github-action: enable provenance (#2014)

Author: v1v

.github/actions/build-distribution/action.yml

@@ -0,0 +1,21 @@
+---
+
+name: common build distribution tasks
+description: Run the build distribution
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+
+ - name: Build lambda layer zip
+ run: ./dev-utils/make-distribution.sh
+ shell: bash
+
+ - uses: actions/upload-artifact@v4
+ with:
+ name: build-distribution
+ path: ./build/
+ if-no-files-found: error

.github/actions/packages/action.yml

@@ -0,0 +1,31 @@
+---
+
+name: common package tasks
+description: Run the packages
+
+runs:
+ using: "composite"
+ steps:
+ - uses: actions/setup-python@v5
+ with:
+ python-version: "3.10"
+ - name: Override the version if there is no tag release.
+ run: |
+ if [[ "${GITHUB_REF}" != refs/tags/* ]]; then
+ echo "ELASTIC_CI_POST_VERSION=${{ github.run_id }}" >> "${GITHUB_ENV}"
+ fi
+ shell: bash
+ - name: Build packages
+ run: ./dev-utils/make-packages.sh
+ shell: bash
+ - name: Upload Packages
+ uses: actions/upload-artifact@v4
+ with:
+ name: packages
+ path: |
+ dist/*.whl
+ dist/*tar.gz
+ - name: generate build provenance
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-path: "${{ github.workspace }}/dist/*"

.github/dependabot.yml

@@ -29,3 +29,30 @@ updates:
  github-actions:
  patterns:
  - "*"
+
+ # GitHub composite actions
+ - package-ecosystem: "github-actions"
+ directory: "/.github/actions/packages"
+ reviewers:
+ - "elastic/observablt-ci"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ time: "22:00"
+ groups:
+ github-actions:
+ patterns:
+ - "*"
+
+ - package-ecosystem: "github-actions"
+ directory: "/.github/actions/build-distribution"
+ reviewers:
+ - "elastic/observablt-ci"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ time: "22:00"
+ groups:
+ github-actions:
+ patterns:
+ - "*"

.github/workflows/build-distribution.yml

@@ -18,27 +18,10 @@ permissions:
 
 jobs:
  build:
+ permissions:
+ id-token: write
+ contents: write
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v4
- - uses: actions/setup-python@v5
- with:
- python-version: "3.10"
- - name: Override the version if there is no tag release.
- run: |
- if [[ "${GITHUB_REF}" != refs/tags/* ]]; then
- echo "ELASTIC_CI_POST_VERSION=${{ github.run_id }}" >> "${GITHUB_ENV}"
- fi
- - name: Install wheel
- run: pip install --user wheel
- - name: Building universal wheel
- run: python setup.py bdist_wheel
- - name: Building source distribution
- run: python setup.py sdist
- - name: Upload Packages
- uses: actions/upload-artifact@v4
- with:
- name: packages
- path: |
- dist/*.whl
- dist/*tar.gz
+ - uses: ./.github/actions/packages

.github/workflows/packages.yml

@@ -18,7 +18,13 @@ jobs:
  enabled: ${{ startsWith(github.ref, 'refs/tags') }}
 
  packages:
- uses: ./.github/workflows/packages.yml
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/packages
 
  publish-pypi:
  needs:
@@ -46,7 +52,17 @@ jobs:
  repository-url: https://test.pypi.org/legacy/
 
  build-distribution:
- uses: ./.github/workflows/build-distribution.yml
+ permissions:
+ id-token: write
+ contents: write
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/build-distribution
+ - name: generate build provenance
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-path: "${{ github.workspace }}/build/dist/elastic-apm-python-lambda-layer.zip"
 
  publish-lambda-layers:
  needs:
@@ -63,7 +79,7 @@ jobs:
  secrets: |
  secret/observability-team/ci/service-account/apm-agent-python access_key_id | AWS_ACCESS_KEY_ID ;
  secret/observability-team/ci/service-account/apm-agent-python secret_access_key | AWS_SECRET_ACCESS_KEY
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@v4
  with:
  name: build-distribution
  path: ./build
@@ -86,6 +102,9 @@ jobs:
  needs:
  - build-distribution
  runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
  env:
  DOCKER_IMAGE_NAME: docker.elastic.co/observability/apm-agent-python
  steps:
@@ -97,7 +116,7 @@ jobs:
  url: ${{ secrets.VAULT_ADDR }}
  roleId: ${{ secrets.VAULT_ROLE_ID }}
  secretId: ${{ secrets.VAULT_SECRET_ID }}
- - uses: actions/download-artifact@v3
+ - uses: actions/download-artifact@v4
  with:
  name: build-distribution
  path: ./build
@@ -107,25 +126,30 @@ jobs:
  if [ "${{ startsWith(github.ref, 'refs/tags') }}" == "false" ] ; then
  # for testing purposes
  echo "tag=test" >> "${GITHUB_OUTPUT}"
+ echo "latest=test-latest" >> "${GITHUB_OUTPUT}"
  else
  # version without v prefix (e.g. 1.2.3)
  echo "tag=${GITHUB_REF_NAME/v/}" >> "${GITHUB_OUTPUT}"
+ echo "latest=latest" >> "${GITHUB_OUTPUT}"
  fi
- - name: Docker build
- run: >-
- docker build
- -t ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
- --build-arg AGENT_DIR=./build/dist/package/python
- .
- - name: Docker retag
- run: >-
- docker tag
- ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
- ${{ env.DOCKER_IMAGE_NAME }}:latest
- - name: Docker push
- if: startsWith(github.ref, 'refs/tags')
- run: |-
- docker push --all-tags ${{ env.DOCKER_IMAGE_NAME }}
+ - name: Build and push image
+ id: push
+ uses: docker/build-push-action@v5.3.0
+ with:
+ context: .
+ push: true
+ tags: |
+ ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}
+ ${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.latest }}
+ build-args: |
+ AGENT_DIR=./build/dist/package/python
+
+ - name: Attest image
+ uses: github-early-access/generate-build-provenance@main
+ with:
+ subject-name: "${{ env.DOCKER_IMAGE_NAME }}:${{ steps.setup-docker.outputs.tag }}"
+ subject-digest: ${{ steps.push.outputs.digest }}
+ push-to-registry: false
 
  github-draft:
  permissions:

.github/workflows/release.yml

@@ -35,7 +35,11 @@ permissions:
 
 jobs:
  build-distribution:
- uses: ./.github/workflows/build-distribution.yml
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: ./.github/actions/build-distribution
+
 
  create-matrix:
  runs-on: ubuntu-latest

.github/workflows/test.yml

@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Make a Python APM agent distribution
+#
+
+echo "::group::Install wheel"
+pip install --user wheel
+echo "::endgroup::"
+
+echo "::group::Building universal wheel"
+python setup.py bdist_wheel
+echo "::endgroup::"
+
+echo "::group::Building source distribution"
+python setup.py sdist
+echo "::endgroup::"