name: 'Release' on: push: # take no actions on push... branches-ignore: - '**' # ... only act on release tags tags: - 'v*' env: GO_VERSION: "1.14.x" jobs: wait-for-checks: runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto master - name: Ensure tagged commit is on master run: | echo "Tag: ${GITHUB_REF##*/}" git fetch origin master git merge-base --is-ancestor ${GITHUB_REF##*/} origin/master && echo "${GITHUB_REF##*/} is a commit on master!" - name: Check static anaylysis, unit, and integration test results uses: fountainhead/action-wait-for-check@v1.0.0 id: sa-unit-int with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml) checkName: "Static Analysis + Unit + Integration" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (linux) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-linux with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Linux" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (mac) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-mac with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Mac" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Quality gate if: steps.sa-unit-int.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' run: | echo "Static/Unit/Integration Status: ${{ steps.sa-unit-int.outputs.conclusion }}" echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" false release: needs: [ wait-for-checks ] runs-on: ubuntu-latest steps: # TODO: remove me after release - name: Configure git for private modules env: TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }} run: git config --global url."https://anchore:${TOKEN}@github.com".insteadOf "https://github.com" - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 - name: Restore bootstrap cache id: cache uses: actions/cache@v2 with: path: | ~/go/pkg/mod ${{ github.workspace }}/.tmp key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}- ${{ runner.os }}-go-${{ env.GO_VERSION }}- - name: Bootstrap dependencies if: steps.cache.outputs.cache-hit != 'true' run: make ci-bootstrap - name: Import GPG key id: import_gpg uses: crazy-max/ghaction-import-gpg@v2 env: GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} - name: GPG signing info run: | echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}" echo "keyid: ${{ steps.import_gpg.outputs.keyid }}" echo "name: ${{ steps.import_gpg.outputs.name }}" echo "email: ${{ steps.import_gpg.outputs.email }}" - name: Build & publish release artifacts run: make release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} SIGNING_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} TOOLBOX_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} TOOLBOX_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} - uses: actions/upload-artifact@v2 with: name: artifacts path: dist/**/*