chrore(ci): added Release workflow + configs
Signed-off-by: manhtukhang <[email protected]>
manhtukhang committed Dec 4, 2024
1 parent 371996e commit 42653c2
Showing 9 changed files with 246 additions and 1 deletion.
15 changes: 14 additions & 1 deletion .github/workflows/_test-acceptance.tmpl.yaml
Expand Up @@ -20,6 +20,8 @@ jobs:
test:
name: 'Test plugin on Vault v${{ inputs.vault-version }} + Nexus Repository v${{ inputs.nxr-version }}'
runs-on: ubuntu-latest
permissions:
contents: write
steps:

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Expand All @@ -42,12 +44,23 @@ jobs:
file-install: false

- name: Download plugin from build
if: github.action_ref != 'v*'
if: github.ref_type != 'tag'
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: vault-plugin-secrets-nexus-repository
path: dist/bin

- name: Download plugin from release
if: github.ref_type == 'tag'
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VAULT_PLUGIN_DIR: ${{ inputs.vault-plugin-dir }}
run: |
set -euo pipefail
gh release download "$GITHUB_REF_NAME" -p "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64"
mkdir -p "${VAULT_PLUGIN_DIR}"
mv "vault-plugin-secrets-nexus-repository_${GITHUB_REF_NAME}_linux-amd64" "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository"
- name: Run test
shell: bash
env:
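Review bot: `contents: write` on the test job is broader than the visible steps need — `gh release download` only reads release assets, for which `contents: read` is sufficient, and the same write grant is mirrored onto the `test` jobs of test-acceptance.yaml and release.yaml in this commit; unless the remainder of the job (below the hunk) uploads to the release, `contents: read` in all three places keeps the plugin-testing job least-privileged. Separately, `actions/download-artifact` is documented not to preserve file permissions and the release-download path presumably behaves the same, so a `chmod +x "${VAULT_PLUGIN_DIR}/vault-plugin-secrets-nexus-repository"` after the `mv` is worth adding unless the Run test step already does it. The test job's steps continue past the end of the hunk.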
151 changes: 151 additions & 0 deletions .github/workflows/release.yaml
@@ -0,0 +1,151 @@
name: Release with SLSA

on:
# For manual tests.
workflow_dispatch:
push:
tags:
- "*" # triggers only if push new tag version, like `0.8.4`.
# Run daily as a dry-run/test.
schedule:
- cron: "0 1 * * *"

permissions: read-all

env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ISSUE_REPOSITORY: manhtukhang/vault-plugin-secrets-nexus-repository
# In case daily runs fail, the label for filing the issue
HEADER: release

jobs:
args:
runs-on: ubuntu-latest
outputs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
# - name: Generate SLSA Goreleaser config files
# run: |
# mkdir -p .slsa-goreleaser/
# for os in "linux windows darwin"; do
# for arch in "amd64 arm64"; do
# sed "s/__REPLACE_GOOS__/${os}; s/__REPLACE_GOARCH__/${arch}/g" .slsa-goreleaser.tmpl.yaml > ".slsa-goreleaser/${os}-${arch}.yaml"
# done
# done
# - name: Upload SLSA Goreleaser config files
# uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
# with:
# name: slsa-goreleaser
# path: slsa-goreleaser
# if-no-files-found: error
- name: Generate dynamic LDFlags
id: ldflags
run: |
echo "version=$(git describe --tags --always --dirty | cut -c2-)" >> "$GITHUB_OUTPUT"
build-provenance:
name: build-${{matrix.os}}-${{matrix.arch}}
needs: [ args ]
strategy:
matrix:
os:
- linux
- windows
- darwin
arch:
- amd64
- arm64
permissions:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # always use a tag @X.Y.Z for for slsa builders, not SHA!
with:
go-version-file: "go.mod"
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yaml
compile-builder: false
draft-release: true
evaluated-envs: "VERSION:${{needs.args.outputs.version}}, PROJECTNAME:vault-plugin-secrets-nexus-repository"

verification:
needs: [ build-provenance ]
runs-on: ubuntu-latest
permissions:
contents: write
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0

- name: Download assets
env:
GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
run: |
set -euo pipefail
gh release download "$GITHUB_REF_NAME" -p "$ARTIFACT"
gh release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
- name: Verify assets
env:
ARTIFACT: ${{ needs.build-provenance.outputs.go-binary-name }}
ATT_FILE_NAME: "${{ needs.build-provenance.outputs.go-binary-name }}.intoto.jsonl"
run: |
set -euo pipefail
echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
--source-uri "github.com/$GITHUB_REPOSITORY" \
--source-tag "$GITHUB_REF_NAME" \
"$ARTIFACT"
test:
needs: [ build-provenance ]
permissions:
contents: write
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
strategy:
matrix:
vault: [ "1.17.6", "1.18.2" ]
nexus: [ "3.73.0", "3.74.0" ]
uses: ./.github/workflows/_test-acceptance.tmpl.yaml
with:
vault-version: ${{ matrix.vault }}
nxr-version: ${{ matrix.nexus }}
vault-plugin-dir: ./dist/bin


if-succeed-publish-release:
needs: [ verification, test ]
permissions:
contents: write
runs-on: ubuntu-latest
if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0

- run: |
set -euo pipefail
PRE_RELEASE="false"
if [[ "${GITHUB_REF_NAME}" == "*-rc*" ]]; then
PRE_RELEASE="true"
fi
gh api --method POST \
-H "Accept: application/vnd.github+json" \
"/repos/${GITHUB_REPOSITORY}/releases/generate-notes" \
-f "tag_name=${GITHUB_REF_NAME}" | jq -r '.body' > release-notes.md
gh release edit "${GITHUB_REF_NAME}" --draft=false --prerelease="${PRE_RELEASE}" --notes-file=release-notes.md
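Review bot: The `verification` job checks only one of the six release assets: `needs.build-provenance.outputs.go-binary-name` is the output of a matrix job, which (as documented for matrix outputs) resolves to the value set by whichever matrix leg finished last, so the other five binaries are published by `if-succeed-publish-release` without ever having their provenance verified. Downloading every asset of the tag and verifying each binary against its own `.intoto.jsonl` closes that gap; a sketch is below, and it needs `needs: [ args, build-provenance ]` so the version is available. A second defect sits in the publish step: `[[ "${GITHUB_REF_NAME}" == "*-rc*" ]]` quotes the pattern, which makes `[[ == ]]` compare literally, so `PRE_RELEASE` is never `true` and rc tags are published as full releases; use `if [[ "${GITHUB_REF_NAME}" == *-rc* ]]; then`. Also worth a look: the `on.push.tags` comment describes tags like `0.8.4`, but `cut -c2-` in the `ldflags` step assumes a leading `v` and would turn such a tag into `.8.4`.

```yaml
  verification:
    needs: [ args, build-provenance ]
    # … unchanged: runs-on, permissions, if, checkout, verifier install …
      - name: Download and verify all release assets
        env:
          GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
          VERSION: ${{ needs.args.outputs.version }}
        run: |
          set -euo pipefail
          gh release download "$GITHUB_REF_NAME" -p "vault-plugin-secrets-nexus-repository_v${VERSION}_*"
          for artifact in vault-plugin-secrets-nexus-repository_v"${VERSION}"_*; do
            [[ "$artifact" == *.intoto.jsonl ]] && continue
            echo "Verifying $artifact using ${artifact}.intoto.jsonl"
            slsa-verifier verify-artifact --provenance-path "${artifact}.intoto.jsonl" \
              --source-uri "github.com/$GITHUB_REPOSITORY" \
              --source-tag "$GITHUB_REF_NAME" \
              "$artifact"
          done
```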
3 changes: 3 additions & 0 deletions .github/workflows/test-acceptance.yaml
Expand Up @@ -2,6 +2,7 @@ name: Acceptance Test

on:
push:
tags-ignore: '**'
pull_request:


Expand Down Expand Up @@ -48,6 +49,8 @@ jobs:
path: dist/bin
if-no-files-found: error
test:
permissions:
contents: write
needs: [ pre_job, build ]
strategy:
matrix:
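--- a/.slsa-goreleaser/darwin-amd64.yaml
+++ b/.slsa-goreleaser/darwin-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: darwin
+goarch: amd64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"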
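Review bot: The six `.slsa-goreleaser/*.yaml` files (this one plus darwin-arm64, linux-amd64, linux-arm64, windows-amd64 and windows-arm64) are identical except for `goos`/`goarch`, so any change to `main`, the ldflags or the `-X` import path must be repeated six times; the generator step left commented out in release.yaml was the right direction, but as written its `for os in "linux windows darwin"` loops iterate once over the whole quoted string and the first `sed` expression lacks its closing `/`. Also, `binary` and the `-X ...Version=` ldflag hard-code a `v` in front of `{{ .Env.VERSION }}`, which only produces a sane name because release.yaml strips a leading `v` from the tag with `cut -c2-` before passing it in; that coupling deserves a comment here, e.g. `# VERSION is the git tag without its leading "v"; the prefix is re-added below.`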
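--- a/.slsa-goreleaser/darwin-arm64.yaml
+++ b/.slsa-goreleaser/darwin-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: darwin
+goarch: arm64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"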
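--- a/.slsa-goreleaser/linux-amd64.yaml
+++ b/.slsa-goreleaser/linux-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: linux
+goarch: amd64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"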
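--- a/.slsa-goreleaser/linux-arm64.yaml
+++ b/.slsa-goreleaser/linux-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: linux
+goarch: arm64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"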
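--- a/.slsa-goreleaser/windows-amd64.yaml
+++ b/.slsa-goreleaser/windows-amd64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: windows
+goarch: amd64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"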
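--- a/.slsa-goreleaser/windows-arm64.yaml
+++ b/.slsa-goreleaser/windows-arm64.yaml
@@ -0,0 +1,13 @@
+version: 1
+env:
+- CGO_ENABLED=0
+goos: windows
+goarch: arm64
+binary: "vault-plugin-secrets-nexus-repository_v{{ .Env.VERSION }}_{{ .Os }}-{{ .Arch }}"
+main: "./src/cmd/vault-plugin-secrets-nexus-repository/main.go"
+flags:
+- -trimpath
+ldflags:
+- -s
+- -w
+- "-X github.com/manhtukhang/vault-plugin-secrets-nexus-repository.Version=v{{ .Env.VERSION }}"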
