refactor publish-release action to install only or run it with options

Signed-off-by: cpanato <ctadeu@gmail.com>
kubernetes-sigs · Apr 19, 2024 · eb875a3 · eb875a3
1 parent 2991384
commit eb875a3
Show file tree

Hide file tree

Showing 6 changed files with 309 additions and 104 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+---
 version: 2
 updates:
   # CI workflows
@@ -41,3 +42,10 @@ updates:
     schedule:
       interval: "daily"
     open-pull-requests-limit: 10
+
+  # publish-release
+  - package-ecosystem: "github-actions"
+    directory: "/publish-release"
+    schedule:
+      interval: "daily"
+    open-pull-requests-limit: 10
diff --git a/.github/workflows/test-publish-release.yaml b/.github/workflows/test-publish-release.yaml
@@ -0,0 +1,144 @@
+# Copyright 2024 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: test-publish-release-action
+
+on:
+  pull_request:
+  push:
+    branches:
+      - 'main'
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
+    outputs:
+      pr: ${{ steps.filter.outputs.pr }}
+
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
+        id: filter
+        with:
+          filters: |
+            pr:
+              - 'publish-release/**'
+              - '.github/workflows/test-publish-release.yaml'
+
+  test_publish_release_action:
+    needs: changes
+    if: ${{ needs.changes.outputs.pr == 'true' }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os:
+          - macos-latest
+          - ubuntu-latest
+
+    permissions: {}
+
+    name: Install publish-release and test presence in path
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install publish-release
+        uses: ./publish-release
+        with:
+          install-only: 'true'
+      - name: Check install!
+        run: publish-release help
+      - name: Check root directory
+        run: |
+          if [[ $(git diff --stat) != '' ]]; then
+            echo 'should be clean'
+            exit 1
+          else
+            exit 0
+          fi
+        shell: bash
+
+  test_publish_release_action_custom_dir_root:
+    runs-on: ubuntu-latest
+    needs: changes
+    if: ${{ needs.changes.outputs.pr == 'true' }}
+    permissions: {}
+    name: Install Custom publish-release and test presence in path with custom root dir
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install publish-release
+        uses: ./publish-release
+        with:
+          install-only: 'true'
+          install-dir: /usr/bin
+          use-sudo: true
+      - name: Check install!
+        run: publish-release help
+      - name: Check install dir!
+        run: |
+          [[ $(dirname "$(which publish-release)") == /usr/bin ]]
+        shell: bash
+      - name: Check root directory
+        run: |
+          [[ -z $(git diff --stat) ]]
+        shell: bash
+
+  test_publish_release_action_custom_dir:
+    runs-on: ${{ matrix.os }}
+    needs: changes
+    if: ${{ needs.changes.outputs.pr == 'true' }}
+    strategy:
+      matrix:
+        os:
+          - macos-latest
+          - ubuntu-latest
+    permissions: {}
+    name: Install Custom path publish-release and test presence in path
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install publish-release
+        uses: ./publish-release
+        with:
+          install-only: 'true'
+          install-dir: "$HOME/.prtest"
+      - name: Check install!
+        run: publish-release help
+      - name: Check install dir!
+        run: |
+          [[ $(dirname "$(which publish-release)") == "$HOME/.prtest" ]]
+        shell: bash
+      - name: Check root directory
+        run: |
+          [[ -z $(git diff --stat) ]]
+        shell: bash
+
+  test_publish_release_action_wrong:
+    runs-on: ${{ matrix.os }}
+    needs: changes
+    if: ${{ needs.changes.outputs.pr == 'true' }}
+    strategy:
+      matrix:
+        os:
+          - macos-latest
+          - ubuntu-latest
+    permissions: {}
+    name: Try to install a wrong publish-release
+    steps:
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+      - name: Install publish-release
+        uses: ./publish-release
+        with:
+          install-only: 'true'
+          publish-release-version: 'honk'
+        continue-on-error: true
diff --git a/publish-release/README.md b/publish-release/README.md
@@ -1,13 +1,13 @@
 # publish-release
 
-This action is designed to run when a repository gets tagged. It uses 
-[`publish-release github`](https://github.com/kubernetes/release/tree/master/cmd/publish-release) 
+This action is designed to run when a repository gets tagged. It uses
+[`publish-release github`](https://github.com/kubernetes/release/tree/master/cmd/publish-release)
 to create a new release on GitHub. The action can upload assets to the
 releases page and automatically create an SBOM.
 
