reusable-release.yml
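---
# Reusable workflow that cuts a Sigstore release: it resolves the release tag,
# authenticates to Google Cloud through Workload Identity Federation and
# submits the repository's release/cloudbuild.yaml job to Cloud Build.
name: Cut Release

on:
  workflow_call:
    inputs:
      release_tag:
        required: false
        type: string
        description: 'Release tag. Will increment patch version if not specified.'
        default: ''
      key_ring:
        required: false
        type: string
        description: 'Key ring for cosign key'
        # Same value the Cloud Build submission previously hard-coded, so
        # existing callers keep signing with the same key ring.
        default: 'release-cosign'
      key_name:
        required: false
        type: string
        description: 'Key name for cosign key'
        default: 'cosign'
      workload_identity_provider:
        required: true
        type: string
        description: 'Workload identity provider to authenticate access.'
      service_account:
        required: true
        type: string
        description: 'Service account to run the release.'
      repo:
        required: true
        type: string
        description: 'The Sigstore repo to release.'

jobs:
  cut-release:
    name: Cut release
    runs-on: ubuntu-latest
    # Least privilege: id-token for the WIF exchange, contents read for checkout.
    permissions:
      id-token: write
      contents: read
    env:
      PROJECT_ID: 'projectsigstore'
      # Caller-supplied values are exposed through env and read by the shell,
      # not interpolated into `run:` text, so they cannot rewrite the command.
      RELEASE_TAG: ${{ inputs.release_tag }}
      REPO: ${{ inputs.repo }}
      KEY_RING: ${{ inputs.key_ring }}
      KEY_NAME: ${{ inputs.key_name }}
    steps:
      - name: Check actor access
        # Only this fixed allowlist of maintainers may cut a release; any other
        # actor fails the job before credentials are obtained.
        if: ${{ !contains( fromJson('["bobcallaway","cpanato","lukehinds","priyawadhwa","haydentherapper"]'), github.actor ) }}
        run: exit 1

      - name: Checkout out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: ./src/github.com/sigstore/${{ inputs.repo }}
          persist-credentials: false

      - name: Set release tag if not specified
        if: ${{ inputs.release_tag == '' }}
        # The repo is checked out under ./src/..., not the workspace root, so
        # the git commands must run from there.
        working-directory: ./src/github.com/sigstore/${{ inputs.repo }}
        # Explicit bash so `pipefail` applies to the pipeline below.
        shell: bash
        run: |
          set -euo pipefail
          git fetch --all --tags
          # Newest commit reachable from any tag (by commit order, not by
          # version ordering), then the tag name pointing at it.
          LATEST_COMMIT=$(git rev-list --tags --max-count=1)
          LATEST_TAG=$(git describe --tags --abbrev=0 "${LATEST_COMMIT}")
          # Bump the last dot-separated component, e.g. v1.2.3 -> v1.2.4.
          NEW_VERSION=$(echo "${LATEST_TAG}" | awk -F. '{$NF = $NF + 1;} 1' | sed 's/ /./g')
          echo "RELEASE_TAG=${NEW_VERSION}" >> "$GITHUB_ENV"

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
        with:
          workload_identity_provider: ${{ inputs.workload_identity_provider }}
          service_account: ${{ inputs.service_account }}

      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
        with:
          project_id: ${{ env.PROJECT_ID }}

      - name: Start cloudbuild job
        working-directory: ./src/github.com/sigstore/${{ inputs.repo }}
        # Folded scalar: rendered as one command line. Substitutions are quoted
        # so an unexpected character in a value cannot split the argument.
        run: >-
          gcloud builds submit --no-source --async
          --config release/cloudbuild.yaml
          --substitutions "_GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=${REPO},_STORAGE_LOCATION=${REPO}-releases,_KEY_RING=${KEY_RING},_KEY_NAME=${KEY_NAME},_GITHUB_USER=sigstore-bot"
          --project="${PROJECT_ID}"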