github-action: provenance generation (#2315)

elastic · Jun 6, 2024 · b12e219 · b12e219
1 parent 09ce76b
commit b12e219
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 20 deletions.
diff --git a/.github/workflows/release-main.yml b/.github/workflows/release-main.yml
@@ -5,9 +5,11 @@ on:
     branches: [ "main" ]
 
 permissions:
-    contents: write
-    issues: write
-    packages: write
+  attestations: write
+  contents: write
+  id-token: write
+  issues: write
+  packages: write
 
 env:
   NUGET_PACKAGES: ${{ github.workspace }}/.nuget/packages
@@ -26,7 +28,12 @@ jobs:
 
     - name: Package with canary suffix
       run: ./build.sh pack
-
+
+    - name: generate build provenance
+      uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919  # v1.2.0
+      with:
+        subject-path: "${{ github.workspace }}/build/output/_packages/*.nupkg"
+
     # Github packages requires authentication, this is likely going away in the future so for now we publish to feedz.io
     - name: publish canary packages to feedz.io
       run: dotnet nuget push 'build/output/_packages/*.nupkg' -k ${{ secrets.FEEDZ_IO_API_KEY }} -s ${{ secrets.FEEDZ_IO_API_URL }} --skip-duplicate --no-symbols

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -17,45 +17,91 @@ env:
 jobs:
   release:
     runs-on: ubuntu-latest
-
+    env:
+      PREFIX_APM_AGENT: "build/output/ElasticApmAgent_"
+      PREFIX_APM_PROFILER: "build/output/elastic_apm_profiler_"
+      SUFFIX_APM_AGENT: ".zip"
+      SUFFIX_APM_PROFILER: "-linux-x64.zip"
+      DOCKER_IMAGE_NAME: "docker.elastic.co/observability/apm-agent-dotnet"
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
     steps:
     - uses: actions/checkout@v4
     - name: Bootstrap Action Workspace
       id: bootstrap
       uses: ./.github/workflows/bootstrap
       with:
-          rust: 'true'
+        rust: 'true'
 
     - name: Package
       run: ./build.sh pack
 
     - name: Release to Nuget
       run: .ci/linux/deploy.sh ${{ secrets.NUGET_API_KEY }} ${{ secrets.NUGET_API_URL }}
 
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+
     - name: Log in to the Elastic Container registry
       uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
       with:
         registry: ${{ secrets.ELASTIC_DOCKER_REGISTRY }}
         username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
         password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
 
-    - name: Build Profiler Docker Image
-      continue-on-error: true #continue for now until we see it working in action
-      run: |
-        docker build . -t docker.elastic.co/observability/apm-agent-dotnet:${{ steps.bootstrap.outputs.agent-version }} \
-            --build-arg AGENT_ZIP_FILE=build/output/elastic_apm_profiler_${{ steps.bootstrap.outputs.agent-version }}-linux-x64.zip
-        
-    - name: Push Profiler Docker Image
-      continue-on-error: true #continue for now until we see it working in action
-      run: |
-        for i in $(seq 1 3); do [ $i -gt 1 ] && sleep 15; docker push docker.elastic.co/observability/apm-agent-dotnet:${{ steps.bootstrap.outputs.agent-version }} && s=0 && break || s=$?; done; (exit $s)
-        
+    - name: Extract metadata (tags, labels)
+      id: docker-meta
+      uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
+      with:
+        images: ${{ env.DOCKER_IMAGE_NAME }}
+        flavor: |
+          latest=auto
+        tags: |
+          # "1.2.3" and "latest" Docker tags on push of git tag "v1.2.3"
+          type=raw,value=${{ steps.bootstrap.outputs.agent-version }}
+          # "edge" Docker tag on git push to default branch
+          type=edge
+
+    - name: Build and Push Profiler Docker Image
+      id: docker-push
+      continue-on-error: true # continue for now until we see it working in action
+      uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0  # v5.3.0
+      with:
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+        context: .
+        push: true
+        tags: ${{ steps.docker-meta.outputs.tags }}
+        labels: ${{ steps.docker-meta.outputs.labels }}
+        build-args: |
+          AGENT_ZIP_FILE=${{ env.PREFIX_APM_PROFILER }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_APM_PROFILER }}
+
+    - name: Attest image
+      uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919  # v1.2.0
+      continue-on-error: true # continue for now until we see it working in action
+      with:
+        subject-name: ${{ env.DOCKER_IMAGE_NAME }}
+        subject-digest: ${{ steps.docker-push.outputs.digest }}
+        push-to-registry: true
+
+    - name: generate build provenance (APM Agent)
+      uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919  # v1.2.0
+      with:
+        subject-path: "${{ github.workspace }}/${{ env.PREFIX_APM_AGENT }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_APM_AGENT }}"
+
+    - name: generate build provenance (APM Profiler)
+      uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919  # v1.2.0
+      with:
+        subject-path: "${{ github.workspace }}/${{ env.PREFIX_APM_PROFILER }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_APM_PROFILER }}"
+
     - name: Attach Profiler And Startup Hooks
       continue-on-error: true #continue for now until we see it working in action
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: |
-        gh release upload ${{ github.ref_name }} "build/output/ElasticApmAgent_${{ steps.bootstrap.outputs.agent-version }}.zip" "build/output/elastic_apm_profiler_${{ steps.bootstrap.outputs.agent-version }}-linux-x64.zip"
+        gh release upload ${{ github.ref_name }} "${{ env.PREFIX_APM_AGENT }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_APM_AGENT }}" "${{ env.PREFIX_APM_PROFILER }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_APM_PROFILER }}"
 
     - if: ${{ success() }}
       uses: elastic/oblt-actions/slack/[email protected]
@@ -82,7 +128,13 @@ jobs:
     outputs:
       agent-version: ${{ steps.bootstrap.outputs.agent-version }}
       major-version: ${{ steps.bootstrap.outputs.major-version }}
-
+    env:
+      PREFIX_ZIP_FILE: "build/output/elastic_apm_profiler_"
+      SUFFIX_ZIP_FILE: "-win-x64.zip"
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - name: Bootstrap Action Workspace
@@ -94,12 +146,17 @@ jobs:
       - name: Build profiler
         run: ./build.bat profiler-zip
 
+      - name: generate build provenance (APM Profiler)
+        uses: actions/attest-build-provenance@49df96e17e918a15956db358890b08e61c704919  # v1.2.0
+        with:
+          subject-path: "${{ github.workspace }}/${{ env.PREFIX_ZIP_FILE }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_ZIP_FILE }}"
+
       - name: Attach Profiler
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         continue-on-error: true #continue for now until we see it working in action
         run: |
-          gh release upload ${{ github.ref_name }} "build/output/elastic_apm_profiler_${{ steps.bootstrap.outputs.agent-version }}-win-x64.zip"
+          gh release upload ${{ github.ref_name }} "${{ env.PREFIX_ZIP_FILE }}${{ steps.bootstrap.outputs.agent-version }}${{ env.SUFFIX_ZIP_FILE }}"
 
   post-release:
     needs: [ 'release-windows']