-
Notifications
You must be signed in to change notification settings - Fork 5
88 lines (70 loc) · 3.3 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
name: Create KRCI release
on:
push:
tags:
- 'v*'
env:
GOLANG_VERSION: '1.22'
jobs:
prepare-release:
name: Perform automatic release on trigger ${{ github.ref }}
runs-on: ubuntu-latest
env:
# The name of the tag as supplied by the GitHub event
SOURCE_TAG: ${{ github.ref }}
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
fetch-depth: '0'
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: ${{ env.GOLANG_VERSION }}
- name: Check if the published tag is well formed and setup vars
run: |
set -xue
# refs/tags/v2.10.7 -> v2.10.7
RELEASE_TAG="${SOURCE_TAG##*/}"
# install git-chglog
go install github.com/git-chglog/git-chglog/cmd/git-chglog@latest
# install crane
go install github.com/google/go-containerregistry/cmd/[email protected]
# install rekor-cli
go install github.com/sigstore/rekor/cmd/[email protected]
git-chglog --template .chglog/release.tpl.md -o release.md ${RELEASE_TAG}
# Extract image name and tag from RELEASE_TAG
IMAGE_NAME="epamedp/sonar-operator"
IMAGE_TAG=${RELEASE_TAG#v}
# Get the digest of the image
DIGEST=$(crane digest ${IMAGE_NAME}:${IMAGE_TAG} | tr ':' '-')
# Get the digest of the attestation layer
ATTESTATION_DIGEST=$(crane manifest ${IMAGE_NAME}:${DIGEST}.att | jq -r '.layers[].digest')
# Get the digest of the signature layer
SIGNATURE_DIGEST=$(crane manifest ${IMAGE_NAME}:${DIGEST}.sig | jq -r '.layers[].digest')
# Search for the UUID of the attestation in JSON format
ATTESTATION_UUID_JSON=$(rekor-cli search --sha ${ATTESTATION_DIGEST} --format json)
# Search for the UUID of the signature in JSON format
SIGNATURE_UUID_JSON=$(rekor-cli search --sha ${SIGNATURE_DIGEST} --format json)
# Parse the JSON output to get the UUIDs
ATTESTATION_UUID=$(echo ${ATTESTATION_UUID_JSON} | jq -r '.UUIDs[0]')
SIGNATURE_UUID=$(echo ${SIGNATURE_UUID_JSON} | jq -r '.UUIDs[0]')
# Create a new file with the desired text and the UUIDs
echo "### Deployment Certifications and Source Traceability" > new_release.md
echo "KubeRocketCI container images bear [cosign](https://github.com/sigstore/cosign) signatures. Refer to the [documentation](https://docs.kuberocketci.io/docs/developer-guide/artifacts-verification) for instructions on verification." >> new_release.md
echo "The Rekor UUID's for this release is \`${ATTESTATION_UUID}\` - attestation and" >> new_release.md
echo "\`${SIGNATURE_UUID}\` - signature" >> new_release.md
# Append the contents of release.md to new_release.md
cat release.md >> new_release.md
# Move new_release.md to release.md
mv new_release.md release.md
echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
- name: Create GitHub release
uses: actions/create-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
id: create_release
with:
tag_name: ${{ env.RELEASE_TAG }}
release_name: ${{ env.RELEASE_TAG }}
body_path: release.md