[DMS-292] Adding Release / Pre-release workflows (#7)

Ed-Fi-Alliance-OSS · Sep 6, 2024 · 3c7ef8a · 3c7ef8a
1 parent 06f036f
commit 3c7ef8a
Show file tree

Hide file tree

Showing 5 changed files with 213 additions and 1 deletion.
diff --git a/.github/workflows/on-prerelease.yml b/.github/workflows/on-prerelease.yml
@@ -0,0 +1,122 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+name: On Pre-Release
+on:
+  release:
+    types:
+      - prereleased
+  workflow_dispatch:
+
+env:
+  MANIFEST_FILE: "Ed-Fi-Kafka-Connect-sbom-create.spdx.json"  
+  PACKAGE_NAME: "ed-fi-kafka-connect-transforms"
+  REF: ${{ github.ref_name }}
+
+permissions: read-all
+
+jobs:
+  pack:
+    name: Build and Pack
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: pwsh
+        working-directory: kafka/ed-fi-kafka-connect-transforms
+    outputs:
+      hash-code: ${{ steps.hash-code.outputs.hash-code }}
+      dms-version: ${{ steps.versions.outputs.connector-v }}
+
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
+
+      - name: Set Version Numbers      
+        id: versions
+        working-directory: ./
+        run: |
+          Import-Module ./package-helpers.psm1
+          Get-VersionNumber
+
+      - name: Setup Java
+        uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
+        with: 
+          java-version: '17'
+          distribution: 'temurin'
+
+      - name: Setup Gradle
+        uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 # v3.5.0
+
+      - name: Generate Gradle wrapper
+        run: gradle wrapper        
+
+      - name: Make gradlew executable
+        run: chmod +x ./gradlew   
+
+      - name: Build with Gradle
+        run: |
+          $packageVersion = "${{ steps.versions.outputs.connector-semver }}"
+          ./gradlew clean build -Pversion="${{ steps.versions.outputs.connector-semver }}"  
+        
+      - name: Generate hash for the jar file
+        id: hash-code
+        run: |
+          $jarPath = "${{ github.workspace }}/kafka/ed-fi-kafka-connect-transforms/build/libs/*.jar"        
+          "hash-code=$(sha256sum $jarPath | base64 -w0)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+
+      - name: Upload Packages as Artifacts
+        if: success()
+        uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0
+        with:
+          name: ${{ env.PACKAGE_NAME }}
+          path: ${{ github.workspace }}/kafka/ed-fi-kafka-connect-transforms/build/libs/*.jar
+          if-no-files-found: error
+          retention-days: 30
+
+  sbom-create:
+    name: Create SBOM
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        shell: pwsh
+    needs: pack
+    permissions:
+      actions: read
+      contents: write
+      attestations: write
+      id-token: write
+    outputs:
+      sbom-hash-code: ${{ steps.sbom-hash-code.outputs.sbom-hash-code }}
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Get Artifacts
+        uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 #v4.1.1
+        with:
+          name: ${{ env.PACKAGE_NAME }}
+
+      - name: Generate SBOM
+        uses: anchore/sbom-action@61119d458adab75f756bc0b9e4bde25725f86a7a
+        with:
+          format: 'spdx-json'
+          output-file: ${{ env.PACKAGE_NAME }}-SBOM
+          upload-release-assets: true
+          upload-artifact: true
+
+  provenance-create:    
+    name: Create Provenance
+    needs: pack
+    permissions:
+      actions: read
+      id-token: write
+      contents: write      
+    uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@main
+    with:
+      base64-subjects: ${{ needs.pack.outputs.hash-code }}
+      provenance-name: kafkaconnect.intoto.jsonl
+      upload-assets: true
+      # TODO: remove this after this issue is resolved: https://github.com/slsa-framework/slsa-github-generator/issues/876
+      compile-generator: true      
diff --git a/.github/workflows/on-release.yml b/.github/workflows/on-release.yml
@@ -0,0 +1,55 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+name: On Release
+on:
+  release:
+    types:
+      - released
+
+env:
+  ARTIFACTS_PACKAGES_URL: ${{ vars.ARTIFACTS_PACKAGES_URL }}
+
+permissions: read-all
+
+jobs:
+  delete-pre-releases:
+    name: Delete Unnecessary Pre-Releases
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Delete other pre-releases and their tags
+        shell: pwsh
+        run: |
+          $release = "${{ github.ref_name }}"
+          $repo = "${{ github.repository }}"
+          $token = "${{ secrets.GITHUB_TOKEN }}"
+
+          $page = 1
+          $release_list = @()
+
+          Do {
+
+            $url = "https://api.github.com/repos/$repo/releases?per_page=100&page=$page"
+            $gh_headers = @{
+                "Accept"        = "application/vnd.github+json"
+                "Authorization" = "Bearer $token"
+            }
+
+            $release_list = Invoke-RestMethod $url -Headers $gh_headers
+
+            $release_list | ForEach-Object {
+                if ($_.tag_name -like "Pre-Release-*" -and $_.prerelease) {
+                    "Deleting pre-release $($_.tag_name)" | Write-Output
+                    Invoke-RestMethod -Method Delete -Uri $_.url -Headers $gh_headers
+                }
+            }
+
+            $page += 1
+          } While ($release_list.count -gt 0)
diff --git a/SECURITY.md b/SECURITY.md
@@ -48,4 +48,8 @@ auditing.
 ### Binaries
 
 1. Binaries are built and managed directly inside GitHub, not by developers.
-2. Docker images are pinned to specific known SHA256 hash values.
+2. Releases contain provenance
+   [attestations](https://slsa.dev/attestation-model) and a [software bill of
+   materials](https://www.cisa.gov/sbom) (SBOM) files describing the build
+   process and dependencies.
+3. Docker images are pinned to specific known SHA256 hash values.
diff --git a/kafka/ed-fi-kafka-connect-transforms/.gitignore b/kafka/ed-fi-kafka-connect-transforms/.gitignore
@@ -7,3 +7,6 @@ gradle
 
 gradlew
 gradlew.bat
+
+# Mac OS
+.DS_Store
diff --git a/package-helpers.psm1 b/package-helpers.psm1
@@ -0,0 +1,28 @@
+# SPDX-License-Identifier: Apache-2.0
+# Licensed to the Ed-Fi Alliance under one or more agreements.
+# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
+# See the LICENSE and NOTICES files in the project root for more information.
+
+#requires -version 7
+
+$ErrorActionPreference = "Stop"
+
+<#
+.DESCRIPTION
+Builds a pre-release version number based on the last tag in the commit history
+and the number of commits since then.
+#>
+function Get-VersionNumber {
+
+    $prefix = "v"
+
+    # Install the MinVer CLI tool
+    &dotnet tool install --global minver-cli
+
+    $version = $(&minver -t $prefix)
+
+    "connector-v=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+    "connector-semver=$($version -Replace $prefix)" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
+}
+
+Export-ModuleMember -Function Get-VersionNumber