feat/ci: add support for attesting release assets (#12851)

* feat: add support for attesting release assets

---------

Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>
Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com>
Co-authored-by: Sebastiaan Speck <12570668+sebastiaanspeck@users.noreply.github.com>
pull/28/head
K.B.Dharun Krishna 2024-05-30 11:05:32 +05:30 committed by GitHub
parent e90697af1e
commit 862591ca18
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 86 additions and 14 deletions

View File

@ -2,14 +2,14 @@ name: CI
on: ['push', 'pull_request'] on: ['push', 'pull_request']
permissions:
contents: write # to upload assets to releases
jobs: jobs:
ci: ci:
runs-on: ubuntu-latest
name: CI name: CI
runs-on: ubuntu-latest
permissions:
contents: write # to upload assets to releases
attestations: write # to upload assets attestation for build provenance
id-token: write # grant additional permission to attestation action to mint the OIDC token permission
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
@ -53,3 +53,53 @@ jobs:
env: env:
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Check for generated files
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
id: check-files
run: |
if [[ -n $(find language_archives -name "*.zip" -print -quit) ]]; then
echo "zip_exists=true" >> $GITHUB_ENV
else
echo "zip_exists=false" >> $GITHUB_ENV
fi
if [[ -n $(find scripts/pdf -name "*.pdf" -print -quit) ]]; then
echo "pdf_exists=true" >> $GITHUB_ENV
else
echo "pdf_exists=false" >> $GITHUB_ENV
fi
if [[ -f tldr.sha256sums ]]; then
echo "checksums_exist=true" >> $GITHUB_ENV
else
echo "checksums_exist=false" >> $GITHUB_ENV
fi
- name: Construct subject-path for attest
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
id: construct-subject-path
run: |
subject_path=""
if [[ ${{ env.zip_exists }} == 'true' ]]; then
zip_files=$(find language_archives -name '*.zip' -printf '%p,')
subject_path+="${zip_files::-1}"
fi
if [[ ${{ env.pdf_exists }} == 'true' ]]; then
if [[ -n $subject_path ]]; then subject_path+=","; fi
pdf_files=$(find scripts/pdf -name '*.pdf' -printf '%p,')
subject_path+="${pdf_files::-1}"
fi
if [[ ${{ env.checksums_exist }} == 'true' ]]; then
if [[ -n $subject_path ]]; then subject_path+=","; fi
subject_path+='tldr.sha256sums'
fi
echo "subject_path=$subject_path" >> $GITHUB_ENV
- name: Attest generated files
if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
id: attest
uses: actions/attest-build-provenance@v1
continue-on-error: true # prevent failing when no pages are modified
with:
subject-path: ${{ env.subject_path }}

View File

@ -4,28 +4,50 @@ on:
release: release:
types: published types: published
permissions:
contents: write
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs: jobs:
release: release:
name: Copy assets to the new release name: Copy release assets
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: write # to upload assets to releases
attestations: write # to upload assets attestation for build provenance
id-token: write # grant additional permission to attestation action to mint the OIDC token permission
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Download and upload - name: Set tag names
run: | run: |
LATEST="$(git describe --tags --abbrev=0)" echo "LATEST=$(git describe --tags --abbrev=0)" >> $GITHUB_ENV
PREVIOUS="$(git describe --tags --abbrev=0 "$LATEST"^)" echo "PREVIOUS=$(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)" >> $GITHUB_ENV
- name: Download assets
run: |
mkdir release-assets && cd release-assets mkdir release-assets && cd release-assets
gh release download "$PREVIOUS" gh release download "$PREVIOUS"
gh release upload "$LATEST" -- *
- name: Construct subject-path for attest
if: github.repository == 'tldr-pages/tldr'
id: construct-subject-path
run: |
zip_files=$(find release-assets -name '*.zip' -printf '%p,')
pdf_files=$(find release-assets -name '*.pdf' -printf '%p,')
subject_path="${zip_files::-1},${pdf_files::-1},release-assets/tldr.sha256sums"
echo "subject_path=$subject_path" >> $GITHUB_ENV
- name: Attest copied assets
if: github.repository == 'tldr-pages/tldr'
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-path: ${{ env.subject_path }}
- name: Upload assets
if: github.repository == 'tldr-pages/tldr'
working-directory: release-assets
run: gh release upload "$LATEST" -- *