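# Reusable workflow that cuts a Sigstore release by submitting the target
# repo's release/cloudbuild.yaml to Cloud Build. Callers supply the repo,
# the Workload Identity binding and optionally the tag; when no tag is
# given, the patch component of the newest tag in the checkout is bumped.
name: Cut Release

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader accepts it as-is.
on:
  workflow_call:
    inputs:
      release_tag:
        required: false
        type: string
        description: 'Release tag. Will increment patch version if not specified.'
        default: ''
      key_ring:
        required: false
        type: string
        description: 'Key ring for cosign key'
        # Defaults match the values that were previously hard-coded into the
        # Cloud Build substitutions, so existing callers see no change.
        default: 'release-cosign'
      key_name:
        required: false
        type: string
        description: 'Key name for cosign key'
        default: 'cosign'
      workload_identity_provider:
        required: true
        type: string
        description: 'Workload identity provider to authenticate access.'
      service_account:
        required: true
        type: string
        description: 'Service account to run the release.'
      repo:
        required: true
        type: string
        description: 'The Sigstore repo to release.'

jobs:
  cut-release:
    name: Cut release
    runs-on: ubuntu-latest
    # id-token is required for Workload Identity Federation; nothing in this
    # job writes to the repository, so contents stays read-only.
    permissions:
      id-token: write
      contents: read
    env:
      PROJECT_ID: 'projectsigstore'
      # Overridden via $GITHUB_ENV by the "Set release tag" step when empty.
      RELEASE_TAG: ${{ inputs.release_tag }}
      # Caller-controlled inputs reach shell steps only through environment
      # variables, never as `${{ }}` expressions spliced into a `run:` script,
      # so a crafted value cannot alter the command line.
      REPO: ${{ inputs.repo }}
      KEY_RING: ${{ inputs.key_ring }}
      KEY_NAME: ${{ inputs.key_name }}
    steps:
      # Only the listed maintainers may run this workflow; anyone else fails
      # the job before any credentials are minted.
      - name: Check actor access
        if: ${{ !contains( fromJson('["bobcallaway","cpanato","lukehinds","priyawadhwa","haydentherapper"]'), github.actor ) }}
        run: exit 1

      - name: Check out repo
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          path: ./src/github.com/sigstore/${{ inputs.repo }}

      - name: Set release tag if not specified
        if: ${{ inputs.release_tag == '' }}
        # The checkout lives in a sub-path, so the git commands below must
        # run there rather than in the (non-repo) workspace root.
        working-directory: ./src/github.com/sigstore/${{ inputs.repo }}
        run: |
          # -u turns a reference to an unset variable into a hard failure
          # instead of silently producing an empty (and wrong) tag.
          set -euo pipefail
          git fetch --all --tags
          # Newest tagged commit, then the tag that points at it.
          # NOTE(review): this picks the most recent commit, not the highest
          # version; the two coincide on a linear release history.
          LATEST_DIGEST=$(git rev-list --tags --max-count=1)
          LATEST_TAG=$(git describe --tags "${LATEST_DIGEST}")
          # Increment the last dot-separated component (patch) of the tag.
          NEW_VERSION=$(echo "${LATEST_TAG}" | awk -F. -v OFS=. '{$NF = $NF + 1} 1')
          echo "RELEASE_TAG=${NEW_VERSION}" >> "${GITHUB_ENV}"

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@8254fb75a33b976a221574d287e93919e6a36f70 # v2.1.6
        with:
          workload_identity_provider: ${{ inputs.workload_identity_provider }}
          service_account: ${{ inputs.service_account }}

      - name: Setup gcloud
        uses: google-github-actions/setup-gcloud@f0990588f1e5b5af6827153b93673613abdc6ec7 # v2.1.1
        with:
          project_id: ${{ env.PROJECT_ID }}

      - name: Start cloudbuild job
        working-directory: ./src/github.com/sigstore/${{ inputs.repo }}
        run: |
          set -euo pipefail
          # Never submit a build with an empty _GIT_TAG; fail loudly instead.
          if [ -z "${RELEASE_TAG}" ]; then
            echo "RELEASE_TAG is empty; refusing to start the release build" >&2
            exit 1
          fi
          gcloud builds submit --no-source --async \
            --config release/cloudbuild.yaml \
            --substitutions "_GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=${REPO},_STORAGE_LOCATION=${REPO}-releases,_KEY_RING=${KEY_RING},_KEY_NAME=${KEY_NAME},_GITHUB_USER=sigstore-bot" \
            --project="${PROJECT_ID}"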