Merge pull request #6003 from wileyj/chore/update_ci

Release workflow updates

Author: wileyj

.github/workflows/ci.yml

@@ -94,6 +94,7 @@ jobs:
     needs:
       - rustfmt
       - check-release
+    secrets: inherit 
     uses: ./.github/workflows/github-release.yml
     with:
       node_tag: ${{ needs.check-release.outputs.node_tag }}

.github/workflows/core-build-tests.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Build the binaries
         id: build
         run: |
-          cargo build
+          cargo build --bin stacks-inspect
       - name: Dump constants JSON
         id: consts-dump
         run: cargo run --bin stacks-inspect -- dump-consts | tee out.json

.github/workflows/github-release.yml

@@ -38,9 +38,9 @@ concurrency:
 run-name: ${{ inputs.node_tag || inputs.signer_tag }}
 
 jobs:
-  ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below. 
+  ## This job's sole purpose is trigger a secondary approval outside of the matrix jobs below.
   ##   - If this job isn't approved to run, then the subsequent jobs will also not run - for this reason, we always exit 0
-  ##   - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.  
+  ##   - `andon-cord` requires the repo environment "Build Release", which will trigger a secondary approval step before running this workflow.
   andon-cord:
     if: |
       inputs.node_tag != '' ||
@@ -65,6 +65,9 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - andon-cord
+    permissions:
+      id-token: write
+      attestations: write
     strategy:
       ## Run a maximum of 10 builds concurrently, using the matrix defined in inputs.arch
       max-parallel: 10
@@ -135,6 +138,10 @@ jobs:
       inputs.signer_tag != ''
     name: Docker Image (Binary)
     runs-on: ubuntu-latest
+    environment: "Push to Docker"
+    permissions:
+      id-token: write
+      attestations: write
     needs:
       - andon-cord
       - build-binaries
@@ -164,7 +171,6 @@ jobs:
   ## Create the downstream PR for the release branch to master,develop
   create-pr:
     if: |
-      !contains(github.ref, '-rc') &&
       (
         inputs.node_tag != '' ||
         inputs.signer_tag != ''

.github/workflows/image-build-source.yml

@@ -23,6 +23,9 @@ jobs:
     runs-on: ubuntu-latest
     ## Requires the repo environment "Push to Docker", which will trigger a secondary approval step before running this workflow.
     environment: "Push to Docker"
+    permissions:
+      id-token: write
+      attestations: write
     steps:
       ## Setup Docker for the builds
       - name: Docker setup
@@ -68,3 +71,22 @@ jobs:
             GIT_COMMIT=${{ env.GITHUB_SHA_SHORT }}
             TARGET_CPU=x86-64-v3
           push: ${{ env.DOCKER_PUSH }}
+
+      ## Generate docker image attestation(s)
+      - name: Generate artifact attestation (${{ github.event.repository.name }})
+        id: attest_primary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-name: |
+            index.docker.io/${{env.docker-org}}/${{ github.event.repository.name }}
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true
+
+      - name: Generate artifact attestation (stacks-blockchain)
+        id: attest_secondary
+        uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # v2.2.3
+        with:
+          subject-name: |
+            index.docker.io/${{env.docker-org}}/stacks-blockchain
+          subject-digest: ${{ steps.docker_build.outputs.digest }}
+          push-to-registry: true