release: add provenance with GitHub actions (#3938)

elastic · Apr 26, 2024 · 8b8d1fe · 8b8d1fe
1 parent b822ffd
commit 8b8d1fe
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 54 deletions.
diff --git a/.ci/Makefile b/.ci/Makefile
@@ -1,10 +1,7 @@
 SHELL = /bin/bash -eo pipefail
 MAKEFLAGS += --no-print-directory
 AWS_FOLDER = ../build/aws
-DIST_DIR = /build/dist/nodejs
 LAMBDA_LAYER_ZIP_FILE = ../build/dist/elastic-apm-node-lambda-layer.zip
-DOCKER_IMAGE_NAME = observability/apm-agent-nodejs
-DOCKER_REGISTRY = docker.elastic.co
 SUFFIX_ARN_FILE = arn-file.md
 AGENT_VERSION = $(subst v,,$(GITHUB_REF_NAME))
 MAJOR_VERSION = $(shell cut -d '.' -f 1 <<< $(AGENT_VERSION))
@@ -35,14 +32,6 @@ clean:
 env:
 	@env | sort
 
-# Create Docker image
-build-docker: validate-version
-	docker build -t $(DOCKER_REGISTRY)/$(DOCKER_IMAGE_NAME):$(AGENT_VERSION) \
-  --build-arg AGENT_DIR=$(DIST_DIR) ..
-
-push-docker: build-docker
-	../dev-utils/push-docker.sh $(DOCKER_REGISTRY) $(DOCKER_IMAGE_NAME) $(AGENT_VERSION)
-
 # List all the AWS regions
 get-all-aws-regions:
 	@mkdir -p $(AWS_FOLDER)
@@ -99,11 +88,6 @@ create-arn-file: validate-release-notes-url
 github-release: validate-ref-name
 	../dev-utils/github-release.sh "$(GITHUB_REF_NAME)" "$(AWS_FOLDER)/$(SUFFIX_ARN_FILE)"
 
-validate-version:
-ifndef AGENT_VERSION
-	$(error AGENT_VERSION is undefined)
-endif
-
 validate-ref-name:
 ifndef GITHUB_REF_NAME
 	$(error GITHUB_REF_NAME is undefined)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,14 +4,20 @@ on:
   push:
     tags:
       - v*.*.*
+    branches:
+      - main
 
 permissions:
+  attestations: write
   contents: write
+  id-token: write
   pull-requests: read
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    env:
+      DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-nodejs
     steps:
       - uses: actions/checkout@v4
         with:
@@ -33,7 +39,42 @@ jobs:
 
       - run: make -C .ci dist
 
-      - run: make -C .ci push-docker
+      - name: Attest Lambda layer zip
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-path: "${{ github.workspace }}/build/aws/elastic-apm-node-lambda-layer-*.zip"
+
+      - id: docker-vars
+        name: Set up docker variables
+        run: |-
+          if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
+            # for testing purposes
+            echo "tag=test" >> "${GITHUB_OUTPUT}"
+            echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
+          else
+            # version without v prefix (e.g. 1.2.3)
+            echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
+            echo "latest=latest" >> "${GITHUB_OUTPUT}"
+          fi
+
+      - name: Build and Push Docker Image
+        id: docker-push
+        uses: docker/[email protected]
+        with:
+          context: .
+          push: true
+          tags: |
+            ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.tag }}
+            ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.latest }}
+          build-args: |
+            AGENT_DIR=/build/dist/nodejs
+
+      - name: Attest Docker image
+        uses: github-early-access/generate-build-provenance@main
+        with:
+          subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
+          subject-digest: ${{ steps.docker-push.outputs.digest }}
+          push-to-registry: true
 
       - name: Read AWS vault secrets
         uses: hashicorp/[email protected]
@@ -46,12 +87,15 @@ jobs:
             secret/observability-team/ci/service-account/apm-aws-lambda access_key_id | AWS_ACCESS_KEY_ID ;
             secret/observability-team/ci/service-account/apm-aws-lambda secret_access_key | AWS_SECRET_ACCESS_KEY
 
-      - name: Publish AWS lambda
+      - name: Publish AWS lambda (only for tag release)
+        if: startsWith(github.ref, 'refs/tags')
         run: make -C .ci publish-in-all-aws-regions create-arn-file
         env:
           GH_TOKEN: ${{ github.token }}
 
-      - run: make -C .ci github-release
+      - name: create github release (only for tag release)
+        run: make -C .ci github-release
+        if: startsWith(github.ref, 'refs/tags')
         env:
           GH_TOKEN: ${{ github.token }}
 
@@ -66,12 +110,13 @@ jobs:
             secret/jenkins-ci/npmjs/elasticmachine token | NPMJS_TOKEN ;
             totp/code/npmjs-elasticmachine code | TOTP_CODE
 
-      - name: npm publish
+      - name: npm publish (only for tag release)
+        if: startsWith(github.ref, 'refs/tags')
         run: |-
           echo "//registry.npmjs.org/:_authToken=${{ env.NPMJS_TOKEN }}" > .npmrc
-          npm publish --otp=${{ env.TOTP_CODE }}
+          npm publish --otp=${{ env.TOTP_CODE }} --provenance
 
-      - if: always()
+      - if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
         uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
         with:
           vaultUrl: ${{ secrets.VAULT_ADDR }}

diff --git a/dev-utils/push-docker.sh b/dev-utils/push-docker.sh