diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b21d1cb..ae88a49 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,110 +2,29 @@ on: push: branches: - main - - master tags: - 'v*' -name: Publish Wasm module +name: Release policy jobs: + test: - name: Test Suite - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - override: true - - uses: actions-rs/cargo@v1 - with: - command: test + name: run tests and linters + uses: kubewarden/github-actions/.github/workflows/reusable-test-policy-rust.yml@v1 - build: - name: Build and publish policy - runs-on: ubuntu-latest + release: needs: test - env: - WASM_BINARY_NAME: readonly_root_filesystem_psp_policy - OCI_TARGET: ghcr.io/kubewarden/policies/readonly-root-filesystem-psp - METADATA_FILE: metadata.yml - KWCTL_VERSION: v0.1.9 - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: Prepare Rust environment - uses: actions-rs/toolchain@v1 - with: - profile: minimal - toolchain: stable - target: wasm32-unknown-unknown - - - name: Download kwctl - run: | - curl -L https://github.com/kubewarden/kwctl/releases/download/${{env.KWCTL_VERSION}}/kwctl-linux-amd64.zip -o kwctl.zip - unzip kwctl.zip - chmod 755 kwctl - - - name: Build Wasm module - uses: actions-rs/cargo@v1 - with: - command: build - args: --target=wasm32-unknown-unknown --release - - - name: Annotate Wasm module - run: | - ./kwctl annotate -m ${{ env.METADATA_FILE }} -o policy-annotated.wasm target/wasm32-unknown-unknown/release/${WASM_BINARY_NAME}.wasm + permissions: + # Required to push to GHCR + contents: write + packages: write + # Required by cosign keyless signing + id-token: write - - - name: Login to GitHub Container Registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Publish Wasm policy artifact to OCI registry with the 'latest' tag - if: ${{ startsWith(github.ref, 'refs/heads/') }} - run: | - ./kwctl push policy-annotated.wasm ${{ env.OCI_TARGET }}:latest - - - name: Publish Wasm policy artifact to OCI registry with the version tag and 'latest' - if: ${{ startsWith(github.ref, 'refs/tags/') }} - run: | - export OCI_TAG=$(echo $GITHUB_REF | sed -e "s|refs/tags/||") - ./kwctl push policy-annotated.wasm ${{ env.OCI_TARGET }}:${OCI_TAG} - - - name: Create Release - if: ${{ startsWith(github.ref, 'refs/tags/') }} - id: create_release - uses: actions/create-release@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - tag_name: ${{ github.ref }} - release_name: Release ${{ github.ref }} - draft: false - prerelease: false - - - name: Upload Release Asset - if: ${{ startsWith(github.ref, 'refs/tags/') }} - id: upload-release-asset - uses: actions/upload-release-asset@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - upload_url: ${{ steps.create_release.outputs.upload_url }} - asset_path: policy-annotated.wasm - asset_name: policy.wasm - asset_content_type: application/wasm - - - name: Notify policy-hub - if: ${{ startsWith(github.ref, 'refs/tags/') }} - uses: kubewarden/notify-policy-hub@main - with: - USERNAME: chimera-kube-bot - PAT: ${{ secrets.WORKFLOW_PAT }} + uses: kubewarden/github-actions/.github/workflows/reusable-release-policy-rust.yml@v1 + with: + input-wasm: readonly_root_filesystem_psp_policy + oci-target: ghcr.io/${{ github.repository_owner }}/policies/readonly-root-filesystem-psp + secrets: + workflow-pat: ${{ secrets.WORKFLOW_PAT }}