 ## Example Release Cut
 
-Please note that `publish-release` uses the Kubernetes release tooling, this 
+Please note that `publish-release` uses the Kubernetes release tooling, this
 means that it will look for a tag following [semantic versioning](https://semver.org/)
 (eg v1.2.3).
 
@@ -38,3 +38,18 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 ```
 
+### Optional Inputs
+
+The following optional inputs:
+
+| Input | Description |
+| --- | --- |
+| `publish-release-version` | `publish-release` version to use instead of the default. |
+| `install-dir` | directory to place the `bom` binary into instead of the default (`$HOME/.publish-release`). |
+| `use-sudo` | set to `true` if `install-dir` location requires sudo privs. Defaults to false. |
+| `install-only` | set to `true` if need only install `publish-release` binary. Defaults to false. |
+| `assets` | Assets to upload to the release page. |
+| `draft` | Mark the release as draft. Defaults to false. |
+| `sbom` | Generate an SBOM from the code. Defaults to true. |
+| `template` | Release template file. |
+| `name` | Name for the release. |
diff --git a/publish-release/action.yaml b/publish-release/action.yaml
@@ -20,24 +20,36 @@ branding:
   color: 'blue'
 
 inputs:
+  publish-release-version:
+    description: 'publish-release version to be installed'
+    required: false
+    default: '0.16.8'
+  install-only:
+    description: "Only install publish-release binary"
+    required: false
+    default: 'false'
+  install-dir:
+    description: 'Where to install the publish-release binary'
+    required: false
+    default: '$HOME/.publish-release'
+  use-sudo:
+    description: 'set to true if install-dir location requires sudo privs'
+    required: false
+    default: 'false'
   assets:
     description: "Assets to upload to the release page (see readme)."
-    type: string
     required: false
   draft:
     description: "Mark the release as draft"
-    type: boolean
     required: false
-    default: false
+    default: 'false'
   sbom:
     description: "Generate an SBOM from the code"
-    type: boolean
     required: false
-    default: true
+    default: 'true'
   template:
     description: "Release template file"
     required: false
-
   name:
     description: "Name for the release"
     required: false
@@ -52,16 +64,133 @@ inputs:
 runs:
   using: "composite"
   steps:
-    - name: Check out code onto GOPATH
-      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.0.2
+    - uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
+      with:
+        install-dir: ${{ inputs.install-dir }}
+        use-sudo: ${{ inputs.use-sudo }}
 
