
feat(workflows): Reusable workflow to attest GitHub Releases #18

Merged
merged 3 commits into from
May 30, 2024

Conversation

javirln
Member

@javirln javirln commented May 29, 2024

This creates a reusable workflow that automatically attests a GitHub release based on its content. It's possible to also pass additional materials to be added to the attestation. Additionally, it will try to create a workflow if it does not exist.

By default it will attest:

  • All assets within a GitHub Release
  • The source code in a .tar.gz

Required parameters:

  • API Token: Chainloop API token to perform the attestation
  • Cosign key and password: To sign the final attestation

Optional parameters:

  • Workflow name: Name of the target workflow to be attested
  • Project: Name of the project
  • Additional materials: Comma-separated list of values to be added to the attestation

Closes chainloop-dev/chainloop#844

@javirln javirln requested review from migmartri and jiparis May 29, 2024 14:46
@javirln javirln self-assigned this May 29, 2024
@javirln
Member Author

javirln commented May 29, 2024

Check if we can set a constraint to only use this workflow on release events.

@javirln
Member Author

javirln commented May 30, 2024

Example of input interpolation:
Given the following job:

```yaml
name: Release

on:
  pull_request:

permissions:
  contents: read

jobs:
  testing-echo:
    name: echo
    runs-on: ubuntu-latest
    outputs:
      additional_materials: ${{ steps.echo.outputs.additional_materials }}
    steps:
      - name: Echo
        id: echo
        # Write the comma-separated list as a single quoted value; nested quotes
        # only happened to work because the value contains no whitespace.
        run: |
          echo "additional_materials=ghcr.io/chainloop-dev/chainloop/control-plane:v0.88.0,ghcr.io/chainloop-dev/chainloop/artifact-cas:v0.88.0" >> "$GITHUB_OUTPUT"

  github_release:
    name: GitHub Release
    uses: ./.github/workflows/chainloop_github_release.yml
    needs: testing-echo
    with:
      project: "chainloop"
      workflow_name: "javi-github-release"
      additional_materials: ${{ needs.testing-echo.outputs.additional_materials }}
    secrets:
      api_token: ${{ secrets.CHAINLOOP_API_TOKEN }}
```

The additional_materials variable has been passed correctly:
Screenshot 2024-05-30 at 07 56 33
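The two things a caller of this workflow most easily gets wrong are the `additional_materials` value written to `$GITHUB_OUTPUT` and running the attestation on a non-release event (the open question above). Below is an added example, not part of this PR or of the chainloop_github_release.yml workflow, of a small validation step a caller job could run before handing the list over; the function names and the pinning rule (tag or sha256 digest required) are my own assumptions.

```bash
#!/usr/bin/env bash
# Added example (not project code): validate the additional_materials list and
# the triggering event before calling the reusable release-attestation workflow.
set -euo pipefail

# Accept only OCI references pinned by tag (name:tag) or digest (name@sha256:...).
# Rejects empty entries and entries containing whitespace. Caveat: a registry
# with a port but no tag (localhost:5000/img) would pass the tag check.
validate_materials() {
  local list="$1" item
  local -a items
  [ -n "$list" ] || { echo "additional_materials is empty" >&2; return 1; }
  IFS=',' read -r -a items <<< "$list"
  for item in "${items[@]}"; do
    case "$item" in
      ""|*" "*|*"	"*) echo "invalid material: '$item'" >&2; return 1 ;;
      *@sha256:*) ;;   # digest-pinned, preferred
      *:*) ;;          # tag-pinned
      *) echo "unpinned material (no tag or digest): $item" >&2; return 1 ;;
    esac
  done
}

# Guard for the release-only constraint discussed in this thread: GITHUB_EVENT_NAME
# is set by the runner; assumed value for the release trigger is "release".
require_release_event() {
  [ "${GITHUB_EVENT_NAME:-}" = "release" ] || {
    echo "refusing to attest: event is '${GITHUB_EVENT_NAME:-unset}', not release" >&2
    return 1
  }
}

# Write the validated list as one key=value line. Second argument overrides the
# output file (defaults to $GITHUB_OUTPUT, or stdout when run locally).
emit_output() {
  local list="$1" out="${2:-${GITHUB_OUTPUT:-/dev/stdout}}"
  validate_materials "$list"
  printf 'additional_materials=%s\n' "$list" >> "$out"
}
```

Run locally with `GITHUB_EVENT_NAME=release emit_output "ghcr.io/org/img:v1"` to see the exact line the job would append.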

@migmartri
Member

I'd appreciate if you can mark the PR as draft while you do testing/add changes. I am not sure if I should review this now or wait.

Thanks!

Signed-off-by: Javier Rodriguez <[email protected]>
@javirln
Member Author

javirln commented May 30, 2024

> I'd appreciate if you can mark the PR as draft while you do testing/add changes. I am not sure if I should review this now or wait.
>
> Thanks!

It can be reviewed.

Signed-off-by: Javier Rodriguez <[email protected]>
@javirln javirln merged commit fe6a2af into main May 30, 2024
@javirln javirln deleted the feat/844-new branch May 30, 2024 07:57
Successfully merging this pull request may close these issues.

Make it a reusable workflow, implement it and document it