
Commit 6a2093b

committed
chore: fix more issues
1 parent 70953c3 commit 6a2093b

1 file changed

Lines changed: 20 additions & 14 deletions


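--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -35,50 +35,56 @@ jobs:
 - uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: audit
+- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+with:
+persist-credentials: false
 - name: Amend release description
-env:
-GITHUB_TOKEN: ${{ github.token }}
 run: |
-CURRENT_NOTES=$(gh release view ${{ github.ref_name }} --json body -q '.body')
+set -Eeuo pipefail
+CURRENT_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')
 HEADER=$(echo "$CURRENT_NOTES" | awk '/^## / {print; exit}')
 TEMPLATE=$(cat "$GITHUB_WORKSPACE/.github/RELEASE_TEMPLATE.md")
 BODY=$(echo "$CURRENT_NOTES" | sed "0,/^## /d")
-gh release edit ${{ github.ref_name }} --notes "${HEADER}${TEMPLATE}${BODY}"
+gh release edit "${REF_NAME}" --notes "${HEADER}${TEMPLATE}${BODY}"
+env:
+GITHUB_TOKEN: ${{ github.token }}
+REF_NAME: ${{ github.ref_name }}
 update-release-notes:
 strategy:
 matrix:
 flavor: [cpp, rust]
 runs-on: ubuntu-latest
-needs: build-push-test
+needs: [build-push-test, apply-release-notes-template]
 env:
 CONTAINER_FLAVOR: ${{ matrix.flavor }}
 REF_NAME: ${{ github.ref_name }}
 REGISTRY: ghcr.io
 steps:
-- uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+- uses: step-security/harden-runner@002fdce3c6a235733a90a27c80493a3241e56863 # v2.12.1
 with:
 egress-policy: audit
 - name: Inspect manifest and extract digest
 id: inspect-manifest
 run: |
 set -Eeuo pipefail
-output=$(docker buildx imagetools inspect ${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}:${REF_NAME} --format '{{json .}}')
+output=$(docker buildx imagetools inspect "${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}:${REF_NAME}" --format '{{json .}}')
 echo "digest=$(echo "$output" | jq -r '.manifest.digest // .manifests[0].digest')" >> "$GITHUB_OUTPUT"
 - name: Upload provenance to release
 run: |
 set -Eeuo pipefail
-RAW_SHA=${{ steps.inspect-manifest.outputs.digest }}
-FORMATTED_SHA=${RAW_SHA//:/_}
-gh attestation verify --repo ${{ github.repository }} oci://${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}@${{ steps.inspect-manifest.outputs.digest }} --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${CONTAINER_FLAVOR}_${FORMATTED_SHA}.intoto.jsonl"
-gh release upload ${REF_NAME} ./*.intoto.jsonl
+FORMATTED_DIGEST=${DIGEST//:/_}
+gh attestation verify --repo ${{ github.repository }} "oci://${REGISTRY}/${{ github.repository }}-${CONTAINER_FLAVOR}@${DIGEST}" --format json --jq '.[] | .attestation.bundle.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq . > "${{ github.repository_owner }}-${{ github.event.repository.name }}-${CONTAINER_FLAVOR}_${FORMATTED_DIGEST}.intoto.jsonl"
+gh release upload "${REF_NAME}" ./*.intoto.jsonl
 env:
+DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
 GH_TOKEN: ${{ github.token }}
 - name: Update package details in release
 run: |
 set -Eeuo pipefail
 UPDATED_NOTES=$(gh release view ${REF_NAME} --json body -q '.body')
-UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}'/'${REF_NAME}'}
-UPDATED_NOTES=${UPDATED_NOTES//'{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}'/'${{ steps.inspect-manifest.outputs.digest }}'}
-gh release edit ${REF_NAME} --notes "${UPDATED_NOTES}"
+UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-version }}"/"${REF_NAME}"}
+UPDATED_NOTES=${UPDATED_NOTES//"{{ amp-devcontainer-${CONTAINER_FLAVOR}-sha }}"/"${DIGEST}"}
+gh release edit "${REF_NAME}" --notes "${UPDATED_NOTES}"
 env:
+DIGEST: ${{ steps.inspect-manifest.outputs.digest }}
 GH_TOKEN: ${{ github.token }}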
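Review bot: `gh release view ${REF_NAME}` in "Update package details in release" (old line 84) is the one remaining unquoted expansion of REF_NAME in this hunk, while the commit quotes it in the other three gh calls; it should read `UPDATED_NOTES=$(gh release view "${REF_NAME}" --json body -q '.body')`. In the same spirit, `${{ github.repository }}`, `${{ github.repository_owner }}` and `${{ github.event.repository.name }}` still expand inline in the run scripts of "Inspect manifest and extract digest" and "Upload provenance to release", whereas this commit moves `github.ref_name` and the digest into `env:`; adding `REPOSITORY: ${{ github.repository }}` (and the owner/name pair) to the job-level `env:` and referencing `"${REPOSITORY}"` would leave no template expansion inside shell text. Those values are repository metadata rather than user-supplied input, so this is a consistency point rather than an injection finding. A smaller correctness nit: `jq -r '.manifest.digest // .manifests[0].digest'` prints the literal string `null` when neither field exists, which would now flow through `DIGEST` into the `oci://...@null` reference and into the release notes; a `test "${DIGEST}" != null` guard at the top of the upload step would make that failure explicit instead of relying on the later verify call to reject it. The job whose steps begin at the top of the hunk has its name and any `permissions:` block outside the hunk, so the scope of the token used by the new checkout and the release edits could not be checked here.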
