102 lines (84 loc) · 3.49 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
name: Publish Zarf Packages on Tag
on:
push:
tags:
- "v*"
jobs:
push-resources:
runs-on: ubuntu-latest
steps:
- name: "Dependency: Install Golang"
uses: actions/setup-go@v3
with:
go-version: 1.19.x
- name: "Dependency: Install cosign"
uses: sigstore/cosign-installer@v2.8.0
- name: "Dependency: Install Docker Buildx"
id: buildx
uses: docker/setup-buildx-action@v2
- name: "Dependency: Install Grype"
run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
- name: "Checkout Repo"
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: "Build CLI"
run: make build-cli-linux
- name: "Zarf Agent: Login to Docker Hub"
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: "Zarf Agent: Build and Publish the Image"
run: |
cp build/zarf build/zarf-linux-amd64 && cp build/zarf-arm build/zarf-linux-arm64
docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag defenseunicorns/zarf-agent:$GITHUB_REF_NAME .
- name: "Zarf Agent: Sign the Image"
run: cosign sign --key awskms:///${{ secrets.COSIGN_AWS_KMS_KEY }} -a release-engineer=https://github.com/${{ github.actor }} -a version=$GITHUB_REF_NAME defenseunicorns/zarf-agent:$GITHUB_REF_NAME
env:
COSIGN_EXPERIMENTAL: 1
AWS_REGION: ${{ secrets.COSIGN_AWS_REGION }}
AWS_ACCESS_KEY_ID: ${{ secrets.COSIGN_AWS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.COSIGN_AWS_ACCESS_KEY }}
# Builds init packages since GoReleaser won't handle this for us
- name: "Build init-packages For Release"
run: |
make init-package ARCH=amd64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
make init-package ARCH=arm64 AGENT_IMAGE=defenseunicorns/zarf-agent:$GITHUB_REF_NAME
- name: "Run Tests"
run: |
sudo env "PATH=$PATH" CI=true APPLIANCE_MODE=true make test-e2e ARCH=amd64
sudo chown $USER /tmp/zarf-*.log
- name: "Save test debug logs"
uses: actions/upload-artifact@v3
if: always()
with:
name: debug-log
path: /tmp/zarf-*.log
# Builds init packages since GoReleaser won't handle this for us
- name: "Create release time CVE report"
run: "make cve-report"
# Set up AWS credentials for GoReleaser to upload backups of artifacts to S3
- name: Set AWS Credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_GOV_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_GOV_SECRET_ACCESS_KEY }}
aws-region: us-gov-west-1
# Create the GitHub release notes, upload artifact backups to S3, publish homebrew recipe
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@v3
with:
distribution: goreleaser
version: latest
args: release --rm-dist
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN}}
HOMEBREW_TAP_GITHUB_TOKEN: ${{ secrets.ZARF_ORG_PROJECT_TOKEN }}
- name: "Save CVE report"
uses: actions/upload-artifact@v3
with:
name: cve-report
path: build/zarf-known-cves.csv
- name: "Cleanup"
run: sudo make destroy