Merge pull request #2117 from atsign-foundation/update_enrollment_err… #36
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: promote_canary | |
| # Workflow to promote a canary release to production | |
| on: | |
| push: | |
| tags: | |
| - 'p*.*.*' | |
| workflow_dispatch: | |
| permissions: # added using https://github.com/step-security/secure-workflows | |
| contents: read | |
| jobs: | |
| # Add layer to canary secondary image with prod pubspec.yaml | |
| deploy_canary_secondary_to_prod_image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| digest: ${{ steps.docker_build_canary_to_prod.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| # Extract version for docker tag | |
| - name: Get version | |
| run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # Builds and pushes the secondary server image to docker hub. | |
| - name: Build and push secondary image for amd64 and arm64 | |
| id: docker_build_canary_to_prod | |
| uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
| with: | |
| push: true | |
| provenance: false | |
| file: tools/build_secondary/Dockerfile.canary_to_prod | |
| context: . | |
| tags: | | |
| atsigncompany/secondary:dess | |
| atsigncompany/secondary:latest | |
| atsigncompany/secondary:prod | |
| atsigncompany/secondary:prod-${{ env.VERSION }} | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64/v8 | |
| linux/arm/v7 | |
| prod_secondary_provenance: | |
| needs: [deploy_canary_secondary_to_prod_image] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| with: | |
| image: "atsigncompany/secondary" | |
| digest: ${{ needs.deploy_canary_secondary_to_prod_image.outputs.digest }} | |
| secrets: | |
| registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # Add layer to canary virtualenv image with prod pubspec.yaml | |
| deploy_canary_virtualenv_to_prod_image: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| outputs: | |
| digest: ${{ steps.docker_build_canary_to_vip.outputs.digest }} | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| # Extract version for docker tag | |
| - name: Get version | |
| run: echo "VERSION=${GITHUB_REF##*/}" >> $GITHUB_ENV | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
| - name: Login to DockerHub | |
| uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| # Builds and pushes the secondary server image to docker hub. | |
| - name: Build and push virtualenv image for amd64 and arm64 | |
| id: docker_build_canary_to_vip | |
| uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
| with: | |
| push: true | |
| file: tools/build_virtual_environment/ve/Dockerfile.canary_to_vip | |
| context: . | |
| tags: | | |
| atsigncompany/virtualenv:latest | |
| atsigncompany/virtualenv:vip | |
| atsigncompany/virtualenv:vip-${{ env.VERSION }} | |
| platforms: | | |
| linux/amd64 | |
| linux/arm64/v8 | |
| prod_virtualenv_provenance: | |
| needs: [deploy_canary_virtualenv_to_prod_image] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| if: startsWith(github.ref, 'refs/tags/') | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| with: | |
| image: "atsigncompany/virtualenv" | |
| digest: ${{ needs.deploy_canary_virtualenv_to_prod_image.outputs.digest }} | |
| secrets: | |
| registry-username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| registry-password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| get_canary_sboms: | |
| name: Get the Canary SBOMs | |
| runs-on: ubuntu-latest | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # IMPORTANT: mandatory for making GitHub Releases | |
| id-token: write # IMPORTANT: mandatory for sigstore | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get latest canary tag | |
| run: | | |
| CANARY=$(git tag --sort=-version:refname -l c*.*.* | head -1) | |
| echo ${CANARY} | |
| mkdir sboms | |
| cd sboms | |
| wget https://github.com/atsign-foundation/at_server/releases/download/${CANARY}/atserver_sbom.spdx.json | |
| wget https://github.com/atsign-foundation/at_server/releases/download/${CANARY}/atserver_sbom.cyclonedx.json | |
| sha256sum * > checksums.txt | |
| - name: Upload artifacts to GitHub Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| # Upload to GitHub Release using the `gh` CLI. | |
| run: >- | |
| gh release upload | |
| '${{ github.ref_name }}' sboms/** | |
| --repo '${{ github.repository }}' | |
| - id: hash | |
| name: Pass artifact hashes for SLSA provenance | |
| working-directory: sboms | |
| run: | | |
| echo "hashes=$(cat checksums.txt | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| - uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3 | |
| with: | |
| subject-path: 'sboms/**' | |
| sbom_provenance: | |
| needs: [get_canary_sboms] | |
| permissions: | |
| actions: read # Needed for detection of GitHub Actions environment. | |
| id-token: write # Needed for provenance signing and ID | |
| contents: write # Needed for release uploads | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 # 5a775b367a56d5bd118a224a811bba288150a563 | |
| with: | |
| base64-subjects: "${{ needs.get_canary_sboms.outputs.hashes }}" | |
| upload-assets: true |