KubeRocketCI · SergK · Jun 4, 2025 · Jun 3, 2025
@@ -0,0 +1,38 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ main ]
+env:
+  GOLANG_VERSION: '1.24'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    - name: Set up Go
+      uses: actions/setup-go@v5
+      with:
+        go-version: ${{ env.GOLANG_VERSION }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2
@@ -0,0 +1,88 @@
+name: Create KRCI release
+on:
+  push:
+    tags:
+      - 'v*'
+
+env:
+    GOLANG_VERSION: '1.24'
+
+jobs:
+  prepare-release:
+    name: Perform automatic release on trigger ${{ github.ref }}
+    runs-on: ubuntu-latest
+    env:
+      # The name of the tag as supplied by the GitHub event
+      SOURCE_TAG: ${{ github.ref }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: '0'
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GOLANG_VERSION }}
+
+      - name: Check if the published tag is well formed and setup vars
+        run: |
+          set -xue
+
+          # refs/tags/v2.10.7 -> v2.10.7
+          RELEASE_TAG="${SOURCE_TAG##*/}"
+          # install git-chglog
+          go install github.com/git-chglog/git-chglog/cmd/git-chglog@latest
+          # install crane
+          go install github.com/google/go-containerregistry/cmd/crane@v0.16.1
+          # install rekor-cli
+          go install github.com/sigstore/rekor/cmd/rekor-cli@v1.3.3
+
+          git-chglog --template .chglog/release.tpl.md -o release.md ${RELEASE_TAG}
+
+          # Extract image name and tag from RELEASE_TAG
+          IMAGE_NAME="epamedp/cd-pipeline-operator"
+          IMAGE_TAG=${RELEASE_TAG#v}
+
+          # Get the digest of the image
+          DIGEST=$(crane digest ${IMAGE_NAME}:${IMAGE_TAG} | tr ':' '-')
+
+          # Get the digest of the attestation layer
+          ATTESTATION_DIGEST=$(crane manifest ${IMAGE_NAME}:${DIGEST}.att | jq -r '.layers[].digest')
+
+          # Get the digest of the signature layer
+          SIGNATURE_DIGEST=$(crane manifest ${IMAGE_NAME}:${DIGEST}.sig | jq -r '.layers[].digest')
+
+          # Search for the UUID of the attestation in JSON format
+          ATTESTATION_UUID_JSON=$(rekor-cli search --sha ${ATTESTATION_DIGEST} --format json)
+
+          # Search for the UUID of the signature in JSON format
+          SIGNATURE_UUID_JSON=$(rekor-cli search --sha ${SIGNATURE_DIGEST} --format json)
+
+          # Parse the JSON output to get the UUIDs
+          ATTESTATION_UUID=$(echo ${ATTESTATION_UUID_JSON} | jq -r '.UUIDs[0]')
+          SIGNATURE_UUID=$(echo ${SIGNATURE_UUID_JSON} | jq -r '.UUIDs[0]')
+
+          # Create a new file with the desired text and the UUIDs
+          echo "### Deployment Certifications and Source Traceability" > new_release.md
+          echo "KubeRocketCI container images bear [cosign](https://github.com/sigstore/cosign) signatures. Refer to the [documentation](https://docs.kuberocketci.io/docs/developer-guide/artifacts-verification) for instructions on verification." >> new_release.md
+          echo "The Rekor UUID's for this release is \`${ATTESTATION_UUID}\` - attestation and" >> new_release.md
+          echo "\`${SIGNATURE_UUID}\` - signature" >> new_release.md
+
+          # Append the contents of release.md to new_release.md
+          cat release.md >> new_release.md
+
+          # Move new_release.md to release.md
+          mv new_release.md release.md
+
+          echo "RELEASE_TAG=${RELEASE_TAG}" >> $GITHUB_ENV
+
+      - name: Create GitHub release
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        id: create_release
+        with:
+          tag_name: ${{ env.RELEASE_TAG }}
+          release_name: ${{ env.RELEASE_TAG }}
+          body_path: release.md
@@ -0,0 +1,2 @@
+# All
+** @kuberocketci/admins