Release 1.13.8 (#477) #13

name: create release on new tags
# This workflow is triggered by new version tags (e.g. "1.12.2" without leading "v") on the main
# branch.
# Tagging should be automatic after each merged PR release (see the build.yaml workflow).
# Alternatively, this workflow can be triggered by manually creating a tag on the main branch with
# the aforementioned format. Note that the tests are *not* run by this workflow, and that you
# should therefore apply caution before manually tagging the main branch in order to trigger it.
# This workflow contains a check that the tag matches the version set in
# ./pkg/chartverifier/version/version_info.json.
# In order to recreate a GitHub release and rebuild its associated assets, first the tag needs to
# be manually deleted (e.g `git tag --delete 1.12.2 && git push --delete origin 1.12.2`). The
# GitHub release that was created for this tag automatically turns into a "Draft" release and will
# need to be manually cleaned up, though it doesn't constitute a blocker for this workflow to run.
# Finally, as mentioned above, create a new tag (e.g. `git tag 1.12.2 && git push --tags`) to
# recreate the release.
# This workflow builds all release assets (the tarball and the container images), creates the
# Github release and attaches the tarball to it.
# Publish semver tags as releases.
tags: '[0-9]+.[0-9]+.[0-9]+'
IMAGE_NAME: chart-verifier
name: Create GitHub release
runs-on: ubuntu-latest
contents: write
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
go-version-file: go.mod
- name: Install cosign
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 #v3.5.0
cosign-release: 'v2.2.4'
- name: Print tag to GITHUB_OUTPUT
id: get_tag
run: |
echo "release_version=${GITHUB_REF#refs/*/}" | tee -a $GITHUB_OUTPUT
- name: Build binary and make tarball
id: build_bin
run: |
make bin
TARBALL_NAME="chart-verifier-${{ steps.get_tag.outputs.release_version }}.tgz"
tar -zcvf $TARBALL_NAME -C out/ chart-verifier
export TARBALL_PATH=$(realpath $TARBALL_NAME)
echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
- name: Check that the tag matches the current version
id: check_tag_and_version
run: |
release_version=${{ steps.get_tag.outputs.release_version }}
bin_version=$(out/chart-verifier version --as-data | jq -r .version)
if [[ "$release_version" != "$bin_version" ]]; then
echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
- name: Generate SBOM filename
id: generate_sbom_filename
run: echo sbom_filename="${{ }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
- name: Generate SBOM
continue-on-error: true
id: generate_sbom
uses: anchore/sbom-action@v0
# Setting path to null works around this bug:
path: null
file: go.mod
format: spdx-json
output-file: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
artifact-name: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
upload-release-assets: false
- name: Set up Python 3.x
uses: ./.github/actions/setup-python
- name: Set up Python scripts
run: |
# set up python requirements and scripts on PR branch
python3 -m venv ve1
cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
cd scripts && ../ve1/bin/pip3 install . && cd ..
- name: Generate release body
id: release_body
run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
- name: Create the release
id: create_release
uses: softprops/action-gh-release@v2
tag_name: ${{ steps.get_tag.outputs.release_version }}
body: ${{ steps.release_body.outputs.release_body }}
files: |
${{ steps.build_bin.outputs.tarball_path }}
${{ steps.generate_sbom_filename.outputs.sbom_filename }}
- name: Build container images
id: build_container_images
run: |
# Build podman images locally
make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }} IMAGE_REPO=${{ secrets.IMAGE_REGISTRY }}
podman tag \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Push to
id: push_to_quay
uses: redhat-actions/push-to-registry@v2
image: ${{ env.IMAGE_NAME }}
tags: |
${{ steps.get_tag.outputs.release_version }}
registry: ${{ secrets.IMAGE_REGISTRY }}
username: ${{ secrets.QUAY_BOT_USERNAME }}
password: ${{ secrets.QUAY_BOT_TOKEN }}
- name: Sign published image
id: sign-image
run: |
cosign sign \
--yes \
--registry-username ${{ secrets.QUAY_BOT_USERNAME }} \
--registry-password ${{ secrets.QUAY_BOT_TOKEN }} \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push_to_quay.outputs.digest }}
- name: Verify the image signature
run: |
cosign verify \
--certificate-identity${{ github.repository }}/.github/workflows/release.yaml@refs/tags/${{ steps.get_tag.outputs.release_version }} \
--certificate-oidc-issuer \
${{ secrets.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.get_tag.outputs.release_version }}