Skip to content

test

test #42

Workflow file for this run

name: release
on:
push:
tags:
- v*.*.*
branches:
- main
- test-provenance
permissions:
contents: write
id-token: write
pull-requests: read
jobs:
release:
runs-on: ubuntu-latest
env:
DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-nodejs
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: 'v16.20.2'
- uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
with:
registry: docker.elastic.co
secret: secret/observability-team/ci/docker-registry/prod
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
- run: make -C .ci env
- run: make -C .ci dist
- name: Attest Lambda layer zip
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/build/aws/elastic-apm-node-lambda-layer-*.zip"
- id: docker-vars
name: Set up docker variables
run: |-
if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
# for testing purposes
echo "tag=test" >> "${GITHUB_OUTPUT}"
echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
else
# version without v prefix (e.g. 1.2.3)
echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
echo "latest=latest" >> "${GITHUB_OUTPUT}"
fi
# Use docker/[email protected] in conjunction with github-early-access/generate-build-provenance@main
- name: Build and Push Docker Image
id: docker-push
uses: docker/[email protected]
with:
context: .
push: true
tags: |
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.tag }}
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.latest }}
build-args: |
AGENT_DIR=/build/dist/nodejs
- name: Attest Docker image
uses: github-early-access/generate-build-provenance@main
with:
subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
subject-digest: ${{ steps.docker-push.outputs.digest }}
push-to-registry: false
- name: Read AWS vault secrets
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
secret/observability-team/ci/service-account/apm-aws-lambda access_key_id | AWS_ACCESS_KEY_ID ;
secret/observability-team/ci/service-account/apm-aws-lambda secret_access_key | AWS_SECRET_ACCESS_KEY
- name: Publish AWS lambda (only for tag release)
if: startsWith(github.ref, 'refs/tags')
run: make -C .ci publish-in-all-aws-regions create-arn-file
env:
GH_TOKEN: ${{ github.token }}
- name: create github release (only for tag release)
run: make -C .ci github-release
if: startsWith(github.ref, 'refs/tags')
env:
GH_TOKEN: ${{ github.token }}
- name: Read NPM vault secrets
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
secret/jenkins-ci/npmjs/elasticmachine token | NPMJS_TOKEN ;
totp/code/npmjs-elasticmachine code | TOTP_CODE
- name: npm publish (only for tag release)
if: startsWith(github.ref, 'refs/tags')
run: |-
echo "//registry.npmjs.org/:_authToken=${{ env.NPMJS_TOKEN }}" > .npmrc
npm publish --otp=${{ env.TOTP_CODE }} --provenance
- if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
slackChannel: "#apm-agent-node"
message: '[${{ github.repository }}] Release *${{ github.ref_name }}*'