name: "Release" on: push: # take no actions on push to any branch... branches-ignore: - "**" # ... only act on release tags tags: - "v*" env: GO_VERSION: "1.18.x" jobs: quality-gate: environment: release runs-on: ubuntu-20.04 steps: - uses: actions/checkout@v2 # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main - name: Ensure tagged commit is on main run: | echo "Tag: ${GITHUB_REF##*/}" git fetch origin main git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!" - name: Check static analysis results uses: fountainhead/action-wait-for-check@v1.0.0 id: static-analysis with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "Static analysis" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check unit test results uses: fountainhead/action-wait-for-check@v1.0.0 id: unit with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "Unit tests" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check integration test results uses: fountainhead/action-wait-for-check@v1.0.0 id: integration with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "Integration tests" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (linux) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-linux with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "Acceptance tests (Linux)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (mac) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-mac with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "Acceptance tests (Mac)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check cli test results (linux) uses: fountainhead/action-wait-for-check@v1.0.0 id: cli-linux with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/testing.yaml) checkName: "CLI tests (Linux)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Quality gate if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' run: | echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}" echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}" echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}" echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}" false release: needs: [quality-gate] runs-on: ubuntu-20.04 permissions: packages: write steps: - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: fetch-depth: 0 - name: Restore tool cache id: tool-cache uses: actions/cache@v2.1.3 with: path: ${{ github.workspace }}/.tmp key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }} - name: Restore go cache id: go-cache uses: actions/cache@v2.1.3 with: path: ~/go/pkg/mod key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}- - name: (cache-miss) Bootstrap all project dependencies if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true' run: make bootstrap - name: Login to Docker Hub uses: docker/login-action@v2 with: username: ${{ secrets.TOOLBOX_DOCKER_USER }} password: ${{ secrets.TOOLBOX_DOCKER_PASS }} - name: Login to GitHub Container Registry uses: docker/login-action@v2 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build & publish release artifacts run: make release env: QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }} QUILL_SIGN_PASSWORD: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: anchore/sbom-action@v0 continue-on-error: true with: artifact-name: sbom.spdx.json - uses: 8398a7/action-slack@v3 continue-on-error: true with: status: ${{ job.status }} fields: repo,workflow,action,eventName text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.ref_name }}" env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} if: ${{ success() }} - uses: actions/upload-artifact@v2 with: name: artifacts path: dist/**/*