-
Notifications
You must be signed in to change notification settings - Fork 225
126 lines (109 loc) · 4.22 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
name: release
on:
push:
tags:
- v*.*.*
branches:
- main
permissions:
attestations: write
contents: write
id-token: write
pull-requests: read
jobs:
release:
runs-on: ubuntu-latest
env:
DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-nodejs
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-node@v4
with:
node-version: 'v16.20.2'
- uses: elastic/apm-pipeline-library/.github/actions/docker-login@current
with:
registry: docker.elastic.co
secret: secret/observability-team/ci/docker-registry/prod
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
- run: make -C .ci env
- run: make -C .ci dist
- name: Attest Lambda layer zip
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/build/aws/elastic-apm-node-lambda-layer-*.zip"
- id: docker-vars
name: Set up docker variables
run: |-
if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
# for testing purposes
echo "tag=test" >> "${GITHUB_OUTPUT}"
echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
else
# version without v prefix (e.g. 1.2.3)
echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
echo "latest=latest" >> "${GITHUB_OUTPUT}"
fi
- name: Build and Push Docker Image
id: docker-push
uses: docker/[email protected]
with:
context: .
push: true
tags: |
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.tag }}
${{ env.DOCKER_IMAGE_NAME }}:${{ steps.docker-vars.outputs.latest }}
build-args: |
AGENT_DIR=/build/dist/nodejs
- name: Attest Docker image
uses: github-early-access/generate-build-provenance@main
with:
subject-name: "${{ env.DOCKER_IMAGE_NAME }}"
subject-digest: ${{ steps.docker-push.outputs.digest }}
push-to-registry: true
- name: Read AWS vault secrets
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
secret/observability-team/ci/service-account/apm-aws-lambda access_key_id | AWS_ACCESS_KEY_ID ;
secret/observability-team/ci/service-account/apm-aws-lambda secret_access_key | AWS_SECRET_ACCESS_KEY
- name: Publish AWS lambda (only for tag release)
if: startsWith(github.ref, 'refs/tags')
run: make -C .ci publish-in-all-aws-regions create-arn-file
env:
GH_TOKEN: ${{ github.token }}
- name: create github release (only for tag release)
run: make -C .ci github-release
if: startsWith(github.ref, 'refs/tags')
env:
GH_TOKEN: ${{ github.token }}
- name: Read NPM vault secrets
uses: hashicorp/[email protected]
with:
url: ${{ secrets.VAULT_ADDR }}
method: approle
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
secrets: |
secret/jenkins-ci/npmjs/elasticmachine token | NPMJS_TOKEN ;
totp/code/npmjs-elasticmachine code | TOTP_CODE
- name: npm publish (only for tag release)
if: startsWith(github.ref, 'refs/tags')
run: |-
echo "//registry.npmjs.org/:_authToken=${{ env.NPMJS_TOKEN }}" > .npmrc
npm publish --otp=${{ env.TOTP_CODE }} --provenance
- if: ${{ always() && startsWith(github.ref, 'refs/tags') }}
uses: elastic/apm-pipeline-library/.github/actions/notify-build-status@current
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
slackChannel: "#apm-agent-node"
message: '[${{ github.repository }}] Release *${{ github.ref_name }}*'