Skip to content
Release build

chore(main): release 6.7.2 (#4686) #2444

Sign in to view logs

chore(main): release 6.7.2 (#4686)

chore(main): release 6.7.2 (#4686) #2444

Workflow file for this run

.github/workflows/release.yml at 4b33b88
name: Release build
on:
push:
branches:
- main
- v1
workflow_dispatch:
permissions:
contents: read
jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
actions: write
id-token: write
attestations: write
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
with:
egress-policy: audit
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 22
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Build dist
working-directory: lambdas
run: yarn install --frozen-lockfile && yarn run test && yarn dist
- name: Get installation token
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2.0.6
id: token
with:
app-id: ${{ vars.RELEASER_APP_ID }}
private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
- name: Extract branch name
id: branch
shell: bash
run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
- name: Release
id: release
uses: googleapis/release-please-action@a02a34c4d625f9be7cb89156071d8567266a2445 # v4.2.0
with:
target-branch: ${{ steps.branch.outputs.name }}
release-type: terraform-module
token: ${{ steps.token.outputs.token }}
- name: Attest
if: ${{ steps.release.outputs.releases_created == 'true' }}
id: attest
uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
with:
subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'
- name: Update release notes with attestation
if: ${{ steps.release.outputs.releases_created == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ github.event.inputs.version }}
TAG_NAME: ${{ steps.release.outputs.tag_name }}
ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
run: |
version="${VERSION}"
tag_name="${TAG_NAME}"
attestation_url="${ATTESTATION_URL}"
gh release view $version --json body -q '.body' > new-release-notes.md
echo "## Attestation" >> new-release-notes.md
echo "Attestation url: $attestation_url" >> new-release-notes.md
echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
gh release edit $tag_name -F new-release-notes.md -t $tag_name
- name: Upload release assets
if: ${{ steps.release.outputs.releases_created == 'true' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ steps.release.outputs.tag_name }}
run: |
tag_name="${TAG_NAME}"
for f in $(find . -name '*.zip'); do
gh release upload $tag_name $f
done
- name: Attach attestation
if: ${{ steps.release.outputs.releases_created == 'true' }}
env:
ATTESTATION_BUNDLE: ${{ steps.attest.outputs.bundle-path }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ steps.release.outputs.tag_name }}
ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
run: |
# rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
# OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.jsonl
mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
if [ -z "$SIGSTORE_BUNDLE" ]; then
echo "No attestation bundle found, skipping attachment."
exit 0
fi
gh release upload $TAG_NAME "$SIGSTORE_BUNDLE"
cat ${SIGSTORE_BUNDLE} | jq -r '.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq .> ${INTOTO_BUNDLE}
gh release upload $TAG_NAME "${INTOTO_BUNDLE}"