239 lines
8.4 KiB
YAML
239 lines
8.4 KiB
YAML
# .gitea/workflows/release.yml
|
|
# Deterministic release pipeline producing signed images, SBOMs, provenance, and manifest
|
|
|
|
name: Release Bundle
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*'
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: 'Release version (overrides tag, e.g. 2025.10.0-edge)'
|
|
required: false
|
|
type: string
|
|
channel:
|
|
description: 'Release channel (edge|stable|lts)'
|
|
required: false
|
|
default: 'edge'
|
|
type: choice
|
|
options:
|
|
- edge
|
|
- stable
|
|
- lts
|
|
calendar:
|
|
description: 'Calendar tag (YYYY.MM) - optional override'
|
|
required: false
|
|
type: string
|
|
push_images:
|
|
description: 'Push container images to registry'
|
|
required: false
|
|
default: true
|
|
type: boolean
|
|
|
|
jobs:
|
|
build-release:
|
|
runs-on: ubuntu-22.04
|
|
env:
|
|
DOTNET_VERSION: '10.0.100-rc.1.25451.107'
|
|
REGISTRY: registry.stella-ops.org
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Validate NuGet restore source ordering
|
|
run: python3 ops/devops/validate_restore_sources.py
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
- name: Set up Node.js 20
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: '20.14.0'
|
|
|
|
- name: Set up .NET SDK
|
|
uses: actions/setup-dotnet@v4
|
|
with:
|
|
dotnet-version: ${{ env.DOTNET_VERSION }}
|
|
include-prerelease: true
|
|
|
|
- name: Install cross-arch objcopy tooling
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y --no-install-recommends binutils-aarch64-linux-gnu
|
|
|
|
- name: Publish Python analyzer plug-in
|
|
run: |
|
|
set -euo pipefail
|
|
dotnet publish src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Python/StellaOps.Scanner.Analyzers.Lang.Python.csproj \
|
|
--configuration Release \
|
|
--output out/analyzers/python \
|
|
--no-self-contained
|
|
mkdir -p plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python
|
|
cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.dll plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
|
|
if [ -f out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb ]; then
|
|
cp out/analyzers/python/StellaOps.Scanner.Analyzers.Lang.Python.pdb plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python/
|
|
fi
|
|
|
|
- name: Run Python analyzer smoke checks
|
|
run: |
|
|
dotnet run \
|
|
--project tools/LanguageAnalyzerSmoke/LanguageAnalyzerSmoke.csproj \
|
|
--configuration Release \
|
|
-- \
|
|
--repo-root .
|
|
|
|
# Note: this step enforces DEVOPS-REL-14-004 by signing the restart-only Python plug-in.
|
|
# Ensure COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN is configured, otherwise the job will fail.
|
|
- name: Sign Python analyzer artefacts
|
|
env:
|
|
COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }}
|
|
run: |
|
|
set -euo pipefail
|
|
if [[ -z "${COSIGN_KEY_REF:-}" && -z "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
|
|
echo "::error::COSIGN_KEY_REF or COSIGN_IDENTITY_TOKEN must be provided to sign analyzer artefacts." >&2
|
|
exit 1
|
|
fi
|
|
|
|
export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
|
|
export COSIGN_EXPERIMENTAL=1
|
|
|
|
PLUGIN_DIR="plugins/scanner/analyzers/lang/StellaOps.Scanner.Analyzers.Lang.Python"
|
|
ARTIFACTS=(
|
|
"StellaOps.Scanner.Analyzers.Lang.Python.dll"
|
|
"manifest.json"
|
|
)
|
|
|
|
for artifact in "${ARTIFACTS[@]}"; do
|
|
FILE="${PLUGIN_DIR}/${artifact}"
|
|
if [[ ! -f "${FILE}" ]]; then
|
|
echo "::error::Missing analyzer artefact ${FILE}" >&2
|
|
exit 1
|
|
fi
|
|
|
|
sha256sum "${FILE}" | awk '{print $1}' > "${FILE}.sha256"
|
|
|
|
SIGN_ARGS=(--yes "${FILE}")
|
|
if [[ -n "${COSIGN_KEY_REF:-}" ]]; then
|
|
SIGN_ARGS=(--key "${COSIGN_KEY_REF}" "${SIGN_ARGS[@]}")
