From eae120fbda34524433b6945201a07eb20976797f Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna" <kbdharunkrishna@gmail.com>
Date: Fri, 26 Jul 2024 21:43:34 +0530
Subject: [PATCH] feat: add release workflow, misc

Signed-off-by: K.B.Dharun Krishna <kbdharunkrishna@gmail.com>
---
 .github/dependabot.yml        |  2 +-
 .github/workflows/release.yml | 71 +++++++++++++++++++++++++++++++++++
 .gitignore                    |  7 ++--
 README.md                     |  1 +
 4 files changed, 77 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/release.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 8ac6b8c..5ace460 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,4 +3,4 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "monthly"
+      interval: "weekly"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..8b11722
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,71 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - '*'
+  workflow_dispatch:
+
+env:
+    REGISTRY_USER: ${{ github.actor }}
+    REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  verify-image:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install dependencies
+      run: sudo apt-get install -y libfyaml-utils
+
+    - name: Read base image name from recipe
+      id: read_base_recipe
+      run: |
+        BASE_IMAGE="$(fy-filter -f recipe.yml /stages/-1/base)"
+        echo The base image is $BASE_IMAGE
+        if [ -z $BASE_IMAGE ]; then exit 1; fi
+        echo "base_image=$BASE_IMAGE" >> "$GITHUB_OUTPUT"
+        echo "BASE_IMAGE=$BASE_IMAGE" >> "$GITHUB_ENV"
+
+    - name: Verify Base Image Integrity
+      run: |
+        gh attestation verify oci://ghcr.io/${{ env.BASE_IMAGE }} --owner Vanilla-OS
+      env:
+        GH_TOKEN: ${{ github.token }}
+
+  release:
+    runs-on: ubuntu-latest
+    needs: verify-image
+    permissions:
+      contents: write # Allow actions to create release
+      attestations: write # To create and write attestations
+      id-token: write # Additional permissions for the persistence of the attestations
+    
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - uses: vanilla-os/vib-gh-action@v0.7.4
+        with:
+            recipe: 'recipe.yml'
+            plugins: 'Vanilla-OS/vib-fsguard:v1.5.3'
+
+      - uses: actions/upload-artifact@v4
+        with:
+            name: Containerfile
+            path: Containerfile
+
+      - name: Create Release
+        env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: gh release create "${{ github.ref_name }}" --generate-notes Containerfile
+
+      - name: Attest Release Files
+        id: attest
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-path: 'Containerfile'
diff --git a/.gitignore b/.gitignore
index 2b1e343..f52775b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
-# Ignore Vib generated directories
-/downloads/
-/sources/
+# Ignore Vib directories
 Containerfile
+downloads/
+plugins/
+sources/
diff --git a/README.md b/README.md
index 06a72d9..9227fa4 100644
--- a/README.md
+++ b/README.md
@@ -35,6 +35,7 @@ Now, that you are aware of the basics, let's explore the files and directories p
 - `.github/workflows/vib-build.yml`: This file contains the GitHub Actions workflow to check for updates to the base image and build the Vib image on push and pull requests.
   - It uses the [`vib-gh-action`](https://github.com/Vanilla-OS/vib-gh-action) to build the recipe and upload it as an artifact. The generated artifact is then built using Docker's actions and pushed to GHCR (**Note**: The image with the respective branch tags is published to GHCR only on push actions to the branches in your repository or on tags and not on pull requests).
   - The action runs automatically on a schedule checking updates to the base image using [Differ](https://github.com/Vanilla-OS/Differ).
+- `.github/workflows/release.yml`: This file contains the GitHub Actions workflow to automatically create a GitHub release when a tag is created and it uploads the generated Containerfile to the release for future reference.
 - `.github/dependabot.yml`: This file contains the configuration for GitHub's Dependabot to check for updates to the GitHub actions used in the workflow files monthly and when it finds a new version it creates a PR in your repository.
 - `includes.container`: The files included in this directory are added by default to your image to the specified location (**Note**: It also contains ABRoot's configuration file).
 - `modules`: This directory contains the modules that are used to customize the image. You can add your modules to this directory.