Skip to content
release

attestation for the zip file #70

Sign in to view logs

attestation for the zip file

attestation for the zip file #70

Workflow file for this run

.github/workflows/release.yml at 6dbf25c
name: release
on:
push:
tags:
- "v*.*.*"
branches:
- main
- feature/sbom
permissions:
contents: read
jobs:
test:
uses: ./.github/workflows/test-release.yml
with:
full-matrix: true
enabled: ${{ startsWith(github.ref, 'refs/tags') }}
packages:
permissions:
id-token: write
contents: write
runs-on: ubuntu-latest
# Override the version if there is no tag release.
env:
ELASTIC_CI_POST_VERSION: ${{ startsWith(github.ref, 'refs/tags') && '' || github.run_id }}
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Build packages
run: ./dev-utils/make-packages.sh
- name: Upload Packages
uses: actions/upload-artifact@v4
with:
name: packages
path: |
dist/*.whl
dist/*tar.gz
- name: generate build provenance
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/dist/*"
publish-pypi:
needs:
- test
- packages
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: packages
path: dist
- name: Upload pypi.org
if: startsWith(github.ref, 'refs/tags')
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450
with:
repository-url: https://upload.pypi.org/legacy/
- name: Upload test.pypi.org
if: ${{ ! startsWith(github.ref, 'refs/tags') }}
uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450
with:
repository-url: https://test.pypi.org/legacy/
build-distribution:
permissions:
id-token: write
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Build lambda layer zip
run: ./dev-utils/make-distribution.sh
- uses: actions/upload-artifact@v4
with:
name: build-distribution
path: ./build/
if-no-files-found: error
- name: generate build provenance
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip"
publish-lambda-layers:
needs:
- build-distribution
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: hashicorp/vault-action@v3.0.0
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
secret/observability-team/ci/service-account/apm-agent-python access_key_id | AWS_ACCESS_KEY_ID ;
secret/observability-team/ci/service-account/apm-agent-python secret_access_key | AWS_SECRET_ACCESS_KEY
- uses: actions/download-artifact@v3
with:
name: build-distribution
path: ./build
- name: Publish lambda layers to AWS
if: startsWith(github.ref, 'refs/tags')
run: |
# Convert v1.2.3 to ver-1-2-3
VERSION=${GITHUB_REF_NAME/v/ver-}
VERSION=${VERSION//./-}
ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh
- uses: actions/upload-artifact@v4
if: startsWith(github.ref, 'refs/tags')
with:
name: arn-file
path: ".arn-file.md"
if-no-files-found: error
publish-docker:
needs:
- build-distribution
runs-on: ubuntu-latest
env:
DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
steps:
- uses: actions/checkout@v4
- uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
with:
registry: docker.elastic.co
secret: secret/observability-team/ci/docker-registry/prod
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
- uses: actions/download-artifact@v4
with:
name: build-distribution
path: ./build
- id: setup-docker
name: Set up docker variables
run: |-
if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
# for testing purposes
echo "tag=test" >> "${GITHUB_OUTPUT}"
echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
else
# version without v prefix (e.g. 1.2.3)
echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
echo "latest=latest" >> "${GITHUB_OUTPUT}"
fi
- name: Build and push image
id: push
uses: docker/build-push-action@v5.3.0
with:
context: .
push: true
tags: |
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.latest }}
build-args: |
AGENT_DIR=./build/dist/package/python
- name: Attest image
uses: github-early-access/generate-build-provenance@main
with:
subject-name: "${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}"
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: false
github-draft:
permissions:
contents: write
needs:
- publish-lambda-layers
if: startsWith(github.ref, 'refs/tags')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: arn-file
- name: Create GitHub Draft Release
run: >-
gh release create "${GITHUB_REF_NAME}"
--title="${GITHUB_REF_NAME}"
--generate-notes
--notes-file=".arn-file.md"
--draft
env:
GH_TOKEN: ${{ github.token }}
notify:
runs-on: ubuntu-latest
if: always()
needs:
- publish-lambda-layers
- publish-pypi
- publish-docker
- github-draft
steps:
- id: check
uses: elastic/apm-pipeline-library/.github/actions/check-dependent-jobs@current
with:
needs: ${{ toJSON(needs) }}
- uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
if: startsWith(github.ref, 'refs/tags')
with:
status: ${{ steps.check.outputs.status }}
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
slackChannel: "#apm-agent-python"