release.yml

name: policy-server release
on:
  push:
    tags:
      - "v*"

# Declare default permissions as read only.
permissions: read-all

jobs:
  ci:
    uses: ./.github/workflows/ci.yml
    permissions: read-all

  build:
    name: Build container image
    permissions:
      packages: write
      id-token: write
    runs-on: ubuntu-latest
    outputs:
      repository: ${{ steps.setoutput.outputs.repository }}
      tag: ${{ steps.setoutput.outputs.tag }}
      artifact: ${{ steps.setoutput.outputs.artifact }}
      digest: ${{ steps.setoutput.outputs.digest }}
    steps:
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Install cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Retrieve tag name (tag)
        run: |
          echo TAG_NAME=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") >> $GITHUB_ENV

      - name: Push and push container image
        id: build-image
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64, linux/arm64
          push: true
          sbom: true
          provenance: mode=max
          tags: |
            ghcr.io/${{github.repository_owner}}/policy-server:${{ env.TAG_NAME }}

      - name: Sign container image
        run: |
          cosign sign --yes ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}
            
          cosign verify \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \
            ghcr.io/${{github.repository_owner}}/policy-server@${{ steps.build-image.outputs.digest }}

      - id: setoutput
        name: Set output parameters
        run: |
          echo "digest=${{ steps.build-image.outputs.digest }}" >> $GITHUB_OUTPUT

  sbom:
    name: Fetch, sign and verify SBOM and provenance files
    strategy:
      matrix:
        arch: [amd64, arm64]
    permissions:
      packages: write
      id-token: write
    needs:
      - build

    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Install the crane command
        uses: kubewarden/github-actions/crane-installer@23f81f83e6392c869faacd8bfe86a8053d213d99 # v3.4.2

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Verify container image signature
        run: |
          cosign verify \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \
            ghcr.io/${{ github.repository_owner }}/policy-server@${{ needs.build.outputs.digest }}

      - name: Find platform digest
        shell: bash
        run: |
          set -e
          DIGEST=$(crane digest \
            --platform "linux/${{ matrix.arch }}" \
            ghcr.io/${{ github.repository_owner }}/policy-server@${{ needs.build.outputs.digest }})
          echo "PLATFORM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Find attestation digest
        run: |
          set -e
          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ needs.build.outputs.digest }} \
            | jq '.manifests[] | select(.annotations["vnd.docker.reference.type"]=="attestation-manifest") | select(.annotations["vnd.docker.reference.digest"]=="${{ env.PLATFORM_DIGEST }}") | .digest'
          )
          echo "ATTESTATION_MANIFEST_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Find provenance manifest digest
        run: |
          set -e
          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} | \
            jq '.layers[] | select(.annotations["in-toto.io/predicate-type"] == "https://slsa.dev/provenance/v0.2") | .digest')
          echo "PROVENANCE_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Find SBOM manifest layers digest
        run: |
          set -e
          DIGEST=$(crane manifest ghcr.io/${{github.repository_owner}}/policy-server@${{ env.ATTESTATION_MANIFEST_DIGEST}} |  \
            jq '.layers | map(select(.annotations["in-toto.io/predicate-type"] == "https://spdx.dev/Document")) | map(.digest) | join(" ")')
          echo "SBOM_DIGEST=${DIGEST}" >> "$GITHUB_ENV"

      - name: Download provenance and SBOM files
        run: |
          set -e
          crane blob ghcr.io/${{github.repository_owner}}/policy-server@${{ env.PROVENANCE_DIGEST}} > policy-server-attestation-${{ matrix.arch }}-provenance.json
          sha256sum policy-server-attestation-${{ matrix.arch }}-provenance.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt


          for sbom_digest in "${{ env.SBOM_DIGEST }}"; do
            crane blob ghcr.io/${{github.repository_owner}}/policy-server@$sbom_digest > policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json
            sha256sum policy-server-attestation-${{ matrix.arch }}-sbom-${sbom_digest#"sha256:"}.json >> policy-server-attestation-${{ matrix.arch }}-checksum.txt
          done
            
      - name: Sign checksum file
        run: |
          cosign sign-blob --yes \
            --bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
            policy-server-attestation-${{ matrix.arch }}-checksum.txt
            
          cosign verify-blob \
            --bundle policy-server-attestation-${{ matrix.arch }}-checksum-cosign.bundle \
            --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
            --certificate-identity="https://github.com/${{github.repository_owner}}/policy-server/.github/workflows/release.yml@${{ github.ref }}" \
            policy-server-attestation-${{ matrix.arch }}-checksum.txt

      - name: Upload SBOMs as artifacts
        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
        with:
          name: attestation-${{ matrix.arch }}
          path: policy-server-attestation-${{ matrix.arch }}*

  release:
    name: Create release
    needs:
      - ci
      - build
      - sbom
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - name: Retrieve tag name
        if: ${{ startsWith(github.ref, 'refs/tags/') }}
        run: |
          echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV

      - name: Get latest release tag
        id: get_last_release_tag
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let release = await github.rest.repos.getLatestRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
            });

            if (release.status  === 200 ) {
              core.setOutput('old_release_tag', release.data.tag_name)
              return
            }
            core.setFailed("Cannot find latest release")

      - name: Get release ID from the release created by release drafter
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let releases = await github.rest.repos.listReleases({
               owner: context.repo.owner,
               repo: context.repo.repo,
            });
            for (const release of releases.data) {
              if (release.draft) {
                      core.info(release)
                      core.exportVariable('RELEASE_ID', release.id)
                      return
              }
            }
            core.setFailed(`Draft release not found`)

      - name: Checkout code for kubewarden-dashboard.json
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Download attestation artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
        with:
          pattern: attestation-*
          path: ./
          merge-multiple: true

      - name: Display structure of downloaded files
        run: ls -R

      - name: Create tarball for the attestation files
        run: |
          for arch in "amd64" "arm64"; do
            tar -czf attestation-$arch.tar.gz $(ls policy-server-attestation-$arch-*)
          done

      - name: Upload release assets
        id: upload_release_assets
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            let fs = require('fs');
            let path = require('path');

            let files = [
              'attestation-amd64.tar.gz',
              'attestation-arm64.tar.gz',
              'kubewarden-dashboard.json']
            const {RELEASE_ID} = process.env

            for (const file of files) {
              let file_data = fs.readFileSync(file);

              let response = await github.rest.repos.uploadReleaseAsset({
                owner: context.repo.owner,
                repo: context.repo.repo,
                release_id: `${RELEASE_ID}`,
                name: path.basename(file),
                data: file_data,
              });
            }

      - name: Publish release
        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
        with:
          script: |
            const {RELEASE_ID} = process.env
            const {TAG_NAME} = process.env
            isPreRelease = ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }}
            github.rest.repos.updateRelease({
              owner: context.repo.owner,
              repo: context.repo.repo,
              release_id: `${RELEASE_ID}`,
              draft: false,
              tag_name: `${TAG_NAME}`,
              name: `${TAG_NAME}`,
              prerelease: isPreRelease,
              make_latest: !isPreRelease
            });

      - name: Trigger chart update
        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
        with:
          token: ${{ secrets.WORKFLOW_PAT }}
          repository: "${{github.repository_owner}}/helm-charts"
          event-type: update-chart
          client-payload: '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}"}'