From 22dcde86afcc1c4c2361b5dfd3e777cdc608be34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <66256922+daniel-weisse@users.noreply.github.com> Date: Mon, 11 Dec 2023 15:00:08 +0100 Subject: [PATCH] terraform-provider: create release in provider repo on Constellation release (#2686) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Create release in Terraform provider repo with provider binaries * Set target_commitish to input ref for easier release workflow * Rename release-cli workflow to draft-release * Update release guide --------- Signed-off-by: Daniel Weiße --- .../download_release_binaries/action.yml | 60 +++++ .github/workflows/build-binaries.yml | 7 +- .../{release-cli.yml => draft-release.yml} | 237 +++++++++++------- .github/workflows/release-tf-provider.yml | 70 ------ .github/workflows/release.yml | 8 +- dev-docs/workflows/release.md | 8 +- 6 files changed, 222 insertions(+), 168 deletions(-) create mode 100644 .github/actions/download_release_binaries/action.yml rename .github/workflows/{release-cli.yml => draft-release.yml} (65%) delete mode 100644 .github/workflows/release-tf-provider.yml diff --git a/.github/actions/download_release_binaries/action.yml b/.github/actions/download_release_binaries/action.yml new file mode 100644 index 0000000000..ed3f5103dd --- /dev/null +++ b/.github/actions/download_release_binaries/action.yml 
@@ -0,0 +1,60 @@ +name: Download release binaries +description: "Downloads all binaries created by a different job (and therefore not available in this job) in the release pipeline." + +runs: + using: "composite" + steps: + - name: Download CLI binaries darwin-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: constellation-darwin-amd64 + + - name: Download CLI binaries darwin-arm64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: constellation-darwin-arm64 + + - name: Download CLI binaries linux-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: constellation-linux-amd64 + + - name: Download CLI binaries linux-arm64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: constellation-linux-arm64 + + - name: Download CLI binaries windows-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: constellation-windows-amd64 + + - name: Download Terraform module + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: terraform-module + + - name: Download Terraform provider binary darwin-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: terraform-provider-constellation-darwin-amd64 + + - name: Download Terraform provider binary darwin-arm64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: terraform-provider-constellation-darwin-arm64 + + - name: Download Terraform provider binary linux-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: terraform-provider-constellation-linux-amd64 + + - name: Download Terraform provider binary linux-arm64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # 
v3.0.2 + with: + name: terraform-provider-constellation-linux-arm64 + + - name: Download Terraform provider binary windows-amd64 + uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + with: + name: terraform-provider-constellation-windows-amd64 diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml index 949f36dd4d..46fd9cab82 100644 --- a/.github/workflows/build-binaries.yml +++ b/.github/workflows/build-binaries.yml @@ -42,6 +42,7 @@ jobs: disk_mapper: "//disk-mapper/cmd:disk-mapper_linux_amd64" measurement_reader: "//measurement-reader/cmd:measurement-reader_linux_amd64" cli: "//cli:all" + terraform_provider: "//terraform-provider-constellation:all" run: | bazel build \ @@ -51,7 +52,5 @@ jobs: "${cdbg}" \ "${disk_mapper}" \ "${measurement_reader}" \ - "${cli}" - - - name: Build Terraform Provider Binary - uses: ./.github/actions/build_tf_provider + "${cli}" \ + "${terraform_provider}" diff --git a/.github/workflows/release-cli.yml b/.github/workflows/draft-release.yml similarity index 65% rename from .github/workflows/release-cli.yml rename to .github/workflows/draft-release.yml index 023a9d8410..29814a8eb0 100644 --- a/.github/workflows/release-cli.yml +++ b/.github/workflows/draft-release.yml @@ -1,4 +1,4 @@ -name: Build CLI and prepare release +name: Draft release on: workflow_dispatch: 
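Review bot: The last step, `Download Terraform provider binary windows-amd64`, requests an artifact named `terraform-provider-constellation-windows-amd64` that nothing in this patch produces: the `build-terraform-provider` matrix in draft-release.yml (hunk `@@ -109,6 +109,61 @@`) has the windows entry commented out, and the provenance subject and slsa-verifier lines for it are commented out as well. Unless actions/download-artifact@v3 tolerates a missing named artifact (as far as I recall it fails the step), every job that uses this composite action will stop at this step. Either drop the step for now, or guard it with a step-level `if:` driven by a boolean-string input (e.g. `with-windows`, default `"false"`) and re-enable it together with the matrix entry. Since this action is now the single place the artifact list lives, a sentence in `description` naming which upstream jobs must have run first would also help.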
@@ -109,6 +109,61 @@ jobs: build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe build/constellation-${{ matrix.os }}-${{ matrix.arch }}.exe.sig + build-terraform-provider: + runs-on: ubuntu-22.04 + strategy: + fail-fast: false + matrix: + include: + - arch: amd64 + os: linux + + - arch: amd64 + os: darwin + + # No Windows release until we have a test suite for it + #- arch: amd64 + # os: windows + + - arch: arm64 + os: linux + + - arch: arm64 + os: darwin + steps: + - name: Checkout + id: checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ inputs.ref || github.head_ref }} + + - name: Setup bazel + uses: ./.github/actions/setup_bazel_nix + with: + useCache: "false" + + - name: Build Terraform Provider Binary + uses: ./.github/actions/build_tf_provider + with: + targetOS: ${{ matrix.os }} + targetArch: ${{ matrix.arch }} + + - name: Upload Terraform Provider Binary as artifact (unix) + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if : ${{ matrix.os != 'windows' }} + with: + name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} + path: | + build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} + + - name: Upload Terraform Provider Binary as artifact (windows) + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 + if : ${{ matrix.os == 'windows' }} + with: + name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} + path: | + build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe + upload-terraform-module: runs-on: ubuntu-22.04 steps: 
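Review bot: Both upload steps write `if : ${{ ... }}` with a space before the colon; it parses, but yamllint's `colons` rule flags it and every other key in this file uses `key:`. Change them to `if: ${{ matrix.os != 'windows' }}` and `if: ${{ matrix.os == 'windows' }}`. While the windows matrix entry stays commented out, the `(windows)` upload step is unreachable; a comment beside the commented entry pointing at the download action, the provenance subject list and the slsa-verifier block that must be re-enabled with it would keep the four places in sync.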
@@ -160,44 +215,24 @@ jobs: - build-cli - signed-sbom - upload-terraform-module + - build-terraform-provider outputs: provenance-subjects: ${{ steps.provenance-subjects.outputs.provenance-subjects }} steps: - - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-amd64 - - - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-arm64 - - - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-linux-amd64 - - - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - name: Checkout + id: checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: - name: constellation-linux-arm64 + ref: ${{ inputs.ref || github.head_ref }} - - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-windows-amd64 + - name: Download release binaries + uses: ./.github/actions/download_release_binaries - name: Download CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom - - name: Download Terraform module - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: terraform-module - - name: Generate provenance subjects id: provenance-subjects run: | 
@@ -208,7 +243,12 @@ jobs: constellation-linux-arm64 \ constellation-windows-amd64.exe \ constellation.spdx.sbom \ - terraform-module.zip) + terraform-module.zip \ + terraform-provider-constellation-darwin-amd64 \ + terraform-provider-constellation-darwin-arm64 \ + terraform-provider-constellation-linux-amd64 \ + terraform-provider-constellation-linux-arm64) + # terraform-provider-constellation-windows-amd64.exe) HASHESB64=$(echo "${HASHES}" | base64 -w0) echo "${HASHES}" echo "${HASHESB64}" 
@@ -291,42 +331,22 @@ jobs: - build-cli - provenance - upload-terraform-module + - build-terraform-provider steps: - - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-amd64 - - - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-arm64 - - - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-linux-amd64 - - - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 + - name: Checkout + id: checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: - name: constellation-linux-arm64 + ref: ${{ inputs.ref || github.head_ref }} - - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-windows-amd64 + - name: Download release binaries + uses: ./.github/actions/download_release_binaries - name: Download CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom - - name: Download Terraform module - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: terraform-module - - name: Download provenance uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: 
@@ -354,6 +374,23 @@ jobs: slsa-verifier verify-artifact constellation-windows-amd64.exe \ --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ --source-uri github.com/edgelesssys/constellation + + slsa-verifier verify-artifact terraform-provider-constellation-darwin-amd64 \ + --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ + --source-uri github.com/edgelesssys/constellation + slsa-verifier verify-artifact terraform-provider-constellation-darwin-arm64 \ + --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ + --source-uri github.com/edgelesssys/constellation + slsa-verifier verify-artifact terraform-provider-constellation-linux-amd64 \ + --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ + --source-uri github.com/edgelesssys/constellation + slsa-verifier verify-artifact terraform-provider-constellation-linux-arm64 \ + --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ + --source-uri github.com/edgelesssys/constellation + #slsa-verifier verify-artifact terraform-provider-constellation-windows-amd64.exe \ + # --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ + # --source-uri github.com/edgelesssys/constellation + slsa-verifier verify-artifact constellation.spdx.sbom \ --provenance-path ${{ needs.provenance.outputs.provenance-name }} \ --source-uri github.com/edgelesssys/constellation 
@@ -370,38 +407,23 @@ jobs: - provenance - signed-sbom - upload-terraform-module + - build-terraform-provider steps: + - name: Checkout + id: checkout + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 + with: + ref: ${{ inputs.ref || github.head_ref }} + - name: Write cosign public key run: echo "$COSIGN_PUBLIC_KEY" > cosign.pub env: COSIGN_PUBLIC_KEY: ${{ inputs.key == 'release' && secrets.COSIGN_PUBLIC_KEY || secrets.COSIGN_DEV_PUBLIC_KEY }} - - name: Download CLI binaries darwin-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-amd64 - - - name: Download CLI binaries darwin-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-darwin-arm64 - - - name: Download CLI binaries linux-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-linux-amd64 - - - name: Download CLI binaries linux-arm64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-linux-arm64 - - - name: Download CLI binaries windows-amd64 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: constellation-windows-amd64 + - name: Download binaries + uses: ./.github/actions/download_release_binaries - - name: Download Constellation CLI SBOM + - name: Download CLI SBOM uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: constellation.spdx.sbom 
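Review bot: The new Checkout step pulls `inputs.ref || github.head_ref`, and the following `Download binaries` step runs `./.github/actions/download_release_binaries` from that checkout, so the composite action executed in the job that selects the cosign key and later imports the GPG signing key is resolved from the ref being released rather than from the commit the workflow file itself came from. For a workflow_dispatch/workflow_call pipeline that only collaborators can trigger this is presumably acceptable, but it deserves a comment on the step, e.g. `# Checkout is needed for local actions; they are resolved from the released ref`. Separately, the step is named `Download binaries` here while the same action is called `Download release binaries` in the provenance and verification jobs; pick one name so the run logs line up across jobs.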
@@ -416,22 +438,51 @@ jobs: with: name: ${{ needs.provenance.outputs.provenance-name }} - - name: Download Terraform module - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 - with: - name: terraform-module - - name: Rename provenance file run: | mv ${{ needs.provenance.outputs.provenance-name }} constellation.intoto.jsonl + - name: Create Terraform provider release files + run: | + # Remove the "v" prefix from the version as required by the Terraform registry + version="${{ inputs.versionName }}" + version="${version#v}" + + # Create a zip file with the Terraform provider binaries + for file in terraform-provider-constellation-*; do + # Special case for Windows binaries: They need to keep the .exe extension + ext="${file##*.}" + distribution_arch="${file#terraform-provider-constellation-}" + distribution_arch="${distribution_arch%.exe}" + folder_name="terraform-provider-constellation_${version}_${distribution_arch//-/_}" + + mkdir -p "${folder_name}" + if [[ "${ext}" = "exe" ]]; then + cp "${file}" "${folder_name}/terraform-provider-constellation_${version}.exe" + else + cp "${file}" "${folder_name}/terraform-provider-constellation_${version}" + fi + zip -r "${folder_name}.zip" "${folder_name}" + rm -r "${folder_name}" + done + + # Create a manifest file for the Terraform provider + echo '{"version":1,"metadata":{"protocol_versions":["6.0"]}}' > "terraform-provider-constellation_${version}_manifest.json" + + # Create a SHA256SUMS file of the zip files and manifest, and sign it + shasum -a 256 "terraform-provider-constellation_${version}"* > "terraform-provider-constellation_${version}_SHA256SUMS" + echo "${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}" | gpg --import --batch --yes + gpg -u 3C75E56351F8F3F6 --batch --yes --detach-sign "terraform-provider-constellation_${version}_SHA256SUMS" + - name: Create release with artifacts + id: create-release # GitHub endorsed release project. 
See: https://github.com/actions/create-release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 with: draft: true generate_release_notes: true tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }} + target_commitish: ${{ inputs.ref }} files: | constellation-* cosign.pub @@ -439,3 +490,17 @@ jobs: constellation.spdx.sbom.sig constellation.intoto.jsonl terraform-module.zip + + - name: Create Terraform provider release with artifcats + uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15 + with: + draft: true + generate_release_notes: false + body: | + This release contains the Terraform provider binaries for Constellation ${{ inputs.versionName }}. + Check out [the release page](https://github.com/edgelesssys/constellation/releases/tag/${{ inputs.versionName }}) for more information and a full changelog. + token: ${{ secrets.CI_GITHUB_REPOSITORY }} + repository: edgelesssys/terraform-provider-constellation + tag_name: ${{ inputs.versionName || inputs.ref || github.head_ref }} + files: | + terraform-provider-constellation_* diff --git a/.github/workflows/release-tf-provider.yml b/.github/workflows/release-tf-provider.yml deleted file mode 100644 index 09f66a3c62..0000000000 --- a/.github/workflows/release-tf-provider.yml +++ /dev/null 
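Review bot: `version="${{ inputs.versionName }}"` and `echo "${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}" | gpg --import --batch --yes` splice a workflow input and a secret directly into the script text; GitHub's hardening guidance is to pass such values through `env:` so the script never contains them and the secret cannot leak through shell tracing. The loop, manifest and `shasum` lines can stay as they are (the glob in `shasum -a 256 "terraform-provider-constellation_${version}"*` is expanded before the redirect creates the SHA256SUMS file, so it does not hash itself, though a short comment saying so would help). Note also that the SLSA provenance generated earlier in this workflow covers the raw provider binaries, whereas what is published to the provider repo are the zips, the manifest and the GPG-signed SHA256SUMS; a comment stating that the zips are derived artifacts verified only via the GPG signature would make that trust boundary explicit to the next maintainer.
```yaml
      - name: Create Terraform provider release files
        env:
          VERSION: ${{ inputs.versionName }}
          TERRAFORM_GPG_SIGNING_KEY: ${{ secrets.TERRAFORM_GPG_SIGNING_KEY }}
        run: |
          # Remove the "v" prefix from the version as required by the Terraform registry
          version="${VERSION#v}"
          # … unchanged: zip loop, manifest file, SHA256SUMS …
          printf '%s\n' "${TERRAFORM_GPG_SIGNING_KEY}" | gpg --import --batch --yes
          gpg -u 3C75E56351F8F3F6 --batch --yes --detach-sign "terraform-provider-constellation_${version}_SHA256SUMS"
```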
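Review bot: The step name `Create Terraform provider release with artifcats` has a typo; it should read `artifacts`. The provider-repo release sets `tag_name` but no `target_commitish`, unlike the Constellation release step just above it, so the tag in `edgelesssys/terraform-provider-constellation` will presumably be created on that repository's default branch when the draft is published; if that is intended, a comment on the step saying so would save the next reader the question. The fixed `body:` links to the Constellation release page using `inputs.versionName`, while `tag_name` falls back to `inputs.ref || github.head_ref`, so a run without `versionName` produces a release whose body points at a non-existent tag; consider guarding the step with `if: ${{ inputs.versionName != '' }}`.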
@@ -1,70 +0,0 @@ -name: Build Terraform provider and prepare release - -on: - workflow_dispatch: - inputs: - ref: - type: string - description: "Git ref to checkout" - required: false - workflow_call: - inputs: - ref: - type: string - description: "Git ref to checkout" - required: true - -jobs: - build-tf-provider: - runs-on: ubuntu-22.04 - strategy: - fail-fast: false - matrix: - include: - - arch: amd64 - os: linux - - - arch: amd64 - os: darwin - - - arch: amd64 - os: windows - - - arch: arm64 - os: linux - - - arch: arm64 - os: darwin - steps: - - name: Checkout - id: checkout - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - with: - ref: ${{ inputs.ref || github.head_ref }} - - - name: Setup bazel - uses: ./.github/actions/setup_bazel_nix - with: - useCache: "false" - - - name: Build Terraform Provider Binary - uses: ./.github/actions/build_tf_provider - with: - targetOS: ${{ matrix.os }} - targetArch: ${{ matrix.arch }} - - - name: Upload Terraform Provider Binary as artifact (unix) - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if : ${{ matrix.os != 'windows' }} - with: - name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} - path: | - build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} - - - name: Upload Terraform Provider Binary as artifact (windows) - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 - if : ${{ matrix.os == 'windows' }} - with: - name: terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }} - path: | - build/terraform-provider-constellation-${{ matrix.os }}-${{ matrix.arch }}.exe diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 49f39ce106..bacf65af36 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -253,10 +253,10 @@ jobs: git commit -m "attestation: hardcode measurements for ${VERSION}" git push - draft-release-cli: + draft-release: name: Draft release (CLI) needs: [verify-inputs, update-hardcoded-measurements] - uses: ./.github/workflows/release-cli.yml + uses: ./.github/workflows/draft-release.yml permissions: actions: read contents: write @@ -271,7 +271,7 @@ jobs: e2e-tests: name: Run E2E tests - needs: [verify-inputs, draft-release-cli] + needs: [verify-inputs, draft-release] uses: ./.github/workflows/e2e-test-release.yml permissions: checks: write @@ -285,7 +285,7 @@ jobs: mini-e2e: name: Run mini E2E tests - needs: [verify-inputs, draft-release-cli] + needs: [verify-inputs, draft-release] uses: ./.github/workflows/e2e-mini.yml permissions: checks: write diff --git a/dev-docs/workflows/release.md b/dev-docs/workflows/release.md index d601215952..12d841dc58 100644 --- a/dev-docs/workflows/release.md +++ b/dev-docs/workflows/release.md 
@@ -41,10 +41,10 @@ Releases should be performed using [the automated release pipeline](https://gith ``` 3. wait for the pipeline to finish -4. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: https://github.com/edgelesssys/helm/pull/19/files +4. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: 5. while in editing mode for the release, clear the textbox, select the last patch release for the current release branch and click "Generate release notes". 6. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this. -7. in the GitHub release UI, set the tag to create on publish to `$ver`. +7. in the GitHub release UI, make sure the tag to create on release is set to `$ver`, and the target commit is set to the temporary release branch. 8. publish. ### Minor release 
@@ -72,11 +72,11 @@ Releases should be performed using [the automated release pipeline](https://gith ./constellation status ``` -5. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: https://github.com/edgelesssys/helm/pull/19/files +5. Check the s3proxy PR in the [helm chart repository](https://github.com/edgelesssys/helm/pull/) and approve it if things (esp. the version) look correct. Correct example for reference: 6. while in editing mode for the release, clear the textbox, select the last minor release and click "Generate release notes". 7. look over the autogenerated draft release. When fixing the changelog, prioritize updating the PR title/labels/description and regenerating the changelog over fixing things in the final changelog. The changelog should be primarily aimed at users. Rule of thumb: first part of the sentence should describe what changed for the user, second part can describe what has been changed to achieve this. 8. set the Target to `tmp/${ver}` -9. in the GitHub release UI, set the tag to create on publish to `$ver`. +9. in the GitHub release UI, make sure the tag to create on release is set to `$ver`, and the target commit is set to the temporary release branch. 10. publish. ## Post release steps