change(ci): Updated release pipeline#1008
Conversation
✅ Deploy Preview for common-cloud-controls canceled.
|
Signed-off-by: Eddie Knight <knight@linux.com>
eddie-knight
changed the title
eddie-knight
force-pushed
the
grcli-release-pipeline
branch
from
8507e18 to
fc81f45
Compare
|
I pinged @TheJuanAndOnly99 for guidance on the failing check. It can be safely ignored for now. |
sshiells-scottlogic
left a comment
sshiells-scottlogic
left a comment
There was a problem hiding this comment.
Looks good as far as I can tell
robmoffat
left a comment
robmoffat
left a comment
There was a problem hiding this comment.
One further improvement I would like to see is that this should run automaticatically as well as workflow dispatch.
i.e.
- Build the catalogs.
- Compare (perhaps just the IDs) to previous versions
- If there is changed content, perform the release automatically.
That would mean we complete #993 too
| "description": "Global/common capability IDs" | ||
| "pattern": "^CCC\\.Core\\..+$", | ||
| "description": "Global/common capability IDs (CP## or F## during migration)" | ||
| }, |
There was a problem hiding this comment.
can we not pull in these schema files from Gemara now?
There was a problem hiding this comment.
Yes we could achieve the vetting strictly through the CUE schema, but @sshiells-scottlogic requested that we persist the IDE support via jsonschema
| grcli validate -f "$ARTIFACT" --spec /tmp/gemara-spec | ||
|
|
||
| # Create a GitHub release | ||
| - name: Create GitHub Release |
There was a problem hiding this comment.
we need to create the GitHub release too
There was a problem hiding this comment.
That was just moved down: https://github.com/finos/common-cloud-controls/pull/1008/changes#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R141-R146
Still there 👍
| draft: false | ||
| prerelease: true | ||
| # NEW publishing step: push the typed catalog to grc.store. | ||
| - name: Publish to grc.store |
There was a problem hiding this comment.
Who or what owns grc.store? Are we creating a new link to a proprietary service here?
Is this infra owned by OpenSSF?
There was a problem hiding this comment.
That's all built and maintained by me at the moment. It'll unlock several capabilities in addition to what we have from the current GitHub release flow — especially valuable is the grcli pull ... command which will allow anyone to fetch official immutable release artifacts and vet provenance in a single command.
3 participants
This change set allows us to publish releases to https://grc.store in addition to the GH releases page.
This is a first step — the PR was already getting big so I decided not to go through and bring every catalog into compliance with the latest schema.
This disables the website updates due to the change in artifact shape. We should update that pipeline in a dedicated PR.
Test run: https://github.com/finos/common-cloud-controls/actions/runs/26257290484
Result: https://grc.store/search/finos-ccc/ccc.objstor.cp
I left a whole bunch of claude ultrareview comments inside the PR so that it is clear where we need to make follow-up PRs. I will be drafting those as soon as we merge this in.