Skip to content

build(deps): bump actions/attest-build-provenance (#2173) #203

build(deps): bump actions/attest-build-provenance (#2173)

build(deps): bump actions/attest-build-provenance (#2173) #203

Workflow file for this run

name: release
on:
push:
tags:
- "v*.*.*"
branches:
- main
permissions:
contents: read
jobs:
test:
uses: ./.github/workflows/test-release.yml
with:
full-matrix: true
enabled: ${{ startsWith(github.ref, 'refs/tags') }}
packages:
permissions:
attestations: write
id-token: write
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/packages
- name: generate build provenance
uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
with:
subject-path: "${{ github.workspace }}/dist/*"
publish-pypi:
needs:
- test
- packages
runs-on: ubuntu-latest
environment: release
permissions:
id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: packages
path: dist
- name: Upload pypi.org
if: startsWith(github.ref, 'refs/tags')
uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
with:
repository-url: https://upload.pypi.org/legacy/
- name: Upload test.pypi.org
if: ${{ ! startsWith(github.ref, 'refs/tags') }}
uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
with:
repository-url: https://test.pypi.org/legacy/
build-distribution:
permissions:
attestations: write
id-token: write
contents: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ./.github/actions/build-distribution
- name: generate build provenance
uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
with:
subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip"
publish-lambda-layers:
permissions:
contents: read
id-token: write
needs:
- build-distribution
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: build-distribution
path: ./build
- uses: elastic/oblt-actions/aws/auth@v1
with:
aws-account-id: "267093732750"
- name: Publish lambda layers to AWS
if: startsWith(github.ref, 'refs/tags')
run: |
# Convert v1.2.3 to ver-1-2-3
VERSION=${GITHUB_REF_NAME/v/ver-}
VERSION=${VERSION//./-}
ELASTIC_LAYER_NAME="elastic-apm-python-${VERSION}" .ci/publish-aws.sh
- uses: actions/upload-artifact@v4
if: startsWith(github.ref, 'refs/tags')
with:
name: arn-file
path: ".arn-file.md"
if-no-files-found: error
publish-docker:
needs:
- build-distribution
runs-on: ubuntu-latest
permissions:
attestations: write
id-token: write
contents: write
strategy:
fail-fast: false
matrix:
dockerfile: [ 'Dockerfile', 'Dockerfile.wolfi' ]
env:
DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
steps:
- uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Log in to the Elastic Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ${{ secrets.ELASTIC_DOCKER_REGISTRY }}
username: ${{ secrets.ELASTIC_DOCKER_USERNAME }}
password: ${{ secrets.ELASTIC_DOCKER_PASSWORD }}
- uses: actions/download-artifact@v4
with:
name: build-distribution
path: ./build
- name: Extract metadata (tags, labels)
id: docker-meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: ${{ env.DOCKER_IMAGE_NAME }}
tags: |
type=raw,value=latest,prefix=test-,enable={{is_default_branch}}
type=semver,pattern={{version}}
flavor: |
suffix=${{ contains(matrix.dockerfile, 'wolfi') && '-wolfi' || '' }}
- name: Build and push image
id: docker-push
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
context: .
platforms: linux/amd64,linux/arm64
push: true
file: ${{ matrix.dockerfile }}
tags: ${{ steps.docker-meta.outputs.tags }}
labels: ${{ steps.docker-meta.outputs.labels }}
build-args: |
AGENT_DIR=./build/dist/package/python
- name: generate build provenance (containers)
uses: actions/attest-build-provenance@c4fbc648846ca6f503a13a2281a5e7b98aa57202 # v2.0.1
with:
subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
subject-digest: ${{ steps.docker-push.outputs.digest }}
push-to-registry: true
github-draft:
permissions:
contents: write
needs:
- publish-lambda-layers
if: startsWith(github.ref, 'refs/tags')
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: arn-file
- name: Create GitHub Draft Release
run: >-
gh release create "${GITHUB_REF_NAME}"
--title="${GITHUB_REF_NAME}"
--generate-notes
--notes-file=".arn-file.md"
--draft
env:
GH_TOKEN: ${{ github.token }}
notify:
runs-on: ubuntu-latest
if: always()
needs:
- publish-lambda-layers
- publish-pypi
- publish-docker
- github-draft
steps:
- id: check
uses: elastic/oblt-actions/check-dependent-jobs@v1
with:
jobs: ${{ toJSON(needs) }}
- if: startsWith(github.ref, 'refs/tags')
uses: elastic/oblt-actions/slack/notify-result@v1
with:
bot-token: ${{ secrets.SLACK_BOT_TOKEN }}
channel-id: "#apm-agent-python"
status: ${{ steps.check.outputs.status }}