-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
refactor(ci): allow release when provenance generation fails (#342)
* refactor(ci): allow release when provenance generation fails * chore(deps): update SLSA provenance generator GH Action
- Loading branch information
Showing
1 changed file
with
58 additions
and
19 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -75,23 +75,13 @@ jobs: | |
| permissions: | ||
| contents: read | ||
|
|
||
| # Generate the build provenance. The generator should be referenced with a semantic version. | ||
| # The build will fail if we reference it using the commit SHA. | ||
| provenance: | ||
| needs: build | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }} | ||
| permissions: | ||
| actions: read # To read the workflow path. | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To add assets to a release. | ||
|
|
||
| # Create a new Release on Github from the verified build artifacts, and optionally | ||
| # publish the artifacts to a PyPI server. | ||
| release: | ||
| needs: [build, provenance] | ||
| needs: [build] | ||
| name: Release | ||
| outputs: | ||
| release-tag: ${{ steps.upload-assets.outputs.release-tag }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write # To publish release notes. | ||
|
|
@@ -107,11 +97,6 @@ jobs: | |
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Download provenance | ||
| uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 | ||
| with: | ||
| name: ${{ needs.provenance.outputs.attestation-name }} | ||
|
|
||
| - name: Download artifact | ||
| uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 | ||
| with: | ||
|
|
@@ -133,18 +118,24 @@ jobs: | |
| uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5 # v4.2.0 | ||
| with: | ||
| python-version: '3.10' | ||
|
|
||
| - name: Set up Commitizen | ||
| run: | | ||
| pip install --upgrade pip wheel | ||
| pip install 'commitizen ==2.32.1' | ||
| - name: Create Release Notes | ||
| run: cz changelog --dry-run $(cz version --project) > RELEASE_NOTES.md | ||
|
|
||
| # Create the release including the artifacts and the SLSA L3 provenance. | ||
| - name: Upload assets | ||
| id: upload-assets | ||
| env: | ||
| GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }} | ||
| run: TAG=`git describe --tags --abbrev=0` && gh release create $TAG dist/* ${{ needs.provenance.outputs.attestation-name }} --title $TAG --notes-file RELEASE_NOTES.md | ||
| run: | | ||
| TAG=`git describe --tags --abbrev=0` | ||
| gh release create $TAG dist/* --title $TAG --notes-file RELEASE_NOTES.md | ||
| echo "release-tag=$TAG" >> $GITHUB_OUTPUT | ||
| # Uncomment the following steps to publish to a PyPI server. | ||
| # At the moment PyPI does not provide a mechanism to publish | ||
|
|
@@ -166,3 +157,51 @@ jobs: | |
| # TWINE_USERNAME=<USERNAME> | ||
| # TWINE_PASSWORD=<PASSWORD> | ||
| # TWINE_REPOSITORY_URL=<REPOSITORY_URL> | ||
|
|
||
| # Generate the build provenance. The generator should be referenced with a semantic version. | ||
| # The build will fail if we reference it using the commit SHA. To avoid using a pre-built | ||
| # provenance generator which depends on an external service Rekor (https://github.com/sigstore/rekor) | ||
| # we build this generator from source for now. For more information see this discussion: | ||
| # https://github.com/slsa-framework/slsa-github-generator/issues/942 | ||
| provenance: | ||
| needs: [build, release] | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
| with: | ||
| base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }} | ||
| compile-generator: true # Build the generator from source. | ||
| # Set private-repository to true for private repositories. Note that the repository name is | ||
| # uploaded as part of the transparency log entry on the public Rekor instance (rekor.sigstore.dev). | ||
| private-repository: false | ||
| permissions: | ||
| actions: read # To read the workflow path. | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To add assets to a release. | ||
|
|
||
| # Publish the SLSA provenance as the GitHub release asset. | ||
| publish_provenance: | ||
| needs: [release, provenance] | ||
| name: Publish provenance | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: write # To publish release notes. | ||
| steps: | ||
|
|
||
| - name: Harden Runner | ||
| uses: step-security/harden-runner@2e205a28d0e1da00c5f53b161f4067b052c61f34 # v1.5.0 | ||
| with: | ||
| egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | ||
|
|
||
| - name: Check out repository | ||
| uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3.0.2 | ||
| with: | ||
| fetch-depth: 0 | ||
|
|
||
| - name: Download provenance | ||
| uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 # v3.0.0 | ||
| with: | ||
| name: ${{ needs.provenance.outputs.attestation-name }} | ||
|
|
||
| - name: Upload provenance | ||
| run: gh release upload ${{ needs.release.outputs.release-tag }} ${{ needs.provenance.outputs.attestation-name }} | ||
| env: | ||
| GH_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }} | ||