terraform-aws-github-runner/.github/workflows/release.yml at efbaa6f23c7572b0a8973f5333e435e5e2def9b7 · github-aws-runners/terraform-aws-github-runner · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
name: Release build
on:
  push:
    branches:
      - main
  workflow_dispatch:

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false

permissions:
  contents: read

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # for release-please-action to create releases and update changelogs
      actions: write # for release-please-action to trigger other workflows
      id-token: write # for actions/attest-build-provenance to generate attestations
      attestations: write # for actions/attest-build-provenance to write attestations
    environment: release
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version: 24
          package-manager-cache: false
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Build dist
        working-directory: lambdas
        run: yarn install --frozen-lockfile && yarn run test && yarn dist
      - name: Get installation token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
        id: token
        with:
          app-id: ${{ vars.RELEASER_APP_ID }}
          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
      - name: Extract branch name
        id: branch
        shell: bash
        run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
      - name: Release
        id: release
        uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
        with:
          target-branch: ${{ steps.branch.outputs.name }}
          release-type: terraform-module
          token: ${{ steps.token.outputs.token }}
      - name: Attest
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        id: attest
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'
      - name: Update release notes with attestation
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.event.inputs.version }}
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
          ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
          REPOSITORY: ${{ github.repository }}
        run: |
          version="${VERSION}"
          tag_name="${TAG_NAME}"
          attestation_url="${ATTESTATION_URL}"
          repository="${REPOSITORY}"
          gh release view $version --json body -q '.body' > new-release-notes.md
          echo "## Attestation" >> new-release-notes.md
          echo "Attestation url: $attestation_url" >> new-release-notes.md
          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${repository}\`" >> new-release-notes.md
          gh release edit $tag_name -F new-release-notes.md -t $tag_name
      - name: Upload release assets
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
        run: |
          tag_name="${TAG_NAME}"
          for f in $(find . -name '*.zip'); do
            gh release upload $tag_name $f
          done
      - name: Attach attestation
        if: ${{ steps.release.outputs.releases_created == 'true' }}
        env:
          ATTESTATION_BUNDLE: ${{ steps.attest.outputs.bundle-path }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG_NAME: ${{ steps.release.outputs.tag_name }}
          ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
        run: |
          # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
          # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
          SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
          INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.jsonl
          mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
          if [ -z "$SIGSTORE_BUNDLE" ]; then
            echo "No attestation bundle found, skipping attachment."
            exit 0
          fi
          gh release upload $TAG_NAME "$SIGSTORE_BUNDLE"
          cat ${SIGSTORE_BUNDLE} | jq -r '.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq .> ${INTOTO_BUNDLE}
          gh release upload $TAG_NAME "${INTOTO_BUNDLE}"