Test

harrryr · Oct 18, 2024 · 29b8602 · 29b8602
1 parent a825c19
commit 29b8602
Show file tree

Hide file tree

Showing 2 changed files with 132 additions and 91 deletions.
diff --git a/.github/trust-policy/signed-image.json b/.github/trust-policy/signed-image.json
@@ -0,0 +1,21 @@
+{
+    "version":"1.0",
+    "trustPolicies":[
+       {
+          "name":"aws-signer-tp",
+          "registryScopes":[
+             "*"
+          ],
+          "signatureVerification":{
+             "level":"strict"
+          },
+          "trustStores":[
+             "signingAuthority:aws-signer-ts"
+          ],
+          "trustedIdentities":[
+             "arn:aws:signer:us-east-1:612966150583:/signing-profiles/AWSDistroOpenTelemetrySigningProfileBF578949_a75m7igIPnaz"
+          ]
+       }
+    ]
+ }
+
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -1,16 +1,12 @@
 name: Release Build
 on:
-  workflow_dispatch:
-    inputs:
-      version:
-        description: The version to tag the release with, e.g., 1.2.0, 1.2.1-alpha.1
-        required: true
+  push:
 
 env:
   AWS_PUBLIC_ECR_REGION: us-east-1
   AWS_PRIVATE_ECR_REGION: us-west-2
   TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test
-  PUBLIC_REPOSITORY: public.ecr.aws/aws-observability/adot-autoinstrumentation-java
+  PUBLIC_REPOSITORY: public.ecr.aws/e2l5l6g6/framework-test
   PRIVATE_REPOSITORY: 020628701572.dkr.ecr.us-west-2.amazonaws.com/adot-autoinstrumentation-java
   PRIVATE_REGISTRY: 020628701572.dkr.ecr.us-west-2.amazonaws.com
 
@@ -29,101 +25,125 @@ jobs:
           distribution: 'temurin'
       - uses: gradle/wrapper-validation-action@v1
 
-      - name: Publish patched dependencies to maven local
-        uses: ./.github/actions/patch-dependencies
-        with:
-          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
-          gpg_password: ${{ secrets.GPG_PASSPHRASE }}
-
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
-          aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}
-
-      - name: Log in to AWS ECR
-        uses: docker/login-action@v3
-        with:
-          registry: public.ecr.aws
-
-      - name: Build release with Gradle
-        uses: gradle/gradle-build-action@v3
-        with:
-          arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+      # - name: Publish patched dependencies to maven local
+      #   uses: ./.github/actions/patch-dependencies
+      #   with:
+      #     gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
+      #     gpg_password: ${{ secrets.GPG_PASSPHRASE }}
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v4
         with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
+          role-to-assume: arn:aws:iam::612966150583:role/aws-obs-java-image-release
           aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}
 
       - name: Log in to AWS ECR
         uses: docker/login-action@v3
         with:
           registry: public.ecr.aws
 
