Add Actions release and attest job

.github/workflows/release.yaml

@@ -1,92 +1,47 @@
-name: Cut Release
+name: Release
 
 on:
   push:
     tags:
       - "v*"
 
-concurrency: cut-release
-
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for pushing the images to ghcr.io
-
 jobs:
   release:
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
-      tag_name: ${{ steps.tag.outputs.tag_name }}
     runs-on: ubuntu-latest
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+      packages: write
+    env:
+      KO_DOCKER_REPO: ghcr.io/github/policy-controller-webhook
+      KOCACHE: /tmp/ko
     steps:
       - uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b # v4.1.5
-
+        with:
+          ref: "release"
       - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
-          go-version-file: './go.mod'
+          go-version-file: "./go.mod"
           check-latest: true
-
-      - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20
-
-      - uses: anchore/sbom-action/download-syft@7ccf588e3cf3cc2611714c2eeae48550fbc17552 # v0.15.11
-
       - uses: ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa # v0.6
-
-      - name: Set up Cloud SDK
-        uses: google-github-actions/auth@55bd3a7c6e2ae7cf1877fd1ccb9d54c0503c457c # v2.1.2
-        with:
-          workload_identity_provider: 'projects/498091336538/locations/global/workloadIdentityPools/githubactions/providers/sigstore-policy-controller'
-          service_account: '[email protected]'
-
-      - name: 'Set up Cloud SDK'
-        uses: google-github-actions/setup-gcloud@98ddc00a17442e89a24bbf282954a3b65ce6d200 # v2.1.0
-
-      - name: creds
-        run: gcloud auth configure-docker --quiet
-
-      - name: Set LDFLAGS
-        id: ldflags
+      - name: Build and publish webhook to GHCR
+        id: build
         run: |
-           source ./release/ldflags.sh
-           goflags=$(ldflags)
-           echo "GO_FLAGS="${goflags}"" >> "$GITHUB_ENV"
-
-      - name: Set tag output
-        id: tag
-        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
-
-      - name: Run GoReleaser
-        id: run-goreleaser
-        uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+          export GIT_HASH=`git rev-parse HEAD`
+          export GIT_VERSION=`git describe --tags --always --dirty`
+          export BUILD_DATE=`date +%Y-%m-%dT%H:%M:%SZ`
+          export LDFLAGS="-buildid= -X sigs.k8s.io/release-utils/version.gitVersion=$GIT_VERSION -X sigs.k8s.io/release-utils/version.gitCommit=$GIT_HASH -X sigs.k8s.io/release-utils/version.buildDate=$BUILD_DATE"
+
+          mkdir -p ${{ env.KOCACHE }}
+          # ko build should print ghcr.io/github/policy-controller-webhook@sha256:<digest>
+          # to standard out. Capture the image digest for the build provenance step
+          IMAGE_DIGEST=$(ko build --bare --tags $GIT_VERSION --tags $GIT_HASH --platform=linux/amd64 github.com/sigstore/policy-controller/cmd/webhook | cut -d'@' -f2)
+          echo "image_digest=$IMAGE_DIGEST" >> $GITHUB_OUTPUT
+      - name: Attest
+        uses: actions/attest-build-provenance@951c0c5f8e375ad4efad33405ab77f7ded2358e4 # v1.1.1
+        id: attest
         with:
-          version: latest
-          args: release --rm-dist --timeout 120m
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          LDFLAGS: ${{ env.GO_FLAGS }}
-
-      - name: Generate subject
-        id: hash
-        env:
-          ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}"
-        run: |
-          set -euo pipefail
-          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
-          echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
-
-      - name: copy-signed-release-to-ghcr
-        run: make copy-signed-release-to-ghcr || true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-  provenance:
-    needs: [release]
-    permissions:
-      actions: read # To read the workflow path.
-      id-token: write # To sign the provenance.
-      contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
-    with:
-      base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true # upload to a new release
-      upload-tag-name: "${{ needs.release.outputs.tag_name }}"
+          subject-name: ${{ env.KO_DOCKER_REPO }}
+          subject-digest: ${{ steps.build.outputs.image_digest }}
+          push-to-registry: true

.ko.yaml

@@ -30,4 +30,3 @@ builds:
     ldflags:
       - -extldflags "-static"
       - "{{ .Env.LDFLAGS }}"
-

README.md

@@ -83,12 +83,16 @@ This policy-controller's versions are able to run in the following versions of K
 
 note: not fully tested yet, but can be installed
 
-## Release Cadence
+## Cutting a new release
 
-We are intending to move to a monthly cadence for minor releases.
-Minor releases will be published around the beginning of the month.
-We may cut a patch release instead, if the changes are small enough not to warrant a minor release.
-We will also cut patch releases periodically as needed to address bugs.
+The branch `release` on the private fork is used for customer-facing released code. 
+
+In order to push a new release, follow these steps:
+
+1. Merge any changes into the `release` branch.
+1. Tag as `v0.9.0+githubX` (incrementing the `X` as needed).
+1. Push the tag to the private fork.
+1. The [Release GitHub Action workflow](https://github.com/github/policy-controller/actions/workflows/release.yaml) will triggered automatically when the tag is pushed
 
 ## Security