
fix(release): don't attest archives (#1749) #168

fix(release): don't attest archives (#1749)


name: Build and Package
on:
push:
tags:
- "v*.*.*"
# https://github.com/ossf/scorecard/blob/7ed886f1bd917d19cb9d6ce6c10e80e81fa31c39/docs/checks.md#token-permissions
permissions:
contents: read
jobs:
test:
uses: chainloop-dev/chainloop/.github/workflows/test.yml@main
init_attestation:
runs-on: ubuntu-latest
needs: test
if: github.ref_type == 'tag' # Guard to make sure we are releasing once
outputs:
attestation_id: ${{ steps.init_attestation.outputs.attestation_id }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Install Chainloop
run: |
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
- name: Initialize Attestation
id: init_attestation
run: |
attestation_id=$(chainloop attestation init --workflow ${CHAINLOOP_WORKFLOW_NAME} --project ${CHAINLOOP_PROJECT_NAME} --release --remote-state -o json | jq -r .attestationID)
echo "attestation_id=$attestation_id" >> $GITHUB_OUTPUT
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
CHAINLOOP_WORKFLOW_NAME: "chainloop-vault-build-and-package"
CHAINLOOP_PROJECT_NAME: "chainloop"
release:
name: Release CLI and control-plane/artifact-cas container images
needs: init_attestation
runs-on: ubuntu-latest
if: github.ref_type == 'tag' # Guard to make sure we are releasing once
permissions:
contents: write # required for goreleaser to upload the release assets
packages: write # to push container images
pull-requests: write
env:
CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
ATTESTATION_ID: ${{ needs.init_attestation.outputs.attestation_id }}
steps:
- name: Install Cosign
uses: sigstore/cosign-installer@ef6a6b364bbad08abd36a5f8af60b595d12702f8 # main
with:
cosign-release: "v2.2.3"
- name: Install Chainloop
run: |
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Docker login to Github Packages
uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: "1.23.4"
# install qemu binaries for multiarch builds (needed by goreleaser/buildx)
- name: Setup qemu
id: qemu
uses: docker/setup-qemu-action@v3
- name: Install Syft
run: |
# Install Syft
wget --no-verbose https://raw.githubusercontent.com/anchore/syft/main/install.sh -O - | sh -s -- -b /usr/local/bin
- name: Run GoReleaser
id: release
uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # v3.2.0
with:
distribution: goreleaser
version: latest
args: release --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
POSTHOG_ENDPOINT: ${{ secrets.POSTHOG_ENDPOINT }}
- name: Attest GoReleaser outputs
id: attest_goreleaser
run: |
# goreleaser output resides in dist/artifacts.json
# Attest all built containers and manifests
images=$(cat dist/artifacts.json | jq -r '.[] | select(.type=="Docker Image" or .type=="Docker Manifest") | .path')
for entry in $images; do
syft -o cyclonedx-json=/tmp/sbom.cyclonedx.json $entry
chainloop attestation add --value $entry --kind CONTAINER_IMAGE --attestation-id ${{ env.ATTESTATION_ID }}
chainloop attestation add --value /tmp/sbom.cyclonedx.json --attestation-id ${{ env.ATTESTATION_ID }}
done
- name: Bump Chart and Dagger Version
run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
- name: Bump Project Version
run: .github/workflows/utils/bump-project-version.sh
- name: Create Pull Request
uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5.0.2
with:
commit-message: Bump Chart and Dagger Version ${{ github.ref_name }}
signoff: true
base: main
title: Bump Helm Chart and Dagger Version => ${{ github.ref_name }}
body: |
A new Chainloop release is available! Bumping Helm Chart reference and Dagger version to ${{ github.ref_name }}
labels: |
automated
helm
finish_attestation:
name: Finish Attestation
runs-on: ubuntu-latest
needs:
- init_attestation
- release
steps:
- name: Install Chainloop
run: |
curl -sfL https://docs.chainloop.dev/install.sh | bash -s
- name: Finish and Record Attestation
if: ${{ success() }}
run: |
chainloop attestation push --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
- name: Mark attestation as failed
if: ${{ failure() }}
run: |
chainloop attestation reset --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
- name: Mark attestation as cancelled
if: ${{ cancelled() }}
run: |
chainloop attestation reset --trigger cancellation --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
github-release:
needs: release
if: github.ref_type == 'tag' # Guard to make sure we are releasing once
uses: chainloop-dev/chainloop/.github/workflows/release.yaml@main
with:
tag: ${{ github.ref_name }}
secrets:
chainloop_token: ${{ secrets.CHAINLOOP_TOKEN }}
cosign_key: ${{ secrets.COSIGN_KEY }}
cosign_pass: ${{ secrets.COSIGN_PASSWORD }}
permissions:
packages: write
contents: write
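Review bot: The `finish_attestation` job has no job-level `if`, so when `release` fails or is cancelled the job is skipped by the default dependency rule and its "Mark attestation as failed" / "Mark attestation as cancelled" steps never run, leaving the attestation created by `init_attestation` open; the step-level `failure()` and `cancelled()` only observe earlier steps of the same job. Gating the job with `always()` plus a successful `init_attestation`, and keying the three steps on `needs.release.result`, makes the reset branches reachable (the attestation id is taken from `needs.init_attestation.outputs`, so the job must not run when that job was skipped). Separately, `docker/setup-qemu-action@v3` is the only action not pinned to a commit SHA like its neighbours, and the Chainloop and Syft installers are fetched unpinned and piped to a shell inside a job holding `COSIGN_KEY` and `CHAINLOOP_TOKEN`; pinning a version and verifying a checksum there would match the rest of the file. In the "Attest GoReleaser outputs" step, `--attestation-id "$ATTESTATION_ID"` (already exported in the job `env`) avoids interpolating `${{ env.ATTESTATION_ID }}` into the script body.
```yaml
  finish_attestation:
    name: Finish Attestation
    runs-on: ubuntu-latest
    needs:
      - init_attestation
      - release
    # Run even when release failed or was cancelled so the attestation is always closed out;
    # still requires init_attestation to have produced an id.
    if: ${{ always() && needs.init_attestation.result == 'success' }}
    steps:
      # … unchanged: Install Chainloop step …
      - name: Finish and Record Attestation
        if: ${{ needs.release.result == 'success' }}
        run: |
          chainloop attestation push --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
      - name: Mark attestation as failed
        if: ${{ needs.release.result == 'failure' || failure() }}
        run: |
          chainloop attestation reset --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
      - name: Mark attestation as cancelled
        if: ${{ needs.release.result == 'cancelled' || cancelled() }}
        run: |
          chainloop attestation reset --trigger cancellation --attestation-id ${{ needs.init_attestation.outputs.attestation_id }}
```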