From 57da2055a3f57d48a644abdb1e1136a7c798990d Mon Sep 17 00:00:00 2001
From: Markus Rudy
Date: Wed, 14 Feb 2024 11:44:53 +0100
Subject: [PATCH] ci: publish release-quality artifacts

This commit makes Nunki releases self-contained, in the sense that users only need the published artifacts in order to get a working coordinator, by making the following changes to the release process.

* Update the embeddable coordinator policy hash on the release branch.
* Publish the release variant of the CLI, including the embedded policy hash.
* Include a coordinator deployment definition in the release that is compatible to the embedded coordinator hash.

This does not address the users' need for initializers and service mesh sidecars yet.
---
 .github/workflows/release.yml | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 23d1279306..676899802d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -170,9 +170,23 @@ jobs:
 run: |
 nix run .#push-coordinator -- "$container_registry/nunki/coordinator"
 nix run .#push-initializer -- "$container_registry/nunki/initializer"
+ - name: Create portable coordinator resource definitions
+ run: |
+ mkdir -p workspace
+ nix run .#write-coordinator-yaml -- "${container_registry}/nunki/coordinator" > workspace/coordinator.yaml
+ - name: Update coordinator policy hash
+ run: |
+ yq < workspace/coordinator.yaml \
+ 'select(.kind == "Deployment") | .spec.template.metadata.annotations["io.katacontainers.config.agent.policy"]' |
+ base64 -d | sha256sum | cut -d " " -f1 > cli/assets/coordinator-policy-hash
+
+ git config --global user.name "edgelessci"
+ git config --global user.email "edgelessci@users.noreply.github.com"
+ git add cli/assets/coordinator-policy-hash
+ git diff --staged --quiet || git commit -m "release: update coordinator policy hash"
 - name: Build CLI
 run: |
- nix build .#cli
+ nix build .#cli-release
 - name: Create draft release
 uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
 with:
@@ -181,7 +195,8 @@ jobs:
 tag_name: ${{ inputs.version }}
 target_commitish: ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
 files: |
- result-cli/bin/nunki
+ result/bin/nunki
+ workspace/coordinator.yaml
 - name: Reset temporary changes
 run: |
 git reset --hard ${{ needs.process-inputs.outputs.WORKING_BRANCH }}
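Review bot: The pipeline in the `Update coordinator policy hash` step can succeed while writing a meaningless digest, because without pipefail only the exit status of `cut` decides the result; GitHub enables pipefail only when `shell: bash` is set explicitly, which may or may not happen outside this hunk. If `yq` selects nothing or the annotation is absent, `sha256sum` still hashes whatever `base64 -d` emitted (possibly empty input), and that value is committed and embedded in the release CLI as the expected coordinator policy. I would open the script with `set -euo pipefail`, pass `-e` to `yq` so a null result is an error, and verify that `cli/assets/coordinator-policy-hash` holds a 64-character hex digest before `git add`. A short comment above the pipeline saying that the file is the trust anchor the CLI uses to verify the coordinator would also help the next maintainer.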
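Review bot: The `files:` list now depends on the default out-link `result/bin/nunki`, and softprops/action-gh-release only logs a warning when a listed path matches nothing, so a wrong path would yield a draft release that silently lacks the CLI or `workspace/coordinator.yaml`. Unless it is already set in the `with:` lines that fall between the two hunks, I would add `fail_on_unmatched_files: true` so a missing artifact fails the job. Since the CLI and the deployment file are only trustworthy as a matching pair, failing closed here is preferable to publishing one without the other.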