Skip to content

github-action: add attestations scope (#252) #38

github-action: add attestations scope (#252)

github-action: add attestations scope (#252) #38

Workflow file for this run

---
name: snapshot
on:
push:
branches:
- "main"
workflow_dispatch:
inputs:
dry_run:
description: If set, run a dry-run snapshot
default: false
type: boolean
permissions:
contents: read
jobs:
validate:
runs-on: ubuntu-latest
outputs:
is-snapshot: ${{ steps.validate.outputs.is-snapshot }}
steps:
- uses: actions/checkout@v4
- name: Validate version is a snapshot version
id: validate
run: |
output=false
if [[ "$(./mvnw -q help:evaluate -Dexpression=project.version -DforceStdout)" =~ "-SNAPSHOT" ]]; then
echo "This is a snapshot version"
output=true
fi
echo "is-snapshot=$output" >> "$GITHUB_OUTPUT"
deploy:
name: Deploy
runs-on: ubuntu-latest
needs: validate
if: ${{ contains(needs.validate.outputs.is-snapshot, 'true') }}
permissions:
attestations: write
contents: write
id-token: write
env:
TARBALL_FILE: artifacts.tar
steps:
- id: buildkite
name: Run Deploy
uses: elastic/apm-pipeline-library/.github/actions/buildkite@current
with:
vaultUrl: ${{ secrets.VAULT_ADDR }}
vaultRoleId: ${{ secrets.VAULT_ROLE_ID }}
vaultSecretId: ${{ secrets.VAULT_SECRET_ID }}
pipeline: ecs-logging-java-snapshot
artifactName: snapshots
artifactPath: ${{ env.TARBALL_FILE }}
waitFor: true
printBuildLogs: false
buildEnvVars: |
dry_run=${{ inputs.dry_run || 'false' }}
TARBALL_FILE=${{ env.TARBALL_FILE }}
- uses: actions/download-artifact@v3
with:
name: snapshots
- name: untar the buildkite tarball
run: tar xvf ${{ env.TARBALL_FILE }}
- name: generate build provenance
uses: github-early-access/generate-build-provenance@main
with:
subject-path: "${{ github.workspace }}/**/target/*.jar"
- if: ${{ failure() }}
uses: elastic/apm-pipeline-library/.github/actions/slack-message@current
with:
url: ${{ secrets.VAULT_ADDR }}
roleId: ${{ secrets.VAULT_ROLE_ID }}
secretId: ${{ secrets.VAULT_SECRET_ID }}
channel: "#apm-agent-java"
message: |
:ghost: [${{ github.repository }}] Snapshot *${{ github.ref_name }}* didn't get triggered in Buildkite.
Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)