Skip to content

fix: remove unpinned image warning in lint for cosign signatures (#2681) #141

fix: remove unpinned image warning in lint for cosign signatures (#2681)

fix: remove unpinned image warning in lint for cosign signatures (#2681) #141

Workflow file for this run

name: Release CLI and Packages on Tag
permissions:
contents: read
on:
push:
tags:
- "v*"
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: Build CLI
run: |
make build-cli-linux-amd
make build-cli-linux-arm
- name: "Zarf Agent: Login to GHCR"
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ghcr.io
username: dummy
password: ${{ github.token }}
- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64
cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME .
rm build/zarf-linux-amd64
rm build/zarf-linux-arm64
echo ZARF_AGENT_IMAGE_DIGEST=$(docker buildx imagetools inspect ghcr.io/defenseunicorns/zarf/agent:$GITHUB_REF_NAME --format '{{ json . }}' | jq -r .manifest.digest) >> $GITHUB_ENV
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME ghcr.io/defenseunicorns/zarf/agent@$ZARF_AGENT_IMAGE_DIGEST -y
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
# Builds init packages since GoReleaser won't handle this for us
- name: Build init-packages For Release
run: |
make release-init-package ARCH=amd64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
make release-init-package ARCH=arm64 AGENT_IMAGE_TAG=$GITHUB_REF_NAME
- name: Publish Init Package as OCI and Skeleton
run: |
make publish-init-package ARCH=amd64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
make publish-init-package ARCH=arm64 REPOSITORY_URL=ghcr.io/defenseunicorns/packages
# Create a CVE report based on this build
- name: Create release time CVE report
run: "make cve-report"
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: build-artifacts
path: build/
retention-days: 1
validate:
runs-on: ubuntu-latest
needs: build
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Download build artifacts
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
with:
name: build-artifacts
path: build/
- name: Setup golang
uses: ./.github/actions/golang
- name: Make Zarf executable
run: |
chmod +x build/zarf
# Before we run the regular tests we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
# Build the example packages and run the tests
- name: Build examples and run tests
run: |
sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
- name: Save logs
if: always()
uses: ./.github/actions/save-logs
push:
runs-on: ubuntu-latest
needs: validate
environment: release
permissions:
contents: write
steps:
# Checkout the repo and setup the tooling for this job
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Setup golang
uses: ./.github/actions/golang
- name: Install tools
uses: ./.github/actions/install-tools
- name: Download build artifacts
uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
with:
name: build-artifacts
path: build/
# Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
- name: Set AWS Credentials
uses: aws-actions/configure-aws-credentials@010d0da01d0b5a38af31e9c3470dbfdabdecca3a # v4.0.1
with:
aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1
- name: Make zarf executable and skip brew latest for pre-release tags
run: |
chmod +x build/zarf
if [[ $GITHUB_REF_NAME == *"rc"* ]]; then
echo "BREW_NAME=zarf@latest-rc" >> $GITHUB_ENV
else
echo "BREW_NAME=zarf" >> $GITHUB_ENV
fi
# Before we run the release we need to aggressively cleanup files to reduce disk pressure
- name: Cleanup files
uses: ./.github/actions/cleanup-files
- name: Setup release ENV vars
run: |
K8S_MODULES_VER=$(go list -f '{{.Version}}' -m k8s.io/client-go | sed 's/v//; s/\./ /g')
echo K8S_MODULES_MAJOR_VER=$(expr $(echo "$K8S_MODULES_VER" | cut -d " " -f 1) + 1) >> $GITHUB_ENV
echo K8S_MODULES_MINOR_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 2) >> $GITHUB_ENV
echo K8S_MODULES_PATCH_VER=$(echo "$K8S_MODULES_VER" | cut -d " " -f 3) >> $GITHUB_ENV
echo K9S_VERSION=$(go list -f '{{.Version}}' -m github.com/derailed/k9s) >> $GITHUB_ENV
echo CRANE_VERSION=$(go list -f '{{.Version}}' -m github.com/google/go-containerregistry) >> $GITHUB_ENV
echo SYFT_VERSION=$(go list -f '{{.Version}}' -m github.com/anchore/syft) >> $GITHUB_ENV
echo ARCHIVER_VERSION=$(go list -f '{{.Version}}' -m github.com/mholt/archiver/v3) >> $GITHUB_ENV
echo HELM_VERSION=$(go list -f '{{.Version}}' -m helm.sh/helm/v3) >> $GITHUB_ENV
- name: Get Brew tap repo token
id: brew-tap-token
uses: actions/create-github-app-token@f2acddfb5195534d487896a656232b016a682f3c # v1.9.0
with:
app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
owner: defenseunicorns
repositories: homebrew-tap
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
distribution: goreleaser
version: "~> v2"
args: release --clean --verbose
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ steps.brew-tap-token.outputs.token }}
- name: Save CVE report
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: cve-report
path: build/zarf-known-cves.csv