-    # Go is required to compute dependencies
+    # if requested to install from go install
     - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v3.3.0
+      if: ${{ inputs.publish-release-version == 'main' }}
       with:
-        go-version: '1.21'
+        go-version: '1.22'
         check-latest: true
+        cache: false
+
+    - shell: bash
+      run: |
+        #!/bin/bash
+        # publish-release install script
+        shopt -s expand_aliases
+        if [ -z "$NO_COLOR" ]; then
+          alias log_info="echo -e \"\033[1;32mINFO\033[0m:\""
+          alias log_error="echo -e \"\033[1;31mERROR\033[0m:\""
+        else
+          alias log_info="echo \"INFO:\""
+          alias log_error="echo \"ERROR:\""
+        fi
+        set -e
+
+        mkdir -p ${{ inputs.install-dir }}
+
+        if [[ ${{ inputs.publish-release-version }} == "main" ]]; then
+          log_info "installing publish-release via 'go install' from its main version"
+          GOBIN=$(go env GOPATH)/bin
+          go install k8s.io/release/cmd/publish-release@master
+          ln -s $GOBIN/publish-release ${{ inputs.install-dir}}/publish-release
+          exit 0
+        fi
+
+        trap "popd >/dev/null" EXIT
+
+        pushd ${{ inputs.install-dir }} > /dev/null
+        publish_release_executable_name='publish-release'
+        case ${{ runner.os }} in
+          Linux)
+            case ${{ runner.arch }} in
+              X64)
+                desired_publish_release_filename='publish-release-amd64-linux'
+                ;;
+
+              ARM64)
+                desired_publish_release_filename='publish-release-arm64-linux'
+                ;;
+
+              *)
+                log_error "unsupported architecture $arch"
+                exit 1
+                ;;
+            esac
+            ;;
+
+          macOS)
+            case ${{ runner.arch }} in
+              X64)
+                desired_publish_release_filename='publish-release-amd64-darwin'
+                ;;
+
+              ARM64)
+                desired_publish_release_filename='publish-release-arm64-darwin'
+                ;;
+
+              *)
+                log_error "unsupported architecture $arch"
+                exit 1
+                ;;
+            esac
+            ;;
+
+          *)
+            log_error "unsupported architecture $arch"
+            exit 1
+            ;;
+        esac
+
+        SUDO=
+        if "${{ inputs.use-sudo }}" == "true" && command -v sudo >/dev/null; then
+          SUDO=sudo
+        fi
+
+        semver='^([0-9]+\.){0,2}(\*|[0-9]+)$'
+        if [[ ${{ inputs.publish-release-version }} =~ $semver ]]; then
+          log_info "Custom publish-release version '${{ inputs.publish-release-version }}' requested"
+        else
+          log_error "Unable to validate requested publish-release version: '${{ inputs.publish-release-version }}'"
+          exit 1
+        fi
+
+        # Download custom publish-release
+        log_info "Downloading platform-specific version '${{ inputs.publish-release-version }}' of publish-release...\n      https://github.com/kubernetes/release/releases/download/v${{ inputs.publish-release-version }}/${desired_publish_release_filename}"
+        $SUDO curl -sL https://github.com/kubernetes/release/releases/download/v${{ inputs.publish-release-version }}/${desired_publish_release_filename} -o ${publish_release_executable_name}
+
+        PUBLISH_RELEASE_CERT=https://github.com/kubernetes/release/releases/download/v${{ inputs.publish-release-version }}/${desired_publish_release_filename}.pem
+        PUBLISH_RELEASE_SIG=https://github.com/kubernetes/release/releases/download/v${{ inputs.publish-release-version }}/${desired_publish_release_filename}.sig
+
+        log_info "Using cosign to verify signature of desired publish-release version"
+        cosign verify-blob --certificate $PUBLISH_RELEASE_CERT --signature $PUBLISH_RELEASE_SIG \
+          --certificate-identity "https://github.com/kubernetes/release/.github/workflows/release.yml@refs/tags/v${{ inputs.publish-release-version }}" \
+          --certificate-oidc-issuer "https://token.actions.githubusercontent.com" ${publish_release_executable_name}
+        retVal=$?
+        if [[ $retVal -eq 0 ]]; then
+          $SUDO chmod +x ${publish_release_executable_name}
+          log_info "Installation complete!"
+        else
+          log_error "Unable to validate publish-release version: '${{ inputs.publish-release-version }}'"
+          exit 1
+        fi
+
+    - if: ${{ runner.os == 'Linux' || runner.os == 'macOS' }}
+      run: echo "${{ inputs.install-dir }}" >> $GITHUB_PATH
+      shell: bash
+
+    - if: ${{ inputs.install-only == 'true' }}
+      run: |
+        echo "Install only requested, installed!"
+        exit 0
+      shell: bash
 
     - shell: bash
+      if: ${{ inputs.install-only == 'false' }}
       run: |
         #!/usr/bin/env bash