Use the Publish to BCR reusable GitHub workflow

mbland · mbland · commit d90aa1b161af · 2025-04-29T07:58:08.000-04:00
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
diff --git a/.bcr/README.md b/.bcr/README.md
@@ -1,16 +1,44 @@
 # Bazel Central Registry publication
 
-The [Publish to BCR GitHub app](https://github.com/bazel-contrib/publish-to-bcr)
-uses these configuration files for publishing Bazel modules to the [Bazel
-Central Registry (BCR)](https://registry.bazel.build/).
+The [.github/workflows/publish-to-bcr.yml](
+../.github/workflows/publish-to-bcr.yml) reusable GitHub workflow uses these
+configuration files for publishing Bazel modules to the [Bazel Central Registry
+(BCR)](https://registry.bazel.build/). This workflow also produces attestations
+required by the [Supply chain Levels for Software Artifacts
+(SLSA)](https://slsa.dev/) framework for secure supply chain provenance.
 
-- [Publish to BCR workflow setup](
-    https://github.com/bazel-contrib/publish-to-bcr/tree/main/README.md#setup)
+[bazel-contrib/publish-to-bcr](https://github.com/bazel-contrib/publish-to-bcr)
+documentation:
+
+- [Publish to BCR workflow setup (from bazel-contrib/publish-to-bcr@fb1dc68)](
+    https://github.com/bazel-contrib/publish-to-bcr/blob/fb1dc6802c3c999e17ad7afce9474a90bd89e132/README.md#setup)
 - [.bcr/ templates](
     https://github.com/bazel-contrib/publish-to-bcr/tree/main/templates)
+- [.github/workflows/publish.yaml reusable workflow](
+    https://github.com/bazel-contrib/publish-to-bcr/blob/main/.github/workflows/publish.yaml)
 
 Related documentation:
 
 - [bazelbuild/bazel-central-registry](
     https://github.com/bazelbuild/bazel-central-registry)
+- [SLSA: Provenance](https://slsa.dev/spec/v1.0/provenance)
+- [in-toto](https://in-toto.io/)
 - [GitHub Actions](https://docs.github.com/actions)
+- [Security for GitHub Actions](
+    https://docs.github.com/en/actions/security-for-github-actions)
+- [Security for GitHub Actions: Using artifact attestations](
+    https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations)
+- [actions/attest-build-provenance](
+    https://github.com/actions/attest-build-provenance)
+- [in-toto/attestation](https://github.com/in-toto/attestation)
+- [slsa-framework/slsa-verifier](
+    https://github.com/slsa-framework/slsa-verifier)
+
+---
+
+Originally based on the examples from aspect-build/rules_lint#498 and
+aspect-build/rules_lint#501. See also:
+
+- bazelbuild/bazel-central-registry#4060
+- bazelbuild/bazel-central-registry#4146
+- slsa-framework/slsa-verifier#840
diff --git a/.github/workflows/publish-to-bcr.yml b/.github/workflows/publish-to-bcr.yml
@@ -0,0 +1,35 @@
+# Publishes to the Bazel Central Registry. See .bcr/README.md.
+name: Publish to the Bazel Central Registry
+
+on:
+  # Run from release.yml.
+  workflow_call:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+    secrets:
+      publish_token:
+        required: true
+
+  # In case of problems, enable manual dispatch from the GitHub UI.
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+
+jobs:
+  publish-to-bcr:
+    uses: bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml@v0.0.1
+    with:
+      tag_name: ${{ inputs.tag_name }}
+      # bazelbuild/bazel-central-registry fork used to open a pull request.
+      registry_fork: simuons/bazel-central-registry
+    permissions:
+      attestations: write
+      contents: write
+      id-token: write
+    secrets:
+      # Necessary to push to the BCR fork and open a pull request.
+      publish_token: ${{ secrets.publish_token }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,21 +7,36 @@ on:
     tags:
       - 'v*.*.*'
 
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+  # In case of problems, enable manual dispatch from the GitHub UI.
+  workflow_dispatch:
+    inputs:
+      tag_name:
+        required: true
+        type: string
+
+# Based on the following, which uses the `release_ruleset` workflow to generate
+# provenance attestation files referenced by the `publish-to-bcr` workflow.
+# https://github.com/aspect-build/rules_lint/blob/v1.3.1/.github/workflows/release.yml
 
-      - name: Prepare workspace snippet
-        run: .github/workflows/workspace_snippet.sh ${{ env.GITHUB_REF_NAME }} > release_notes.txt
+permissions:
+  attestations: write # Needed to attest provenance
+  contents: write # Needed to create release
+  id-token: write # Needed to attest provenance
+
+jobs:
+  release:
+    uses: bazel-contrib/.github/.github/workflows/release_ruleset.yaml@v7.1.0
+    with:
+      bazel_test_command: "bazel test //src/... //test/... //third_party/..."
+      prerelease: false
+      release_files: rules_scala-*.tar.gz
+      release_prep_command: .github/workflows/workspace_snippet.sh
+      tag_name: ${{ github.ref_name }}
 
-      - name: Release
-        uses: softprops/action-gh-release@v1
-        with:
-          # Use GH feature to populate the changelog automatically
-          generate_release_notes: true
-          body_path: release_notes.txt
-          fail_on_unmatched_files: true
-          files: rules_scala-*.tar.gz
+  publish-to-bcr:
+    needs: release
+    uses: ./.github/workflows/publish-to-bcr.yml
+    with:
+      tag_name: ${{ github.ref_name }}
+    secrets:
+      publish_token: ${{ secrets.PUBLISH_TOKEN }}
