fabric-chaincode-node/.github/workflows/release.yaml at d054c98b24b209a6501f7d0bf6e4ec9b7736ffed · hyperledger/fabric-chaincode-node · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
# Copyright the Hyperledger Fabric contributors. All rights reserved.
# SPDX-License-Identifier: Apache-2.0

name: Release

on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"

# ---- Global permissions for Trusted Publishing & attestations ----
# id-token:write is required for OIDC (npm trusted publishing, keyless attestations)
# packages:write for GHCR; attestations:write for GitHub artifact attestations (optional but recommended)
permissions:
  contents: read
  packages: write
  id-token: write
  attestations: write

env:
  IMAGE_NAME: ${{ github.repository_owner }}/fabric-nodeenv

jobs:
  test:
    uses: ./.github/workflows/test.yaml

  # =============== npm (Trusted Publisher via OIDC) ==================
  # Pre-req (one-time): In npm, enable "Trusted publishing" for the package
  # and link this repo/workflow. Then you no longer need NPM_TOKEN.  [oai_citation:0‡npm Docs](https://docs.npmjs.com/trusted-publishers/?utm_source=chatgpt.com)
  publishnpm:
    runs-on: ubuntu-24.04
    needs: test
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: "18.x"
          registry-url: "https://registry.npmjs.org"
      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: node-tgzs
          path: build/
      - name: Publish packages with provenance (OIDC)
        # No NODE_AUTH_TOKEN needed when Trusted Publishing is enabled.
        # --provenance tells npm to attach SLSA provenance to the package.  [oai_citation:1‡The GitHub Blog](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/?utm_source=chatgpt.com)
        run: |
          set -xev
          ls -lart build/
          cd build
          find . -type f -name 'fabric-*.tgz' -print0 | xargs -0 -I{} npm publish {} --provenance --access public

  # ========= Build & push per-arch images (with provenance/SBOM) =========
  docker-build-push:
    name: Build & Push Docker image (per-arch)
    needs: test
    runs-on: ${{ matrix.arch.runner }}
    permissions:
      contents: read
      packages: write     # for ghcr.io
      id-token: write     # for provenance/attestations
    strategy:
      fail-fast: false
      matrix:
        arch:
          - platform: linux-amd64
            runner: ubuntu-24.04
          - platform: linux-arm64
            runner: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Get commit timestamp
        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"

      # ---- GHCR login via GITHUB_TOKEN (already short-lived/trusted) ----
      - name: Login to GitHub Container Registry (ghcr.io)
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # ---- Optional: Docker Hub login (kept for now) ----
      # If your Docker Hub org enables its own trusted/OIDC flow later, you can
      # replace this with that method; until then PAT is required.  [oai_citation:2‡Docker Documentation](https://docs.docker.com/docker-hub/image-library/trusted-content/?utm_source=chatgpt.com)
      - name: Login to Docker Hub
        if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }}
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build image (per-arch) with provenance + SBOM
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: docker/fabric-nodeenv/Dockerfile
          context: docker/fabric-nodeenv
          platforms: ${{ matrix.arch.platform }}
          # Generate and attach provenance/SBOM at build time.  [oai_citation:3‡Docker Documentation](https://docs.docker.com/build/metadata/attestations/slsa-provenance/?utm_source=chatgpt.com)
          provenance: true
          sbom: true
          outputs: type=registry,"name=${{ format('ghcr.io/{0},docker.io/{0}', env.IMAGE_NAME) }}",push-by-digest=true,name-canonical=true
        env:
          SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}

      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"

      - name: Upload digest
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: digest-${{ matrix.arch.platform }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error

  # =============== Manifest + tags publishing ==================
  docker-meta:
    needs: docker-build-push
    name: Publish Docker metadata
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
      fail-fast: false
      matrix:
        registry:
          - docker.io
          - ghcr.io
    steps:
      - name: Download digests
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          path: ${{ runner.temp }}/digests
          pattern: digest-*
          merge-multiple: true

      - name: Login to ${{ matrix.registry }}
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ${{ matrix.registry }}
          username: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_USERNAME || github.actor }}
          password: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}

      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
        with:
          images: ${{ matrix.registry }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}.{{minor}}.{{patch}}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Create and push manifest list
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("--tag " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \
            $(printf '${{ matrix.registry }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)

      - name: Inspect image
        run: docker buildx imagetools inspect '${{ matrix.registry }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}'