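# Release workflow: when a version tag is pushed, publish a GitHub Release
# carrying an OpenVEX document and a signed tejolote provenance attestation.
name: Release
on:
  push:
    tags: ['v*.*.*']
# Workflow-wide default; the release job widens it explicitly below.
permissions:
  contents: read
jobs:
  release:
    env:
      # Context values reach shell steps through env rather than being
      # interpolated into `run:` text, so their contents are never parsed
      # as shell syntax (the tag name is filtered only by a glob).
      TAG: ${{ github.ref_name }}
      RUN_ID: ${{ github.run_id }}
    permissions:
      contents: write # Needed for creating and editing releases
      id-token: write # Needed for cosigning build attestation files with tejolote
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
        with:
          fetch-depth: 0 # full history; presumably required by the VEX/attestation tooling — confirm
      - name: Run vexctl
        # Pinned by commit SHA like the other actions, but the matching release
        # tag is not recorded; note it so the pin can be audited and updated.
        uses: openvex/generate-vex@31b415924ea0d72ed5f2640f1dee59dea6c2770b # TODO: record the corresponding tag
        with:
          product: pkg:generic/karpenter@${{ env.TAG }}
          file: karpenter.vex.json
      - name: Create Github Release
        uses: marvinpinto/action-automatic-releases@919008cf3f741b179569b7a6fb4d8860689ab7f0 # v1.2.1
        with:
          files: |
            karpenter.vex.json
          repo_token: "${{ secrets.GITHUB_TOKEN }}"
          prerelease: false
      - name: Install tejolote
        uses: kubernetes-sigs/release-actions/setup-tejolote@2f8b9ec22aedc9ce15039b6c7716aa6c2907df1c # v0.2.0
      - name: Run tejolote
        # Attest this run's artifacts for the release tag and sign the
        # statement; signing is what the job's id-token: write permission is for.
        run: |
          tejolote attest "github://kubernetes-sigs/karpenter/$RUN_ID" --artifacts "github://kubernetes-sigs/karpenter/$TAG" --output karpenter.intoto.json --sign
      - name: Add the tejolote provenance attestation to release
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh release upload "$TAG" karpenter.intoto.json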