|
|
fi
|
|
if [[ -n "${COSIGN_IDENTITY_TOKEN:-}" ]]; then
|
|
SIGN_ARGS=(--identity-token "${COSIGN_IDENTITY_TOKEN}" "${SIGN_ARGS[@]}")
|
|
fi
|
|
|
|
cosign sign-blob "${SIGN_ARGS[@]}" > "${FILE}.sig"
|
|
done
|
|
|
|
- name: Install Helm 3.16.0
|
|
run: |
|
|
curl -fsSL https://get.helm.sh/helm-v3.16.0-linux-amd64.tar.gz -o /tmp/helm.tgz
|
|
tar -xzf /tmp/helm.tgz -C /tmp
|
|
sudo install -m 0755 /tmp/linux-amd64/helm /usr/local/bin/helm
|
|
|
|
- name: Install Cosign
|
|
uses: sigstore/cosign-installer@v3.4.0
|
|
|
|
- name: Install Syft
|
|
run: |
|
|
set -euo pipefail
|
|
SYFT_VERSION="v1.21.0"
|
|
curl -fsSL "https://github.com/anchore/syft/releases/download/${SYFT_VERSION}/syft_${SYFT_VERSION#v}_linux_amd64.tar.gz" -o /tmp/syft.tgz
|
|
tar -xzf /tmp/syft.tgz -C /tmp
|
|
sudo install -m 0755 /tmp/syft /usr/local/bin/syft
|
|
|
|
- name: Determine release metadata
|
|
id: meta
|
|
run: |
|
|
set -euo pipefail
|
|
RAW_VERSION="${{ github.ref_name }}"
|
|
if [[ "${{ github.event_name }}" != "push" ]]; then
|
|
RAW_VERSION="${{ github.event.inputs.version }}"
|
|
fi
|
|
if [[ -z "$RAW_VERSION" ]]; then
|
|
echo "::error::Release version not provided" >&2
|
|
exit 1
|
|
fi
|
|
VERSION="${RAW_VERSION#v}"
|
|
CHANNEL="${{ github.event.inputs.channel || '' }}"
|
|
if [[ -z "$CHANNEL" ]]; then
|
|
CHANNEL="edge"
|
|
fi
|
|
CALENDAR_INPUT="${{ github.event.inputs.calendar || '' }}"
|
|
if [[ -z "$CALENDAR_INPUT" ]]; then
|
|
YEAR=$(echo "$VERSION" | awk -F'.' '{print $1}')
|
|
MONTH=$(echo "$VERSION" | awk -F'.' '{print $2}')
|
|
if [[ -n "$YEAR" && -n "$MONTH" ]]; then
|
|
CALENDAR_INPUT="$YEAR.$MONTH"
|
|
else
|
|
CALENDAR_INPUT=$(date -u +'%Y.%m')
|
|
fi
|
|
fi
|
|
PUSH_INPUT="${{ github.event.inputs.push_images || '' }}"
|
|
if [[ "${{ github.event_name }}" == "push" ]]; then
|
|
PUSH_INPUT="true"
|
|
elif [[ -z "$PUSH_INPUT" ]]; then
|
|
PUSH_INPUT="true"
|
|
fi
|
|
if [[ "$PUSH_INPUT" == "false" || "$PUSH_INPUT" == "0" ]]; then
|
|
PUSH_FLAG="false"
|
|
else
|
|
PUSH_FLAG="true"
|
|
fi
|
|
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
|
|
echo "channel=$CHANNEL" >> "$GITHUB_OUTPUT"
|
|
echo "calendar=$CALENDAR_INPUT" >> "$GITHUB_OUTPUT"
|
|
echo "push=$PUSH_FLAG" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Enforce CLI parity gate
|
|
run: |
|
|
python3 ops/devops/check_cli_parity.py
|
|
|
|
- name: Log in to registry
|
|
if: steps.meta.outputs.push == 'true'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.REGISTRY }}
|
|
username: ${{ secrets.REGISTRY_USERNAME }}
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
|
|
- name: Prepare release output directory
|
|
run: |
|
|
rm -rf out/release
|
|
mkdir -p out/release
|
|
|
|
- name: Build release bundle
|
|
# NOTE (DEVOPS-REL-17-004): build_release.py now fails if out/release/debug is missing
|
|
env:
|
|
COSIGN_KEY_REF: ${{ secrets.COSIGN_KEY_REF }}
|
|
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
|
|
COSIGN_IDENTITY_TOKEN: ${{ secrets.COSIGN_IDENTITY_TOKEN }}
|
|
run: |
|
|
set -euo pipefail
|
|
EXTRA_ARGS=()
|
|
if [[ "${{ steps.meta.outputs.push }}" != "true" ]]; then
|
|
EXTRA_ARGS+=("--no-push")
|
|
fi
|
|
./ops/devops/release/build_release.py \
|
|
--version "${{ steps.meta.outputs.version }}" \
|
|
--channel "${{ steps.meta.outputs.channel }}" \
|
|
--calendar "${{ steps.meta.outputs.calendar }}" \
|
|
--git-sha "${{ github.sha }}" \
|
|
"${EXTRA_ARGS[@]}"
|
|
|
|
- name: Verify release artefacts
|
|
run: |
|
|
python ops/devops/release/verify_release.py --release-dir out/release
|
|
|
|
- name: Upload release artefacts
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: stellaops-release-${{ steps.meta.outputs.version }}
|
|
path: out/release
|
|
if-no-files-found: error
|