-      - name: Configure AWS Credentials for Private ECR
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
-          aws-region: ${{ env.AWS_PRIVATE_ECR_REGION }}
-
-      - name: Log in to AWS private ECR
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.PRIVATE_REGISTRY }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver-opts: image=moby/buildkit:v0.15.1
+      # - name: Build release with Gradle
+      #   uses: gradle/gradle-build-action@v3
+      #   with:
+      #     arguments: build integrationTests -PlocalDocker=true -Prelease.version=1.0.0 --stacktrace
+
+      # - name: Configure AWS Credentials
+      #   uses: aws-actions/configure-aws-credentials@v4
+      #   with:
+      #     role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
+      #     aws-region: ${{ env.AWS_PUBLIC_ECR_REGION }}
+
+      # - name: Log in to AWS ECR
+      #   uses: docker/login-action@v3
+      #   with:
+      #     registry: public.ecr.aws
+
+      # - name: Configure AWS Credentials for Private ECR
+      #   uses: aws-actions/configure-aws-credentials@v4
+      #   with:
+      #     role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_RELEASE }}
+      #     aws-region: ${{ env.AWS_PRIVATE_ECR_REGION }}
+
+      # - name: Log in to AWS private ECR
+      #   uses: docker/login-action@v3
+      #   with:
+      #     registry: ${{ env.PRIVATE_REGISTRY }}
+
+      # - name: Set up QEMU
+      #   uses: docker/setup-qemu-action@v3
+
+      # - name: Set up Docker Buildx
+      #   uses: docker/setup-buildx-action@v3
+      #   with:
+      #     driver-opts: image=moby/buildkit:v0.15.1
+
+      # - name: Build image for testing
+      #   uses: docker/build-push-action@v5
+      #   with:
+      #     push: false
+      #     build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+      #     context: .
+      #     platforms: linux/amd64
+      #     tags: ${{ env.TEST_TAG }}
+      #     load: true
+
+      # - name: Test docker image
+      #   shell: bash
+      #   run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+
+      # - name: Build and push image
+      #   uses: docker/build-push-action@v5
+      #   with:
+      #     push: true
+      #     build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+      #     context: .
+      #     platforms: linux/amd64,linux/arm64
+      #     tags: |
+      #       ${{ env.PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+
+      # - name: Setup Notation CLI
+      #   uses: notaryproject/notation-action/setup@v1
+
+      # - name: Sign released image
+      #   uses: notaryproject/notation-action/sign@v1
+      #   with:
+      #     plugin_name: aws-signer-notation-plugin
+      #     plugin_url: https://github.com/aws/aws-signer-notation-plugin/archive/refs/tags/v1.0.350.tar.gz
+      #     plugin_checksum: 6a1e0e0b2c3716899fd4c0ac37e60b287b1a36731f4874305c5c953291613acf
+      #     key_id: arn:aws:signer:us-east-1:612966150583:/signing-profiles/045231FF5_Jc8eznT2BNJ6
+      #     target_artifact_reference: public.ecr.aws/e2l5l6g6/framework-test:latest
+
+      - name: Setup Notation
+        run: |
+          curl -L -o aws-signer-notation-cli_amd64.deb https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/deb/latest/aws-signer-notation-cli_amd64.deb
+          sudo apt install ./aws-signer-notation-cli_amd64.deb
 
-      - name: Build image for testing
-        uses: docker/build-push-action@v5
-        with:
-          push: false
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
-          context: .
-          platforms: linux/amd64
-          tags: ${{ env.TEST_TAG }}
-          load: true
-
-      - name: Test docker image
-        shell: bash
-        run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
-
-      - name: Build and push image
-        uses: docker/build-push-action@v5
-        with:
-          push: true
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
-          context: .
-          platforms: linux/amd64,linux/arm64
-          tags: |
-            ${{ env.PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
-            ${{ env.PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
-
-      - name: Build and Publish release with Gradle
-        uses: gradle/gradle-build-action@v3
-        with:
-          arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
-        env:
-          PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
-          PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
-          GRGIT_USER: ${{ secrets.GITHUB_TOKEN }}
-          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
-          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-
-      - name: Create release
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+      - name: Sign released image
+        run: notation sign public.ecr.aws/e2l5l6g6/framework-test:latest --plugin "com.amazonaws.signer.notation.plugin" --id "arn:aws:signer:us-east-1:612966150583:/signing-profiles/AWSDistroOpenTelemetrySigningProfileBF578949_a75m7igIPnaz"
+
+      - name: Verify signed image
         run: |
-          cp "otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar" aws-opentelemetry-agent.jar
-          gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release v${{ github.event.inputs.version }}" \
-             --draft \
-             "v${{ github.event.inputs.version }}" \
-             aws-opentelemetry-agent.jar
+          notation policy import ./.github/trust-policy/signed-image.json
+          notation verify public.ecr.aws/e2l5l6g6/framework-test:latest
+
+      # - name: Build and Publish release with Gradle
+      #   uses: gradle/gradle-build-action@v3
+      #   with:
+      #     arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+      #   env:
+      #     PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
+      #     PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
+      #     GRGIT_USER: ${{ secrets.GITHUB_TOKEN }}
+      #     GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+      #     GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+
+      # - name: Create release
+      #   env:
+      #     GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+      #   run: |
+      #     cp "otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar" aws-opentelemetry-agent.jar
+      #     gh release create --target "$GITHUB_REF_NAME" \
+      #        --title "Release v${{ github.event.inputs.version }}" \
+      #        --draft \
+      #        "v${{ github.event.inputs.version }}" \
+      #        aws-opentelemetry-agent.jar