker image attestation(s)
+ - name: Generate artifact attestation (${{ github.event.repository.name }})
+ id: attest_primary
+ uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+ with:
+ # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
+ subject-name: |
+ index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
+
+ - name: Generate artifact attestation (stacks-blockchain)
+ id: attest_secondary
+ uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+ with:
+ # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
+ subject-name: |
+ index.docker.io/${{env.docker-org}}/stacks-blockchain
+ subject-digest: ${{ steps.docker_build.outputs.digest }}
+ push-to-registry: true
From e8483715d96d7a77b94db128afaf36b2cc6209ae Mon Sep 17 00:00:00 2001
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Tue, 8 Apr 2025 12:15:54 -0700
Subject: [PATCH 3/6] Only build stacks-inspect for test
---
 .github/workflows/core-build-tests.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/core-build-tests.yml b/.github/workflows/core-build-tests.yml
index 614f3f69c3..7d652f2a89 100644
--- a/.github/workflows/core-build-tests.yml
+++ b/.github/workflows/core-build-tests.yml
@@ -24,7 +24,7 @@ jobs:
 - name: Build the binaries
 id: build
 run: |
- cargo build
+ cargo build --bin stacks-inspect
 - name: Dump constants JSON
 id: consts-dump
 run: cargo run --bin stacks-inspect -- dump-consts | tee out.json
From dbd71ab510e7321e5a97844e47f02fdabc6793d3 Mon Sep 17 00:00:00 2001
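Review bot: Both attestation steps run unconditionally, while the build step they attest pushes only when `push: ${{ env.DOCKER_PUSH }}` is true, so on a non-push run `subject-digest` refers to an image that was never published and `push-to-registry: true` has no registry manifest to attach to; gating each step with `if: ${{ env.DOCKER_PUSH == 'true' }}` (adjust to however `DOCKER_PUSH` is set — its definition is outside the hunk) keeps every attestation tied to a pushed image. The second step signs the same digest under the `stacks-blockchain` name, which is only meaningful if the build step also pushed the image under that name; a comment saying so next to `attest_secondary` would document the assumption. On style, `subject-name: |` sends a one-line value plus a trailing newline through a literal block scalar; plain `subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}` is clearer and matches the `${{ ... }}` spacing used on `subject-digest`. Patch 5 keeps the block-scalar form in its `@@ -77,8 +77,7 @@` and `@@ -87,8 +86,7 @@` hunks.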
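Review bot: The step keeps the name `Build the binaries` although after this hunk it builds only `stacks-inspect`; rename it, for example `- name: Build stacks-inspect`, so the job log states what actually ran. The job containing these steps starts above the hunk.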
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Wed, 9 Apr 2025 13:32:48 -0700
Subject: [PATCH 4/6] modify how environments are used
---
 .github/workflows/ci.yml | 1 +
 .github/workflows/github-release.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6446197e42..cac4627619 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -94,6 +94,7 @@ jobs:
 needs:
 - rustfmt
 - check-release
+ secrets: inherit
 uses: ./.github/workflows/github-release.yml
 with:
 node_tag: ${{ needs.check-release.outputs.node_tag }}
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index dd8557272b..d36bfda6d9 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -139,6 +139,7 @@ jobs:
 - andon-cord
 - build-binaries
 - create-release
+ environment: "Push to Docker"
 strategy:
 fail-fast: false
 ## Build a maximum of 2 images concurrently based on matrix.dist
From 265b10ca82166a0113aad5b67d6a82584a4db161 Mon Sep 17 00:00:00 2001
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Wed, 9 Apr 2025 21:54:50 -0700
Subject: [PATCH 5/6] add required permissions and environment
---
 .github/workflows/github-release.yml | 9 ++++++---
 .github/workflows/image-build-source.yml | 6 ++----
 2 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index d36bfda6d9..5e37ca65c2 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
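Review bot: `secrets: inherit` forwards every repository and organization secret to the called workflow, while this job only needs whatever `github-release.yml` actually reads; mapping those explicitly under `secrets:` (their names are not visible in this series) keeps the reusable workflow at least privilege and makes it obvious later which secrets the release path can reach. The called workflow lives in the same repository, which bounds the exposure, but an explicit list is still the safer default and costs one line per secret. The calling job's header is above the hunk.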
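Review bot: The added `environment: "Push to Docker"` puts a second approval gate on this job beyond the `Build Release` gate that `andon-cord` already imposes through `needs`, but the file's header comment (visible in patch 5's `@@ -38,9 +38,9 @@` hunk) documents only the first; a job comment in the wording the standalone image workflow already uses, `## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this job.`, would keep the two files consistent. Patch 5 moves this line above `needs:` without adding such a comment, so it would need to travel with it. The job's header is above the hunk.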
@@ -38,9 +38,9 @@ concurrency:
 run-name: ${{ inputs.node_tag || inputs.signer_tag }}
 jobs:
- ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
+ ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
 ## - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0
- ## - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
+ ## - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
 andon-cord:
 if: |
 inputs.node_tag != '' ||
@@ -135,11 +135,14 @@ jobs:
 inputs.signer_tag != ''
 name: Docker Image (Binary)
 runs-on: ubuntu-latest
+ environment: "Push to Docker"
+ permissions:
+ id-token: write
+ attestations: write
 needs:
 - andon-cord
 - build-binaries
 - create-release
- environment: "Push to Docker"
 strategy:
 fail-fast: false
 ## Build a maximum of 2 images concurrently based on matrix.dist
diff --git a/.github/workflows/image-build-source.yml b/.github/workflows/image-build-source.yml
index 6955dc52eb..947d8fe580 100644
--- a/.github/workflows/image-build-source.yml
+++ b/.github/workflows/image-build-source.yml
@@ -77,8 +77,7 @@ jobs:
 id: attest_primary
 uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
 with:
- # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
- subject-name: |
+ subject-name: |
 index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
 subject-digest: ${{ steps.docker_build.outputs.digest }}
 push-to-registry: true
@@ -87,8 +86,7 @@ jobs:
 id: attest_secondary
 uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
 with:
- # subject-name: index.docker.io/${{ env.docker-org }}/${{ github.event.repository.name }}
- subject-name: |
+ subject-name: |
 index.docker.io/${{env.docker-org}}/stacks-blockchain
 subject-digest: ${{ steps.docker_build.outputs.digest }}
 push-to-registry: true
From 9f9c160ecdb0d73d83065444c82d8ac0a43f62bd Mon Sep 17 00:00:00 2001
From: wileyj <2847772+wileyj@users.noreply.github.com>
Date: Thu, 10 Apr 2025 07:27:26 -0700
Subject: [PATCH 6/6] add missing permissions to binary build step
---
 .github/workflows/github-release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/github-release.yml b/.github/workflows/github-release.yml
index 5e37ca65c2..ef0620c4c7 100644
--- a/.github/workflows/github-release.yml
+++ b/.github/workflows/github-release.yml
@@ -65,6 +65,9 @@ jobs:
 runs-on: ubuntu-latest
 needs:
 - andon-cord
+ permissions:
+ id-token: write
+ attestations: write
 strategy:
 ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch
 max-parallel: 10
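Review bot: Nothing in the hunk shows what consumes `id-token: write` and `attestations: write` in the binary build job — the attest step is presumably inside the action the job's steps call, outside this diff — so a comment tying the grant to its consumer, e.g. `## id-token/attestations: required by the provenance attestation step in the build action`, would keep a later permissions cleanup from dropping them. If the step that needs them is in fact a separate job, the grant belongs there instead. The job's header is above the hunk and its steps follow it.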