
name: Release

# This run variant fires on every push; the release / manual-dispatch
# triggers the workflow normally uses are left commented out below.
on:  # yamllint disable-line rule:truthy
  push:
  # release:
  #   types:
  #     - released
  # workflow_dispatch:
  #   inputs:
  #     tag_name:
  #       description: "Tag to release"
  #       required: true

# Workflow-wide default for GITHUB_TOKEN; jobs that need more declare it
# themselves at job level.
permissions:
  contents: read
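jobs:
  image:
    runs-on: ubuntu-24.04
    name: Build release image
    # Job-scoped grants beyond the workflow default: push to GHCR, request an
    # OIDC token for Sigstore signing, and write attestations.
    permissions:
      contents: read
      packages: write
      id-token: write
      attestations: write
    environment:
      name: dockerhub
      # Stray quote characters dropped from the query value; they were part of
      # the URL as written.
      url: https://hub.docker.com/r/danielflook/terraform-github-actions-dev/tags?name=test
    outputs:
      # Manifest-list digest of the pushed image, consumed by the `actions` job.
      digest: ${{ steps.image_build.outputs.digest }}
    steps:
      # The actions below are pinned to mutable major tags; pinning to a full
      # commit SHA would remove the dependency on tag integrity.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Check action documentation is up-to-date
        run: |
          PYTHONPATH=docs-gen python3 docs-gen/generate.py
          git diff --exit-code

      - name: Registry login
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          DOCKER_TOKEN: ${{ secrets.DOCKER_TOKEN }}
        # Tokens are fed on stdin so they never appear on a command line.
        run: |
          echo "$GITHUB_TOKEN" | docker login ghcr.io --username dflook --password-stdin
          echo "$DOCKER_TOKEN" | docker login --username danielflook --password-stdin

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build action image
        id: image_build
        env:
          # This run variant hard-codes the tag. VERSION below strips the first
          # character, so real releases are expected to carry a leading "v".
          RELEASE_TAG: "test.0.0"
          GH_TOKEN: ${{ github.token }}
        # An explicit bash shell enables pipefail: a failing
        # `imagetools inspect` now aborts the step instead of leaving BASE_TAG
        # or BASE_DIGEST empty/"null" (the assignment's status is jq's).
        shell: bash
        run: |
          BASE_TAG=$(docker buildx imagetools inspect danielflook/terraform-github-actions-base:latest --format '{{json .}}' | jq -r '.manifest.annotations."ref.tag"')
          BASE_DIGEST=$(docker buildx imagetools inspect "danielflook/terraform-github-actions-base:$BASE_TAG" --format '{{json .}}' | jq -r '.manifest.digest')
          if [ -z "$BASE_DIGEST" ] || [ "$BASE_DIGEST" = "null" ]; then
            echo "Could not resolve a digest for base tag '$BASE_TAG'" >&2
            exit 1
          fi
          # The mutable :latest tag only supplied the tag name; the digest is
          # trusted solely because its provenance attestation verifies here.
          gh attestation verify --repo dflook/terraform-github-actions "oci://index.docker.io/danielflook/terraform-github-actions-base@$BASE_DIGEST"
          # Pin FROM to the verified digest, then confirm the substitution took
          # so an unpinned build cannot proceed silently.
          sed -i "s|FROM danielflook/terraform-github-actions-base:latest|FROM danielflook/terraform-github-actions-base@$BASE_DIGEST|" "image/Dockerfile"
          grep -qF "FROM danielflook/terraform-github-actions-base@$BASE_DIGEST" "image/Dockerfile"
          docker buildx build \
            --build-arg FETCH_CHECKSUMS=yes \
            --build-arg VERSION="${RELEASE_TAG:1}" \
            --tag "danielflook/terraform-github-actions-dev:$RELEASE_TAG" \
            --tag "ghcr.io/dflook/terraform-github-actions-dev:$RELEASE_TAG" \
            --platform linux/amd64,linux/arm64 \
            --attest type=provenance,mode=max,builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID \
            --annotation "index,manifest:org.opencontainers.image.created=$(date '+%Y-%m-%dT%H:%M:%S%z')" \
            --annotation "index,manifest:org.opencontainers.image.source=https://github.com/${{ github.repository }}" \
            --annotation "index,manifest:org.opencontainers.image.revision=${{ github.sha }}" \
            --annotation "index,manifest:org.opencontainers.image.version=$RELEASE_TAG" \
            --annotation "index,manifest:org.opencontainers.image.title=terraform-github-actions" \
            --annotation "index,manifest:org.opencontainers.image.description=GitHub actions for terraform" \
            --annotation "index:org.opencontainers.image.ref.name=docker.io/danielflook/terraform-github-actions-dev:$RELEASE_TAG" \
            --annotation "index,manifest:builder-id=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" \
            --annotation "index,manifest:ref.tag=$RELEASE_TAG" \
            --annotation "index,manifest:org.opencontainers.image.base.name=docker.io/danielflook/terraform-github-actions-base" \
            --annotation "index:org.opencontainers.image.base.ref=$BASE_TAG" \
            --push \
            --iidfile manifest-list-digest.txt \
            image
          echo "digest=$(<manifest-list-digest.txt)" >> "$GITHUB_OUTPUT"

      # Sigstore-signed provenance for both registry references of one digest.
      - name: Dockerhub ref attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: index.docker.io/danielflook/terraform-github-actions-dev
          subject-digest: ${{ steps.image_build.outputs.digest }}

      - name: GHCR ref attestation
        uses: actions/attest-build-provenance@v2
        with:
          subject-name: ghcr.io/dflook/terraform-github-actions-dev
          subject-digest: ${{ steps.image_build.outputs.digest }}

  actions:
    runs-on: ubuntu-24.04
    name: Release Actions
    needs:
      - image
    # No job-level permissions: GITHUB_TOKEN keeps the workflow default
    # (contents: read); the cross-repo pushes use the RELEASE_GITHUB_TOKEN secret.
    environment:
      name: release
      # Stray trailing quote dropped from the URL.
      url: https://github.com/dflook/terraform-github-actions/releases/tag/test.0.0
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          persist-credentials: false

      - name: Configure git
        env:
          GPG_KEY: ${{ secrets.RELEASE_GPG_KEY }}
        # Every commit and tag created in the next step is GPG-signed with this key.
        run: |
          echo "$GPG_KEY" | gpg --import
          git config --global user.name "Daniel Flook"
          git config --global user.email "daniel@flook.org"
          git config --global user.signingkey "26AAA6B35318E5B7CF0823170FDD1CF4BEE12274"
          git config --global commit.gpgSign true
          git config --global tag.gpgSign true

      - name: Release actions
        env:
          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
          RELEASE_TAG: "test.0.0"
          IMAGE_DIGEST: ${{ needs.image.outputs.digest }}
        # bash + pipefail: a failing envsubst/jq/curl in the release pipeline
        # below now fails the step instead of being masked by the last command.
        shell: bash
        run: |
          # Exported so envsubst can expand them in the release template.
          export major=$(echo "$RELEASE_TAG" | cut -d. -f1)
          export minor=$(echo "$RELEASE_TAG" | cut -d. -f2)
          # Copy the action's source into its release clone, replacing .github
          # with just the funding file. Reads the loop variable $action.
          function prepare_release() {
            rsync -r "$GITHUB_WORKSPACE/$action/" "$HOME/$action"
            rm -rf "$HOME/$action/.github"
            mkdir "$HOME/$action/.github"
            cp "$GITHUB_WORKSPACE/.github/FUNDING.yml" "$HOME/$action/.github/FUNDING.yml"
          }
          # NOTE(review): find matches action.yml here, but the sed calls below
          # edit action.yaml in the clone -- confirm both file names are intended.
          for action in $(cd "$GITHUB_WORKSPACE" && find . -name action.yml -printf "%h\n" | sed 's/^.\///'); do
            # A clone failure is treated as "no release repo for this action";
            # auth or network errors are skipped the same way, so check the log.
            # The token is embedded in the clone's remote URL, which is tolerable
            # only because the runner is ephemeral.
            if git clone "https://dflook:$GITHUB_TOKEN@github.com/dflook/$action.git" "$HOME/$action"; then
              echo "Releasing dflook/$action@$RELEASE_TAG"
              # git tags that use DockerHub for the image
              prepare_release
              sed -i "s| image:.*| image: docker://danielflook/terraform-github-actions-dev@$IMAGE_DIGEST|" "$HOME/$action/action.yaml"
              git -C "$HOME/$action" add -A
              git -C "$HOME/$action" commit -m "$RELEASE_TAG"
              # --force: the major and major.minor tags are moved on every release.
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG-dockerhub"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major-dockerhub"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor-dockerhub"
              git -C "$HOME/$action" push --force
              git -C "$HOME/$action" push --force --tags
              # git tags that use GitHub Container Registry for the image
              git -C "$HOME/$action" checkout ghcr || git -C "$HOME/$action" checkout -b ghcr
              prepare_release
              sed -i "s| image:.*| image: docker://ghcr.io/dflook/terraform-github-actions-dev@$IMAGE_DIGEST|" "$HOME/$action/action.yaml"
              git -C "$HOME/$action" add -A
              git -C "$HOME/$action" commit -m "$RELEASE_TAG-ghcr"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$RELEASE_TAG-ghcr"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major-ghcr"
              git -C "$HOME/$action" tag --force -a -m"$RELEASE_TAG" "$major.$minor-ghcr"
              git -C "$HOME/$action" push --set-upstream origin ghcr --force
              git -C "$HOME/$action" push --force --tags
              # Create the github release
              # NOTE(review): envsubst expands every $VAR in the template, so a
              # template referencing GITHUB_TOKEN would leak it into the release
              # body; restricting it to the variables the template needs
              # (envsubst '$RELEASE_TAG $major $minor') is safer -- confirm usage.
              # --fail-with-body: an HTTP error from the API now fails the step
              # and prints the response instead of returning 0.
              cat "$GITHUB_WORKSPACE/.github/release_template.md" \
                | envsubst \
                | jq --slurp --raw-input --arg RELEASE_TAG "$RELEASE_TAG" '{"tag_name": $RELEASE_TAG, "name": $RELEASE_TAG, "body": . }' \
                | curl -X POST \
                    --fail-with-body \
                    --user "dflook:$GITHUB_TOKEN" \
                    --header "Content-Type: application/json" \
                    --data-binary @- \
                    "https://api.github.com/repos/dflook/$action/releases"
            else
              echo "Skipping dflook/$action"
            fi
          done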