

chore(ci): added Release workflow + configs
Signed-off-by: manhtukhang <travis.khang@protonmail.com>
manhtukhang committed Dec 4, 2024
1 parent 371996e commit 52c1229
Showing 8 changed files with 292 additions and 1 deletion.
15 changes: 14 additions & 1 deletion .github/workflows/_test-acceptance.tmpl.yaml
Expand Up @@ -42,12 +42,25 @@ jobs:
file-install: false

- name: Download plugin from build
if: github.action_ref != 'v*'
if: github.ref_type != 'tag'
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: vault-plugin-secrets-nexus-repository
path: dist/bin

- name: Download plugin from release
if: github.ref_type == 'tag'
env:
# GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -euo pipefail
git remote -v
gh release list
gh release download "$GITHUB_REF_NAME" -p "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64"
mkdir -p "${VAULT_PLUGIN_DIR}"
mv "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64" "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository"
- name: Run test
shell: bash
env:
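Review bot: The new `Download plugin from release` step installs whatever asset is attached to the tag straight into `${VAULT_PLUGIN_DIR}` without checking the SLSA provenance the release workflow publishes next to it, so the acceptance test never distinguishes a verified build from a tampered asset; run `slsa-verifier verify-artifact --provenance-path "<asset>.intoto.jsonl" --source-uri "github.com/$GITHUB_REPOSITORY" --source-tag "$GITHUB_REF_NAME" "<asset>"` before the `mv`. The `-p` pattern assumes the asset is named `<project>_<tag>_linux-amd64`, which appears to hold only when the tag carries the `v` prefix the build config prepends to the version; on a mismatch `gh release download` fetches nothing and the step only fails at the `mv`, so an explicit `test -f` with a clear message would make the failure readable. `git remote -v` and `gh release list` look like leftover debugging and add release metadata to the job log for no benefit. Release assets are presumably downloaded without the executable bit, so a `chmod +x "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository"` after the `mv` is worth adding — confirm against how Vault loads the plugin. The `Run test` step continues past the end of the hunk.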
200 changes: 200 additions & 0 deletions .github/workflows/release.yaml
@@ -0,0 +1,200 @@
name: Release with SLSA

on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4`.
# Run daily as a dry-run/test.
schedule:
- cron: "0 1 * * *"

permissions: read-all

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: manhtukhang/vault-plugin-secrets-nexus-repository
# In case daily runs fail, the label for filing the issue
HEADER: release

jobs:
args:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# - name: Generate SLSA Goreleaser config files
# run: |
# mkdir -p .slsa-goreleaser/
# for os in "linux windows darwin"; do
# for arch in "amd64 arm64"; do
# sed "s/__REPLACE_GOOS__/${os}; s/__REPLACE_GOARCH__/${arch}/g" .slsa-goreleaser.tmpl.yaml > ".slsa-goreleaser/${os}-${arch}.yaml"
# done
# done
# - name: Upload SLSA Goreleaser config files
# uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
# with:
# name: slsa-goreleaser
# path: slsa-goreleaser
# if-no-files-found: error
- name: Generate dynamic LDFlags
id: ldflags
run: |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
build-provenance:
name: build-${{matrix.os}}-${{matrix.arch}}
needs: [ args ]
strategy:
matrix:
os:
- linux
# - windows
# - darwin
arch:
- amd64
# - arm64
permissions:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0 # always use a tag @X.Y.Z for for slsa builders, not SHA!
with:
go-version-file: "go.mod"
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yaml
compile-builder: false
draft-release: true
evaluated-envs: "VERSION:${{needs.args.outputs.version}}, PROJECTNAME:vault-plugin-secrets-nexus-repository"

verification:
needs: [ build-provenance ]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions: read-all
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

# - name: Install the verifier
# uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0

- name: Download assets
env:
#GH_TOKEN: ${{ github.token }}
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
run: |
set -euo pipefail
git remote -v
gh release list
gh release download "$GITHUB_REF_NAME" -p "$ARTIFACT"
gh release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
verification1:
needs: [ build-provenance ]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions: read-all
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

# - name: Install the verifier
# uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0

- name: Download assets
env:
#GH_TOKEN: ${{ github.token }}
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
run: |
set -euo pipefail
git remote -v
gh -R "$GITHUB_REPOSITORY" release list
verification-2:
needs: [ build-provenance ]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

# - name: Install the verifier
# uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0

- name: Download assets
env:
#GH_TOKEN: ${{ github.token }}
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
run: |
set -euo pipefail
git remote -v
gh release list
verification-22:
needs: [ build-provenance ]
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
permissions:
contents: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

# - name: Install the verifier
# uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0

- name: Download assets
env:
#GH_TOKEN: ${{ github.token }}
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
run: |
set -euo pipefail
git remote -v
gh release -R "$GITHUB_REPOSITORY" list
# - name: Verify assets
# env:
# ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
# ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
# run: |
# set -euo pipefail
#
# echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
# slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
# --source-uri "github.com/$GITHUB_REPOSITORY" \
# --source-tag "$GITHUB_REF_NAME" \
# "$ARTIFACT"
# test:
# needs: [ build-provenance ]
# if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
# strategy:
# matrix:
# vault: [ "1.17.6", "1.18.2" ]
# vault: [ "1.17.6", "1.18.2" ]
# nexus: [ "3.73.0", "3.74.0" ]
# vault: [ "1.17.6", "1.18.2" ]
# uses: ./.github/workflows/_test-acceptance.tmpl.yaml
# with:
# vault-version: ${{ matrix.vault }}
# nxr-version: ${{ matrix.nexus }}
# vault-plugin-dir: ./dist/bin
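Review bot: The provenance that `build-provenance` generates is never verified: the `Verify assets` step that would call `slsa-verifier verify-artifact` is commented out at the end of the file, and the four `verification*` jobs only run `gh release list` / `gh release download`, so a replaced release asset would pass this workflow unchanged; keep one verification job, re-enable the verifier installer and the `verify-artifact` step in it, and delete the other three. Two of those duplicates (`verification-2`, `verification-22`) also request `permissions: contents: write` for a job that only lists releases — `permissions: read-all` is enough for verification. The version derivation `git describe --tags --always --dirty | cut -c2-` strips the first character unconditionally, so a tag of the form `0.8.4` (the example given on the `tags` trigger) becomes `.8.4` and the binary is published as `..._v.8.4_...`, which will not match `$GITHUB_REF_NAME` downstream; use `sed 's/^v//'` instead and narrow the trigger to `- "v*"` so the two agree. The workflow-level `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` hands the repository token to every `run` step even though each step that needs it already sets it locally; dropping the global entry keeps the token scoped to the steps that use it.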
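--- a/.slsa-goreleaser/darwin-amd64.yaml
+++ b/.slsa-goreleaser/darwin-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: darwin
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"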
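--- a/.slsa-goreleaser/darwin-arm64.yaml
+++ b/.slsa-goreleaser/darwin-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: darwin
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"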
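--- a/.slsa-goreleaser/linux-amd64.yaml
+++ b/.slsa-goreleaser/linux-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: linux
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"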
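Review bot: `main:` is hard-coded to `./src/cmd/vault-plugin-secrets-nexus-repository/main.go` here while the five sibling configs use the templated `./src/cmd/{{ .Env.PROJECTNAME }}/main.go`; both resolve to the same path today because `PROJECTNAME` is fixed in the release workflow's `evaluated-envs`, but the inconsistency will surface the first time the name or layout changes. Use the templated form in this file too: `main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"`. Note that this is the only config the release matrix currently builds (the darwin, windows and arm64 entries are commented out), so the other five files are unexercised until those matrix entries are enabled.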
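--- a/.slsa-goreleaser/linux-arm64.yaml
+++ b/.slsa-goreleaser/linux-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: linux
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"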
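--- a/.slsa-goreleaser/windows-amd64.yaml
+++ b/.slsa-goreleaser/windows-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: windows
+goarch: amd64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"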
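--- a/.slsa-goreleaser/windows-arm64.yaml
+++ b/.slsa-goreleaser/windows-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: windows
+goarch: arm64
+binary: "{{ .Env.PROJECTNAME }}_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/{{ .Env.PROJECTNAME }}/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/{{ .Env.PROJECTNAME }}.Version=v{{ .Env.VERSION }}"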
