Merge pull request #1521 from medizininformatik-initiative/renovate/g… #4874
| name: Build | |
| on: | |
| push: | |
| tags: [ "v*.*.*" ] | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "**" ] | |
| merge_group: | |
| schedule: | |
| - cron: '45 1 * * *' | |
| # Declare default permissions as read-only. | |
| permissions: read-all | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.ref || github.run_id }} | |
| cancel-in-progress: true | |
| env: | |
| BUILD_ID: build-${{ github.run_id }} | |
| REGISTRY: ghcr.io/${{ github.repository_owner }}/fts | |
| jobs: | |
| test: | |
| env: | |
| MAVEN_ARGS: -B -U -T1C -Dfts.retryTimeout=false --also-make --projects ${{ matrix.agent }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in `settings.xml` generated by actions/setup-java | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| cache-dependency-path: | | |
| pom.xml | |
| {api,util,test-util}/pom.xml | |
| ${{ matrix.agent }}/pom.xml | |
| - name: Setup Keycloak | |
| working-directory: .github/test | |
| run: docker compose -f oauth2/compose.yaml up --build --wait | |
| - name: Run Tests | |
| run: | | |
| # shellcheck disable=SC2086 | |
| mvn ${MAVEN_ARGS} verify | |
| - name: Generate Code Coverage Report | |
| run: | | |
| # shellcheck disable=SC2086 | |
| mvn ${MAVEN_ARGS} jacoco:report-aggregate@report | |
| - name: Upload Coverage to Codecov | |
| uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| fail_ci_if_error: true | |
| build-jar: | |
| env: | |
| MAVEN_ARGS: -B -U -T1C -Dfts.retryTimeout=false --also-make --projects ${{ matrix.agent }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in `settings.xml` generated by actions/setup-java | |
| COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }} | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| cache-dependency-path: | | |
| pom.xml | |
| {api,util}/pom.xml | |
| ${{ matrix.agent }}/pom.xml | |
| - name: Build Agent | |
| run: | | |
| # shellcheck disable=SC2086 | |
| mvn ${MAVEN_ARGS} -DskipTests package ${COMMIT_TAG:+-Drevision=${COMMIT_TAG#v}} \ | |
| -Dproject.build.outputTimestamp="$(git log -1 --date="iso-strict-local" --format="%cd")" | |
| - name: Upload Jar | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: ${{ matrix.agent }}-jar | |
| path: ${{ matrix.agent }}/target/${{ matrix.agent }}.jar | |
| if-no-files-found: error | |
| retention-days: 7 | |
| - name: Upload Maven SBOM | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: ${{ matrix.agent }}-sbom-mvn | |
| path: ${{ matrix.agent }}/target/sbom-mvn.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| build-image: | |
| needs: [ build-jar ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| permissions: | |
| packages: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Download Jar | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: ${{ matrix.agent }}-jar | |
| path: ${{ matrix.agent }}/target | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 | |
| - name: Login to GHCR | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Collect Info | |
| id: info | |
| run: | | |
| date="$(git log -1 --date="iso-strict-local" --format="%cd")" | |
| echo "commit_date=${date}" >>"${GITHUB_OUTPUT}" | |
| title="$(echo "${{ matrix.agent }}" | tr '-' ' ' | sed -E 's/(^| )([a-z])/\1\u\2/g')" | |
| echo "agent_name=${title}" >>"${GITHUB_OUTPUT}" | |
| abbr="$(echo "${title}" | tr -cd '[:upper:]')" | |
| echo "agent_abbr=${abbr}" >>"${GITHUB_OUTPUT}" | |
| - name: Generate Container Image Metadata | |
| id: meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ matrix.agent }} | |
| labels: | | |
| org.opencontainers.image.description=SMITH FHIR Transfer Services ${{ steps.info.outputs.agent_name }} | |
| org.opencontainers.image.title=FTSnext ${{ steps.info.outputs.agent_abbr }} | |
| org.opencontainers.image.created=${{ steps.info.outputs.commit_date }} | |
| annotations: | | |
| org.opencontainers.image.description=SMITH FHIR Transfer Services ${{ steps.info.outputs.agent_name }} | |
| org.opencontainers.image.title=FTSnext ${{ steps.info.outputs.agent_abbr }} | |
| org.opencontainers.image.created=${{ steps.info.outputs.commit_date }} | |
| - name: Build and Push Container Image | |
| id: push | |
| uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 | |
| with: | |
| context: ${{ matrix.agent }} | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ env.REGISTRY }}/${{ matrix.agent }}:${{ env.BUILD_ID }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| annotations: ${{ steps.meta.outputs.annotations }} | |
| - name: Output Image Digest | |
| id: digest | |
| run: echo "${{ matrix.agent }}-digest=${{ steps.push.outputs.digest }}" >>"${GITHUB_OUTPUT}" | |
| outputs: | |
| clinical-domain-agent-digest: ${{ steps.digest.outputs.clinical-domain-agent-digest }} | |
| trust-center-agent-digest: ${{ steps.digest.outputs.trust-center-agent-digest }} | |
| research-domain-agent-digest: ${{ steps.digest.outputs.research-domain-agent-digest }} | |
| scan-image: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Run Trivy Vulnerability Scanner | |
| uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ matrix.agent }}:${{ env.BUILD_ID }} | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: 'CRITICAL,HIGH' | |
| timeout: '15m0s' | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Generate SBOM | |
| uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # 0.31.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ matrix.agent }}:${{ env.BUILD_ID }} | |
| format: cyclonedx | |
| output: sbom-trivy.json | |
| scan-type: image | |
| - name: Upload Trivy SBOM | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: ${{ matrix.agent }}-sbom-trivy | |
| path: sbom-trivy.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| agent-e2e-tests: | |
| needs: [ build-image ] | |
| env: | |
| MAVEN_ARGS: -B -U -T1C -Dfts.retryTimeout=false -Pe2e --also-make --projects ${{ matrix.agent }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Used in `settings.xml` generated by actions/setup-java | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Set up JDK 21 | |
| uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0 | |
| with: | |
| distribution: 'temurin' | |
| java-version: 21 | |
| cache: 'maven' | |
| cache-dependency-path: | | |
| pom.xml | |
| {api,util,test-util}/pom.xml | |
| ${{ matrix.agent }}/pom.xml | |
| - name: Run Agent e2e Tests | |
| run: | | |
| # shellcheck disable=SC2086 | |
| mvn ${MAVEN_ARGS} verify | |
| e2e-tests: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: .github/test | |
| env: | |
| TEST_SET_SIZE: 100 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Pull Container Images | |
| run: make pull | |
| - name: Configure PATH | |
| run: echo "${GITHUB_WORKSPACE}/.github/scripts" >>"${GITHUB_PATH}" | |
| - name: Install Blazectl | |
| env: | |
| # renovate: datasource=github-release-attachments depName=samply/blazectl | |
| BLAZECTL_VERSION: v1.3.1 | |
| BLAZECTL_CHECKSUM: df1f0cc9bb7d2c249e77e560fbab8b0c7a24dae5ec503b6e8cc08362d9976c90 | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: install-blazectl.sh | |
| - name: Prepare Auth Failing Tests | |
| uses: mikefarah/yq@5a7e72a743649b1b3a47d1a1d8214f3453173c51 # v4.52.4 | |
| with: | |
| cmd: >- | |
| cd .github/test/cd-agent/projects && | |
| yq '.cohortSelector.trustCenterAgent.server.auth.basic.password = "wrong-password"' gics-consent-example.yaml >basic-fail.yaml && | |
| yq 'del(.bundleSender.researchDomainAgent.server.auth)' gics-consent-example.yaml >oauth2-fail.yaml | |
| - name: Start Test Environment | |
| run: make generate-certs start | |
| - name: Download Test Data Checksums | |
| run: | | |
| make download-test-data-checksums | |
| - name: Cache Test Data | |
| id: cache-test-data | |
| uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3 | |
| with: | |
| path: .github/test/test-data | |
| key: test-data:${{ env.TEST_SET_SIZE }}@${{ hashFiles('.github/test/test-data/**/checksums.*') }} | |
| - name: Check Test Data | |
| id: check-test-data | |
| continue-on-error: true | |
| run: make check-test-data | |
| - name: Download Test Data | |
| if: steps.cache-test-data.outputs.cache-hit != 'true' | |
| || steps.check-test-data.outcome != 'success' | |
| run: make download-test-data | |
| - name: Upload Test Data | |
| run: make upload-test-data | |
| - name: Check Consent | |
| run: make check-consent | |
| - name: Run e2e with failing Basic Auth | |
| run: | | |
| LAST_UPDATED=$(date -u +%Y-%m-%dT%H:%M:%S.%3NZ) | |
| make transfer-all PROJECT=basic-fail | |
| make wait | |
| make check-status RESULTS_FILE=basic-fail.json | |
| check-resources.sh basic-fail.json "${LAST_UPDATED}" | |
| - name: Run e2e with failing OAuth2 Auth | |
| run: | | |
| LAST_UPDATED=$(date -u +%Y-%m-%dT%H:%M:%S.%3NZ) | |
| make transfer-all PROJECT=oauth2-fail | |
| make wait | |
| make check-status RESULTS_FILE=oauth2-fail.json | |
| check-resources.sh oauth2-fail.json "${LAST_UPDATED}" | |
| - name: Run e2e for all Consented Patients with gICS Consent | |
| run: | | |
| LAST_UPDATED=$(date -u +%Y-%m-%dT%H:%M:%S.%3NZ) | |
| make transfer-all PROJECT=gics-consent-example | |
| make wait | |
| make check-status RESULTS_FILE=example.json | |
| check-resources.sh example.json "${LAST_UPDATED}" | |
| check-pseudonymization.sh | |
| - name: Run e2e for 10 Consented Patients with FHIR Consent | |
| run: | | |
| LAST_UPDATED=$(date -u +%Y-%m-%dT%H:%M:%S.%3NZ) | |
| make transfer-with-fhir-consent-list PROJECT=fhir-consent-example TEST_SET_SIZE=10 | |
| make wait | |
| make check-status RESULTS_FILE=example-with-fhir-consent.json | |
| check-resources.sh example-with-fhir-consent.json "${LAST_UPDATED}" | |
| check-pseudonymization.sh | |
| - name: Collect Agent Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs cd-agent tc-agent rd-agent | |
| - name: Collect MOSAIC Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs gics gpas | |
| - name: Collect HDS Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs cd-hds rd-hds | |
| - name: Collect DB Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs gics-db gpas-db keystore | |
| - name: Collect OAuth2 Server Logs | |
| if: failure() || cancelled() | |
| run: docker compose logs keycloak | |
| combine-sboms: | |
| needs: [ build-jar, scan-image ] | |
| runs-on: ubuntu-24.04 | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Install CycloneDX CLI | |
| env: | |
| # Check the cyclonedx binary against a pinned checksum here, it must be updated accordingly | |
| # renovate: datasource=github-release-attachments depName=CycloneDX/cyclonedx-cli | |
| CDX_CLI_VERSION: v0.30.0 | |
| CDX_CLI_CHECKSUM: f89876326620f5fc78a9b27cc1af57d6ed13d019aab87490e1246a44a910babb | |
| run: .github/scripts/install-cyclonedx.sh | |
| - name: Download SBOMs | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: ${{ matrix.agent }}-sbom-* | |
| path: . | |
| merge-multiple: true | |
| - name: Merge SBOMS | |
| run: cyclonedx merge --input-files sbom-mvn.json sbom-trivy.json --output-file sbom.json | |
| - name: Upload Combined SBOM | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: ${{ matrix.agent }}-sbom | |
| path: sbom.json | |
| if-no-files-found: error | |
| retention-days: 7 | |
| tag-image: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.head.repo.fork | |
| # `test` must succeed before finally tagging (i.e., publishing) the image | |
| needs: [ test, build-image, scan-image, e2e-tests ] | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| packages: write | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| env: | |
| DIGEST: ${{ needs.build-image.outputs[format('{0}-digest', matrix.agent )]}} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Install SLSA Verifier | |
| uses: slsa-framework/slsa-verifier/actions/installer@ea584f4502babc6f60d9bc799dbbb13c1caa9ee6 # v2.7.1 | |
| - name: Install crane | |
| uses: iarekylew00t/crane-installer@65372ffaef057f1714fed388fc3df3ad2c441aef # v4.0.10 | |
| - name: Login to GHCR | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Container Image Metadata | |
| id: meta | |
| uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 | |
| with: | |
| images: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Retag and Push Container Image | |
| run: | | |
| while read -r tag; do | |
| echo "${tag}" | cut -d: -f2 | xargs crane tag "${REGISTRY}/${{ matrix.agent }}@${DIGEST}" | |
| done <<<"${{ steps.meta.outputs.tags }}" | |
| sign-image: | |
| needs: [ build-image, combine-sboms ] | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| packages: write | |
| id-token: write | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| env: | |
| DIGEST: ${{ needs.build-image.outputs[format('{0}-digest', matrix.agent )]}} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0 | |
| - name: Download SBOM | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: ${{ matrix.agent }}-sbom | |
| path: . | |
| - name: Login to GHCR | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Sign Image | |
| env: | |
| IMAGE_REF: ${{ env.REGISTRY }}/${{ matrix.agent }}@${{ env.DIGEST }} | |
| run: cosign sign --yes "${IMAGE_REF}" | |
| - name: Attest Image SBOM | |
| env: | |
| IMAGE_REF: ${{ env.REGISTRY }}/${{ matrix.agent }}@${{ env.DIGEST }} | |
| run: cosign attest --yes --predicate "sbom.json" --type cyclonedx "${IMAGE_REF}" | |
| attest-image: | |
| needs: [ build-image ] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write | |
| packages: write # for uploading attestations. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.1.0 | |
| with: | |
| image: ghcr.io/${{ github.repository_owner }}/fts/${{ matrix.agent }} | |
| digest: ${{ needs.build-image.outputs[format('{0}-digest', matrix.agent)] }} | |
| registry-username: ${{ github.repository_owner }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| strategy: | |
| matrix: | |
| agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ] | |
| create-release: | |
| needs: [ build-image ] | |
| runs-on: ubuntu-24.04 | |
| defaults: | |
| run: | |
| working-directory: .github/release | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Check Link Targets | |
| run: make check-links | |
| - name: Create Release Archives | |
| id: create | |
| env: | |
| COMMIT_TAG: ${{ github.ref_type == 'tag' && github.ref_name || '' }} | |
| CD_AGENT_DIGEST: ${{ needs.build-image.outputs.clinical-domain-agent-digest }} | |
| TC_AGENT_DIGEST: ${{ needs.build-image.outputs.trust-center-agent-digest }} | |
| RD_AGENT_DIGEST: ${{ needs.build-image.outputs.research-domain-agent-digest }} | |
| run: | | |
| make cd-agent tc-agent rd-agent | |
| # shellcheck disable=SC2016 | |
| checksums="$(cat ./*.tar.gz.sha256 | xargs -L1 bash -c 'echo -n "{\"$(echo $1 | cut -d. -f1)\": \"$(echo "$0 $1" | base64 -w0)\"}"' | jq -sc 'add')" | |
| echo "checksums-b64=${checksums}" >>"${GITHUB_OUTPUT}" | |
| files="$(find . -name "*.tar.gz.sha256" -printf "%f\n" | cut -d. -f1 | jq -R | jq -sc)" | |
| echo "files=${files}" >>"${GITHUB_OUTPUT}" | |
| - name: Upload Release Archives | |
| uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 | |
| with: | |
| name: release-archives | |
| path: | | |
| .github/release/*.tar.gz | |
| .github/release/*.tar.gz.sha256 | |
| if-no-files-found: error | |
| retention-days: 7 | |
| outputs: | |
| checksums-b64: ${{ steps.create.outputs.checksums-b64 }} | |
| files: ${{ steps.create.outputs.files }} | |
| attest-release: | |
| needs: [ create-release ] | |
| permissions: | |
| actions: read | |
| contents: write | |
| id-token: write | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 | |
| strategy: | |
| matrix: | |
| file: ${{ fromJson(needs.create-release.outputs.files) }} | |
| with: | |
| base64-subjects: ${{ fromJson(needs.create-release.outputs.checksums-b64)[matrix.file] }} | |
| upload-assets: false | |
| publish-release: | |
| needs: [ attest-release, tag-image ] | |
| runs-on: ubuntu-24.04 | |
| if: github.ref_type == 'tag' | |
| permissions: | |
| contents: write | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| - name: Download Release Archives | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| name: release-archives | |
| path: . | |
| - name: Download Provenance | |
| uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 | |
| with: | |
| pattern: "*-agent.tar.gz.intoto.jsonl" | |
| merge-multiple: true | |
| path: . | |
| - name: Recognize Prerelease | |
| id: prerelease | |
| env: | |
| GITHUB_REF: ${{ github.ref_name }} | |
| # In SemVer 2.0, a prerelease version is always indicated by the presence of a hyphen | |
| run: | | |
| if [[ "${GITHUB_REF}" == *-* ]]; then | |
| echo "is-prerelease=true" >>"${GITHUB_OUTPUT}" | |
| fi | |
| - name: Generate Release Notes | |
| id: notes | |
| working-directory: .github/release | |
| env: | |
| GH_REPO: ${{ github.repository }} | |
| MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }} | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| file="$(./generate-notes.sh ${{ github.ref_name }})" | |
| echo "Release notes generated: ${file}" | |
| echo "file=${file}" >>"${GITHUB_OUTPUT}" | |
| - name: Release | |
| uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1 | |
| with: | |
| files: | | |
| *.tar.gz | |
| *.tar.gz.sha256 | |
| *.tar.gz.intoto.jsonl | |
| draft: true | |
| prerelease: ${{ steps.prerelease.outputs.is-prerelease }} | |
| body_path: ${{ steps.notes.outputs.file }} |
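Review bot: The `tag-image` job pushes the `latest`, semver and branch tags for a digest without waiting for `sign-image` or `attest-image` — its `needs` lists only `test, build-image, scan-image, e2e-tests` — and the `slsa-verifier` it installs is never invoked, so a consumer pulling a freshly tagged image can find it unsigned or without provenance whenever one of those parallel jobs fails. Listing them as prerequisites, `needs: [ test, build-image, scan-image, e2e-tests, sign-image, attest-image ]`, makes a published tag imply a signed and attested image; the same reasoning applies to `publish-release`, whose `needs: [ attest-release, tag-image ]` does not include the image signing job either. Note also that the Trivy step in `scan-image` sets no `exit-code`, so with the action's default the job succeeds regardless of CRITICAL/HIGH findings and the `needs: scan-image` edge only proves the scan ran; if the intent is to block, add `exit-code: '1'` (with `ignore-unfixed: true` if unfixable CVEs should not stop a release). Separately, the `Generate Release Notes` step expands `${{ github.ref_name }}` unquoted straight into the shell line — only tag pushers reach it, but passing it through `env:` as the `Recognize Prerelease` step already does for `GITHUB_REF` is the safer habit. If this merge is only the renovate bump the title suggests, these points are pre-existing rather than introduced here.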