From 2e677b2b267ebc1debd4838714e08cdca5962408 Mon Sep 17 00:00:00 2001 From: Victor Martinez Date: Wed, 10 Apr 2024 16:35:28 +0200 Subject: [PATCH] github-action: add provenance --- .github/workflows/release-main.yml | 20 +++++++++++++++++--- .github/workflows/release.yml | 19 ++++++++++++++++--- 2 files changed, 33 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml index cf7c0a0e..475b2232 100644 --- a/.github/workflows/release-main.yml +++ b/.github/workflows/release-main.yml @@ -14,9 +14,11 @@ env: jobs: release: runs-on: ubuntu-latest - + permissions: + id-token: write + contents: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Bootstrap Action Workspace uses: ./.github/workflows/bootstrap @@ -29,8 +31,13 @@ jobs: - name: Inspect public API change run: ./build.sh generateapichanges -s true + - name: generate build provenance + uses: github-early-access/generate-build-provenance@main + with: + subject-path: "${{ github.workspace }}/build/output/*.nupkg" + - name: Prepare feedz.io - uses: hashicorp/vault-action@v2.4.2 + uses: hashicorp/vault-action@v3.0.0 with: url: ${{ secrets.VAULT_ADDR }} method: approle @@ -50,6 +57,13 @@ jobs: run: | until dotnet nuget push 'build/output/*.nupkg' -k ${{secrets.GITHUB_TOKEN}} --skip-duplicate --no-symbols -s https://nuget.pkg.github.com/elastic/index.json; do echo "Retrying"; sleep 1; done; + - name: Store artifacts + if: success() + uses: actions/upload-artifact@v4 + with: + name: nupkg + path: build/output/*.nupkg + - if: ${{ failure() }} uses: elastic/apm-pipeline-library/.github/actions/slack-message@current with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 345c01f4..35a8cff3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
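Review bot: The new job-level `permissions` block in release-main.yml (`id-token: write`, `contents: write`) sets every scope it does not list to none for GITHUB_TOKEN, and the same job's push step in the third hunk publishes with `-k ${{secrets.GITHUB_TOKEN}}` to nuget.pkg.github.com, which requires `packages: write`. Unless something outside this patch grants that scope, the push now gets a 403 and the surrounding `until ... do echo "Retrying"; sleep 1; done;` loop retries until the job timeout rather than failing. I would extend the block to `permissions:` / `  id-token: write` / `  contents: write` / `  packages: write` after confirming what the push step needs. Whether release-main.yml also has a workflow-level `permissions` block is outside the hunk, but a job-level block overrides it for this job either way.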
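Review bot: `uses: github-early-access/generate-build-provenance@main` pins the step that signs the release artifacts to a mutable branch of an early-access repository, so whatever lands on that branch runs with this job's `id-token: write` token on every release; the identical line appears in release.yml's second hunk. The other actions in these hunks are pinned to tags (`actions/checkout@v4`, `hashicorp/vault-action@v3.0.0`), and for the provenance step a full commit SHA with a version comment is the stronger choice, e.g. `uses: github-early-access/generate-build-provenance@<full-commit-sha>  # <release-tag>` (placeholders). Minor: `subject-path` uses `${{ github.workspace }}/build/output/*.nupkg` while the artifact step in the next hunk refers to the same files as `build/output/*.nupkg`; one form for both would read consistently.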
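Review bot: `if: success()` on the new Store artifacts step is the implicit default condition for every step, so the line changes nothing; the same line is in release.yml's last hunk. Because the upload runs after the packages have been pushed, a push failure leaves no artifact behind under this condition; if the intent is to keep the attested `.nupkg` files for inspection in that case, the condition has to be `if: ${{ !cancelled() }}`, otherwise the line can simply be dropped.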
@@ -13,9 +13,10 @@ permissions: jobs: release: runs-on: ubuntu-latest - + permissions: + id-token: write steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Bootstrap Action Workspace uses: ./.github/workflows/bootstrap @@ -34,8 +35,13 @@ jobs: - name: Create or update release for tag on github run: ./build.sh createreleaseongithub -s true --token ${{ secrets.GITHUB_TOKEN }} + - name: generate build provenance + uses: github-early-access/generate-build-provenance@main + with: + subject-path: "${{ github.workspace }}/build/output/*.nupkg" + - name: Prepare Nuget - uses: hashicorp/vault-action@v2.4.2 + uses: hashicorp/vault-action@v3.0.0 with: url: ${{ secrets.VAULT_ADDR }} method: approle @@ -48,6 +54,13 @@ jobs: - name: Release to Nuget run: dotnet nuget push 'build/output/*.nupkg' -k ${REPO_API_KEY} -s ${REPO_API_URL} --skip-duplicate --no-symbols + - name: Store artifacts + if: success() + uses: actions/upload-artifact@v4 + with: + name: nupkg + path: build/output/*.nupkg + - if: ${{ success() }} uses: elastic/apm-pipeline-library/.github/actions/slack-message@current with:
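Review bot: Adding a job-level `permissions:` with only `id-token: write` to the release job in release.yml replaces the workflow-level `permissions:` block for this job (its key is visible as hunk context, its content is not), and every scope not listed here becomes none for GITHUB_TOKEN. The same job runs `./build.sh createreleaseongithub -s true --token ${{ secrets.GITHUB_TOKEN }}` (second hunk), which presumably needs `contents: write` to create or update a release; if that scope came from the workflow-level block it is now gone for this job. I would carry the required scopes into the job-level block, e.g. `permissions:` / `  id-token: write` / `  contents: write`, which is also what release-main.yml does in this patch.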