terraform-provider: create release in provider repo on Constellation release (#2686)
* Create release in Terraform provider repo with provider binaries * Set target_commitish to input ref for easier release workflow * Rename release-cli workflow to draft-release * Update release guide --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
parent
138057a2ee
commit
22dcde86af
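--- a/.github/actions/download_release_binaries/action.yml
+++ b/.github/actions/download_release_binaries/action.yml
@@ -0,0 +1,60 @@
+name: Download release binaries
+description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline."
+
+runs:
+using: "composite"
+steps:
+- name: Download CLI binaries darwin-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: constellation-darwin-amd64
+
+- name: Download CLI binaries darwin-arm64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: constellation-darwin-arm64
+
+- name: Download CLI binaries linux-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: constellation-linux-amd64
+
+- name: Download CLI binaries linux-arm64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: constellation-linux-arm64
+
+- name: Download CLI binaries windows-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: constellation-windows-amd64
+
+- name: Download Terraform module
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-module
+
+- name: Download Terraform provider binary darwin-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-provider-constellation-darwin-amd64
+
+- name: Download Terraform provider binary darwin-arm64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-provider-constellation-darwin-arm64
+
+- name: Download Terraform provider binary linux-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-provider-constellation-linux-amd64
+
+- name: Download Terraform provider binary linux-arm64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-provider-constellation-linux-arm64
+
+- name: Download Terraform provider binary windows-amd64
+uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+with:
+name: terraform-provider-constellation-windows-amd64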
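Review bot: The last step downloads `terraform-provider-constellation-windows-amd64`, but the `build-terraform-provider` matrix added to the draft-release workflow in this same commit has its Windows entry commented out ("No Windows release until we have a test suite for it"), so as far as this commit shows no artifact of that name is uploaded. `actions/download-artifact` v3 fails the step when the named artifact does not exist, which would fail every job that calls this composite action (provenance, provenance verification and release). Drop the step until the Windows build is enabled, or comment it out with the same note as the matrix, e.g. `# - name: Download Terraform provider binary windows-amd64`.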
7
.github/workflows/build-binaries.yml
vendored
7
.github/workflows/build-binaries.yml
vendored
@ -42,6 +42,7 @@ jobs:
|
|||||||
disk_mapper: "//disk-mapper/cmd:disk-mapper_linux_amd64"
|
disk_mapper: "//disk-mapper/cmd:disk-mapper_linux_amd64"
|
||||||
measurement_reader: "//measurement-reader/cmd:measurement-reader_linux_amd64"
|
measurement_reader: "//measurement-reader/cmd:measurement-reader_linux_amd64"
|
||||||
cli: "//cli:all"
|
cli: "//cli:all"
|
||||||
|
terraform_provider: "//terraform-provider-constellation:all"
|
||||||
|
|
||||||
run: |
|
run: |
|
||||||
bazel build \
|
bazel build \
|
||||||
@ -51,7 +52,5 @@ jobs:
|
|||||||
"${cdbg}" \
|
"${cdbg}" \
|
||||||
"${disk_mapper}" \
|
"${disk_mapper}" \
|
||||||
"${measurement_reader}" \
|
"${measurement_reader}" \
|
||||||
"${cli}"
|
"${cli}" \
|
||||||
|
"${terraform_provider}"
|
||||||
- name: Build Terraform Provider Binary
|
|
||||||
uses: ./.github/actions/build_tf_provider
|
|
||||||
|
@ -1,4 +1,4 @@
|
|||||||
name: Build CLI and prepare release
|
name: Draft release
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
@ -109,6 +109,61 @@ jobs:
|
|||||||
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
|
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
|
||||||
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
|
build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig
|
||||||
|
|
||||||
|
build-terraform-provider:
|
||||||
|
runs-on: ubuntu-22.04
|
||||||
|
strategy:
|
||||||
|
fail-fast: false
|
||||||
|
matrix:
|
||||||
|
include:
|
||||||
|
- arch: amd64
|
||||||
|
os: linux
|
||||||
|
|
||||||
|
- arch: amd64
|
||||||
|
os: darwin
|
||||||
|
|
||||||
|
# No Windows release until we have a test suite for it
|
||||||
|
#- arch: amd64
|
||||||
|
# os: windows
|
||||||
|
|
||||||
|
- arch: arm64
|
||||||
|
os: linux
|
||||||
|
|
||||||
|
- arch: arm64
|
||||||
|
os: darwin
|
||||||
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
id: checkout
|
||||||
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
|
- name: Setup bazel
|
||||||
|
uses: ./.github/actions/setup_bazel_nix
|
||||||
|
with:
|
||||||
|
useCache: "false"
|
||||||
|
|
||||||
|
- name: Build Terraform Provider Binary
|
||||||
|
uses: ./.github/actions/build_tf_provider
|
||||||
|
with:
|
||||||
|
targetOS: ${{ matrix.os }}
|
||||||
|
targetArch: ${{ matrix.arch }}
|
||||||
|
|
||||||
|
- name: Upload Terraform Provider Binary as artifact (unix)
|
||||||
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
|
if : ${{ matrix.os != 'windows' }}
|
||||||
|
with:
|
||||||
|
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||||
|
path: |
|
||||||
|
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||||
|
|
||||||
|
- name: Upload Terraform Provider Binary as artifact (windows)
|
||||||
|
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
||||||
|
if : ${{ matrix.os == 'windows' }}
|
||||||
|
with:
|
||||||
|
name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
|
||||||
|
path: |
|
||||||
|
build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe
|
||||||
|
|
||||||
upload-terraform-module:
|
upload-terraform-module:
|
||||||
runs-on: ubuntu-22.04
|
runs-on: ubuntu-22.04
|
||||||
steps:
|
steps:
|
||||||
@ -160,44 +215,24 @@ jobs:
|
|||||||
- build-cli
|
- build-cli
|
||||||
- signed-sbom
|
- signed-sbom
|
||||||
- upload-terraform-module
|
- upload-terraform-module
|
||||||
|
- build-terraform-provider
|
||||||
outputs:
|
outputs:
|
||||||
provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }}
|
provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }}
|
||||||
steps:
|
steps:
|
||||||
- name: Download CLI binaries darwin-amd64
|
- name: Checkout
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
id: checkout
|
||||||
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||||
with:
|
with:
|
||||||
name: constellation-darwin-amd64
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Download CLI binaries darwin-arm64
|
- name: Download release binaries
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: ./.github/actions/download_release_binaries
|
||||||
with:
|
|
||||||
name: constellation-darwin-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-amd64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-arm64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries windows-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-windows-amd64
|
|
||||||
|
|
||||||
- name: Download CLI SBOM
|
- name: Download CLI SBOM
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
|
|
||||||
- name: Download Terraform module
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: terraform-module
|
|
||||||
|
|
||||||
- name: Generate provenance subjects
|
- name: Generate provenance subjects
|
||||||
id: provenance-subjects
|
id: provenance-subjects
|
||||||
run: |
|
run: |
|
||||||
@ -208,7 +243,12 @@ jobs:
|
|||||||
constellation-linux-arm64 \
|
constellation-linux-arm64 \
|
||||||
constellation-windows-amd64.exe \
|
constellation-windows-amd64.exe \
|
||||||
constellation.spdx.sbom \
|
constellation.spdx.sbom \
|
||||||
terraform-module.zip)
|
terraform-module.zip \
|
||||||
|
terraform-provider-constellation-darwin-amd64 \
|
||||||
|
terraform-provider-constellation-darwin-arm64 \
|
||||||
|
terraform-provider-constellation-linux-amd64 \
|
||||||
|
terraform-provider-constellation-linux-arm64)
|
||||||
|
# terraform-provider-constellation-windows-amd64.exe)
|
||||||
HASHESB64=$(echo "${HASHES}" | base64 -w0)
|
HASHESB64=$(echo "${HASHES}" | base64 -w0)
|
||||||
echo "${HASHES}"
|
echo "${HASHES}"
|
||||||
echo "${HASHESB64}"
|
echo "${HASHESB64}"
|
||||||
@ -291,42 +331,22 @@ jobs:
|
|||||||
- build-cli
|
- build-cli
|
||||||
- provenance
|
- provenance
|
||||||
- upload-terraform-module
|
- upload-terraform-module
|
||||||
|
- build-terraform-provider
|
||||||
steps:
|
steps:
|
||||||
- name: Download CLI binaries darwin-amd64
|
- name: Checkout
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
id: checkout
|
||||||
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||||
with:
|
with:
|
||||||
name: constellation-darwin-amd64
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Download CLI binaries darwin-arm64
|
- name: Download release binaries
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: ./.github/actions/download_release_binaries
|
||||||
with:
|
|
||||||
name: constellation-darwin-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-amd64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-arm64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries windows-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-windows-amd64
|
|
||||||
|
|
||||||
- name: Download CLI SBOM
|
- name: Download CLI SBOM
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
|
|
||||||
- name: Download Terraform module
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: terraform-module
|
|
||||||
|
|
||||||
- name: Download provenance
|
- name: Download provenance
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
@ -354,6 +374,23 @@ jobs:
|
|||||||
slsa-verifier verify-artifact constellation-windows-amd64.exe \
|
slsa-verifier verify-artifact constellation-windows-amd64.exe \
|
||||||
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
--source-uri github.com/edgelesssys/constellation
|
--source-uri github.com/edgelesssys/constellation
|
||||||
|
|
||||||
|
slsa-verifier verify-artifact terraform-provider-constellation-darwin-amd64 \
|
||||||
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
|
--source-uri github.com/edgelesssys/constellation
|
||||||
|
slsa-verifier verify-artifact terraform-provider-constellation-darwin-arm64 \
|
||||||
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
|
--source-uri github.com/edgelesssys/constellation
|
||||||
|
slsa-verifier verify-artifact terraform-provider-constellation-linux-amd64 \
|
||||||
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
|
--source-uri github.com/edgelesssys/constellation
|
||||||
|
slsa-verifier verify-artifact terraform-provider-constellation-linux-arm64 \
|
||||||
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
|
--source-uri github.com/edgelesssys/constellation
|
||||||
|
#slsa-verifier verify-artifact terraform-provider-constellation-windows-amd64.exe \
|
||||||
|
# --provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
|
# --source-uri github.com/edgelesssys/constellation
|
||||||
|
|
||||||
slsa-verifier verify-artifact constellation.spdx.sbom \
|
slsa-verifier verify-artifact constellation.spdx.sbom \
|
||||||
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
--provenance-path ${{ needs.provenance.outputs.provenance-name }} \
|
||||||
--source-uri github.com/edgelesssys/constellation
|
--source-uri github.com/edgelesssys/constellation
|
||||||
@ -370,38 +407,23 @@ jobs:
|
|||||||
- provenance
|
- provenance
|
||||||
- signed-sbom
|
- signed-sbom
|
||||||
- upload-terraform-module
|
- upload-terraform-module
|
||||||
|
- build-terraform-provider
|
||||||
steps:
|
steps:
|
||||||
|
- name: Checkout
|
||||||
|
id: checkout
|
||||||
|
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
|
||||||
|
with:
|
||||||
|
ref: ${{ inputs.ref || github.head_ref }}
|
||||||
|
|
||||||
- name: Write cosign public key
|
- name: Write cosign public key
|
||||||
run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub
|
||||||
env:
|
env:
|
||||||
COSIGN_PUBLIC_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
COSIGN_PUBLIC_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }}
|
||||||
|
|
||||||
- name: Download CLI binaries darwin-amd64
|
- name: Download binaries
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: ./.github/actions/download_release_binaries
|
||||||
with:
|
|
||||||
name: constellation-darwin-amd64
|
|
||||||
|
|
||||||
- name: Download CLI binaries darwin-arm64
|
- name: Download CLI SBOM
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-darwin-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-amd64
|
|
||||||
|
|
||||||
- name: Download CLI binaries linux-arm64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-linux-arm64
|
|
||||||
|
|
||||||
- name: Download CLI binaries windows-amd64
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: constellation-windows-amd64
|
|
||||||
|
|
||||||
- name: Download Constellation CLI SBOM
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
||||||
with:
|
with:
|
||||||
name: constellation.spdx.sbom
|
name: constellation.spdx.sbom
|
||||||
@ -416,22 +438,51 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
name: ${{ needs.provenance.outputs.provenance-name }}
|
name: ${{ needs.provenance.outputs.provenance-name }}
|
||||||
|
|
||||||
- name: Download Terraform module
|
|
||||||
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
|
|
||||||
with:
|
|
||||||
name: terraform-module
|
|
||||||
|
|
||||||
- name: Rename provenance file
|
- name: Rename provenance file
|
||||||
run: |
|
run: |
|
||||||
mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl
|
mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl
|
||||||
|
|
||||||
|
- name: Create Terraform provider release files
|
||||||
|
run: |
|
||||||
|
# Remove the "v" prefix from the version as required by the Terraform registry
|
||||||
|
version="${{ inputs.versionName }}"
|
||||||
|
version="${version#v}"
|
||||||
|
|
||||||
|
# Create a zip file with the Terraform provider binaries
|
||||||
|
for file in terraform-provider-constellation-*; do
|
||||||
|
# Special case for Windows binaries: They need to keep the .exe extension
|
||||||
|
ext="${file##*.}"
|
||||||
|
distribution_arch="${file#terraform-provider-constellation-}"
|
||||||
|
distribution_arch="${distribution_arch%.exe}"
|
||||||
|
folder_name="terraform-provider-constellation_${version}_${distribution_arch//-/_}"
|
||||||
|
|
||||||
|
mkdir -p "${folder_name}"
|
||||||
|
if [[ "${ext}" = "exe" ]]; then
|
||||||
|
cp "${file}" "${folder_name}/terraform-provider-constellation_${version}.exe"
|
||||||
|
else
|
||||||
|
cp "${file}" "${folder_name}/terraform-provider-constellation_${version}"
|
||||||
|
fi
|
||||||
|
zip -r "${folder_name}.zip" "${folder_name}"
|
||||||
|
rm -r "${folder_name}"
|
||||||
|
done
|
||||||
|
|
||||||
|
# Create a manifest file for the Terraform provider
|
||||||
|
echo '{"version":1,"metadata":{"protocol_versions":["6.0"]}}' > "terraform-provider-constellation_${version}_manifest.json"
|
||||||
|
|
||||||
|
# Create a SHA256SUMS file of the zip files and manifest, and sign it
|
||||||
|
shasum -a 256 "terraform-provider-constellation_${version}"* > "terraform-provider-constellation_${version}_SHA256SUMS"
|
||||||
|
echo "${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}" | gpg --import --batch --yes
|
||||||
|
gpg -u 3C75E56351F8F3F6 --batch --yes --detach-sign "terraform-provider-constellation_${version}_SHA256SUMS"
|
||||||
|
|
||||||
- name: Create release with artifacts
|
- name: Create release with artifacts
|
||||||
|
id: create-release
|
||||||
# GitHub endorsed release project. See: https://github.com/actions/create-release
|
# GitHub endorsed release project. See: https://github.com/actions/create-release
|
||||||
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
|
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
|
||||||
with:
|
with:
|
||||||
draft: true
|
draft: true
|
||||||
generate_release_notes: true
|
generate_release_notes: true
|
||||||
tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }}
|
tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }}
|
||||||
|
target_commitish: ${{ inputs.ref }}
|
||||||
files: |
|
files: |
|
||||||
constellation-*
|
constellation-*
|
||||||
cosign.pub
|
cosign.pub
|
||||||
@ -439,3 +490,17 @@ jobs:
|
|||||||
constellation.spdx.sbom.sig
|
constellation.spdx.sbom.sig
|
||||||
constellation.intoto.jsonl
|
constellation.intoto.jsonl
|
||||||
terraform-module.zip
|
terraform-module.zip
|
||||||
|
|
||||||
|
- name: Create Terraform provider release with artifcats
|
||||||
|
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
|
||||||
|
with:
|
||||||
|
draft: true
|
||||||
|
generate_release_notes: false
|
||||||
|
body: |
|
||||||
|
This release contains the Terraform provider binaries for Constellation ${{ inputs.versionName }}.
|
||||||
|
Check out [the release page](https://github.com/edgelesssys/constellation/releases/tag/${{ inputs.versionName }}) for more information and a full changelog.
|
||||||
|
token: ${{ secrets.CI_GITHUB_REPOSITORY }}
|
||||||
|
repository: edgelesssys/terraform-provider-constellation
|
||||||
|
tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }}
|
||||||
|
files: |
|
||||||
|
terraform-provider-constellation_*
|
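Review bot: In the `Create Terraform provider release files` step the GPG private key is expanded into the script text by `echo "${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}" | gpg --import --batch --yes`, so the key material ends up in the generated step script and any quote, `$` or backtick in it is interpreted by the shell. Pass it through the environment the way the `Write cosign public key` step in this file already does: add `env:` with `TERRAFORM_GPG_SIGNING_KEY: ${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}` and import with `echo "$TERRAFORM_GPG_SIGNING_KEY" | gpg --import --batch --yes`. The same applies to `version="${{ inputs.versionName }}"`, which places a workflow input directly into shell code; an `env` entry such as `VERSION_NAME: ${{ inputs.versionName }}` with `version="${VERSION_NAME#v}"` keeps it as data. Separately, the provenance subjects list only the raw provider binaries, so the zips, manifest and SHA256SUMS published to the provider repository are covered by the GPG signature alone; a comment in the step saying so would help whoever later documents verification for provider users.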
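--- a/.github/workflows/release-tf-provider.yml
+++ b/.github/workflows/release-tf-provider.yml
@@ -1,70 +0,0 @@
-name: Build Terraform provider and prepare release
-
-on:
-workflow_dispatch:
-inputs:
-ref:
-type: string
-description: "Git ref to checkout"
-required: false
-workflow_call:
-inputs:
-ref:
-type: string
-description: "Git ref to checkout"
-required: true
-
-jobs:
-build-tf-provider:
-runs-on: ubuntu-22.04
-strategy:
-fail-fast: false
-matrix:
-include:
-- arch: amd64
-os: linux
-
-- arch: amd64
-os: darwin
-
-- arch: amd64
-os: windows
-
-- arch: arm64
-os: linux
-
-- arch: arm64
-os: darwin
-steps:
-- name: Checkout
-id: checkout
-uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-with:
-ref: ${{ inputs.ref || github.head_ref }}
-
-- name: Setup bazel
-uses: ./.github/actions/setup_bazel_nix
-with:
-useCache: "false"
-
-- name: Build Terraform Provider Binary
-uses: ./.github/actions/build_tf_provider
-with:
-targetOS: ${{ matrix.os }}
-targetArch: ${{ matrix.arch }}
-
-- name: Upload Terraform Provider Binary as artifact (unix)
-uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-if : ${{ matrix.os != 'windows' }}
-with:
-name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
-path: |
-build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
-
-- name: Upload Terraform Provider Binary as artifact (windows)
-uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
-if : ${{ matrix.os == 'windows' }}
-with:
-name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}
-path: |
-build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe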
8
.github/workflows/release.yml
vendored
8
.github/workflows/release.yml
vendored
@ -253,10 +253,10 @@ jobs:
|
|||||||
git commit -m "attestation: hardcode measurements for ${VERSION}"
|
git commit -m "attestation: hardcode measurements for ${VERSION}"
|
||||||
git push
|
git push
|
||||||
|
|
||||||
draft-release-cli:
|
draft-release:
|
||||||
name: Draft release (CLI)
|
name: Draft release (CLI)
|
||||||
needs: [verify-inputs, update-hardcoded-measurements]
|
needs: [verify-inputs, update-hardcoded-measurements]
|
||||||
uses: ./.github/workflows/release-cli.yml
|
uses: ./.github/workflows/draft-release.yml
|
||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: read
|
||||||
contents: write
|
contents: write
|
||||||
@ -271,7 +271,7 @@ jobs:
|
|||||||
|
|
||||||
e2e-tests:
|
e2e-tests:
|
||||||
name: Run E2E tests
|
name: Run E2E tests
|
||||||
needs: [verify-inputs, draft-release-cli]
|
needs: [verify-inputs, draft-release]
|
||||||
uses: ./.github/workflows/e2e-test-release.yml
|
uses: ./.github/workflows/e2e-test-release.yml
|
||||||
permissions:
|
permissions:
|
||||||
checks: write
|
checks: write
|
||||||
@ -285,7 +285,7 @@ jobs:
|
|||||||
|
|
||||||
mini-e2e:
|
mini-e2e:
|
||||||
name: Run mini E2E tests
|
name: Run mini E2E tests
|
||||||
needs: [verify-inputs, draft-release-cli]
|
needs: [verify-inputs, draft-release]
|
||||||
uses: ./.github/workflows/e2e-mini.yml
|
uses: ./.github/workflows/e2e-mini.yml
|
||||||
permissions:
|
permissions:
|
||||||
checks: write
|
checks: write
|
||||||
|
@ -41,10 +41,10 @@ Releases should be performed using [the automated release pipeline](https://gith
|
|||||||
```
|
```
|
||||||
|
|
||||||
3. wait for the pipeline to finish
|
3. wait for the pipeline to finish
|
||||||
4. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: https://github.com/edgelesssys/helm/pull/19/files
|
4. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: <https://github.com/edgelesssys/helm/pull/19/files>
|
||||||
5. while in editing mode for the release, clear the textbox, select the last patch release for the current release branch and click "Generate release notes".
|
5. while in editing mode for the release, clear the textbox, select the last patch release for the current release branch and click "Generate release notes".
|
||||||
6. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this.
|
6. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this.
|
||||||
7. in the GitHub release UI, set the tag to create on publish to `$ver`.
|
7. in the GitHub release UI, make sure the tag to create on release is set to `$ver`, and the target commit is set to the temporary release branch.
|
||||||
8. publish.
|
8. publish.
|
||||||
|
|
||||||
### Minor release
|
### Minor release
|
||||||
@ -72,11 +72,11 @@ Releases should be performed using [the automated release pipeline](https://gith
|
|||||||
./constellation status
|
./constellation status
|
||||||
```
|
```
|
||||||
|
|
||||||
5. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: https://github.com/edgelesssys/helm/pull/19/files
|
5. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: <https://github.com/edgelesssys/helm/pull/19/files>
|
||||||
6. while in editing mode for the release, clear the textbox, select the last minor release and click "Generate release notes".
|
6. while in editing mode for the release, clear the textbox, select the last minor release and click "Generate release notes".
|
||||||
7. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this.
|
7. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this.
|
||||||
8. set the Target to `tmp/${ver}`
|
8. set the Target to `tmp/${ver}`
|
||||||
9. in the GitHub release UI, set the tag to create on publish to `$ver`.
|
9. in the GitHub release UI, make sure the tag to create on release is set to `$ver`, and the target commit is set to the temporary release branch.
|
||||||
10. publish.
|
10. publish.
|
||||||
|
|
||||||
## Post release steps
|
## Post release steps
|
||||||
|