name: "Release" on: push: # take no actions on push to any branch... branches-ignore: - "**" # ... only act on release tags tags: - "v*" env: GO_VERSION: "1.15.x" jobs: quality-gate: environment: release runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS. steps: - uses: actions/checkout@v2 # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main - name: Ensure tagged commit is on main run: | echo "Tag: ${GITHUB_REF##*/}" git fetch origin main git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!" - name: Check static analysis results uses: fountainhead/action-wait-for-check@v1.0.0 id: static-analysis with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml) checkName: "Static-Analysis (1.x, ubuntu-latest)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check unit + integration results (latest go version) uses: fountainhead/action-wait-for-check@v1.0.0 id: unit-integration with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml) checkName: "Tests (1.x, ubuntu-latest)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (linux) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-linux with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Linux" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (mac) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-mac with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Mac" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check inline comparison test results uses: fountainhead/action-wait-for-check@v1.0.0 id: inline-compare with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Inline-Compare" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check container image smoke test results uses: fountainhead/action-wait-for-check@v1.0.0 id: smoke-test-container-image with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .github/workflows/acceptance-test.yaml) checkName: "Smoke-Test-Container-Image" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Quality gate if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' || steps.smoke-test-container-image.outputs.conclusion != 'success' run: | echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}" echo "Unit & Integration Test Status: ${{ steps.unit-integration.outputs.conclusion }}" echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" echo "Inline Compare Status: ${{ steps.inline-compare.outputs.conclusion }}" echo "Smoke Test Container Image Status: ${{ steps.smoke-test-container-image.outputs.conclusion }}" false build-assets-mac: needs: [ quality-gate ] runs-on: macos-latest # Due to our code signing process, it's vital that we run these release steps on macOS. steps: - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 # We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow. - name: Restore bootstrap cache id: cache uses: actions/cache@v2.1.3 with: path: | ~/go/pkg/mod ${{ github.workspace }}/.tmp key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}- ${{ runner.os }}-go-${{ env.GO_VERSION }}- - name: Build for macOS run: make build-mac - name: Create macOS release assets run: make package-mac env: APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} # Used during macOS code signing. APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} # Used during macOS code signing. AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} # Used during macOS notarization. AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} # Used during macOS notarization. - uses: actions/upload-artifact@v2 with: name: macOS-artifacts path: "./dist/*_darwin_*.*" build-assets-linux: needs: [ quality-gate ] runs-on: ubuntu-latest steps: - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 # We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow. - name: Restore bootstrap cache id: cache uses: actions/cache@v2.1.3 with: path: | ~/go/pkg/mod ${{ github.workspace }}/.tmp key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}- ${{ runner.os }}-go-${{ env.GO_VERSION }}- - name: Import GPG key id: import_gpg uses: crazy-max/ghaction-import-gpg@v2 env: GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} - name: GPG signing info run: | echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}" echo "keyid: ${{ steps.import_gpg.outputs.keyid }}" echo "name: ${{ steps.import_gpg.outputs.name }}" echo "email: ${{ steps.import_gpg.outputs.email }}" - name: Build Linux assets run: make build-linux - name: Package Linux release assets run: make package-linux env: GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} - uses: actions/upload-artifact@v2 with: name: Linux-artifacts path: | ./dist/*_linux_*.* ./dist/*_checksums.* draft-release: needs: [ build-assets-mac, build-assets-linux ] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 with: # fetch all history --this is necessary since we are referencing multiple tags during the release process (for changelog generation) fetch-depth: 0 # We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow. - name: Restore bootstrap cache id: cache uses: actions/cache@v2.1.3 with: path: | ~/go/pkg/mod ${{ github.workspace }}/.tmp key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}- ${{ runner.os }}-go-${{ env.GO_VERSION }}- - uses: actions/download-artifact@v2 # Downloads all artifacts - name: Generate changelog run: make changelog-release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token - name: Create draft release uses: actions/create-release@v1 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token with: tag_name: ${{ github.ref }} release_name: ${{ github.ref }} body_path: "./CHANGELOG.md" draft: true prerelease: false - name: Upload release assets run: | # Solution found at https://github.com/actions/upload-release-asset/issues/28#issuecomment-617208601 after seeing that the native "actions/upload-release-asset" might not be actively maintained. set -eux assets=() for asset in ./Linux-artifacts/*; do assets+=("-a" "$asset") done for asset in ./macOS-artifacts/*; do assets+=("-a" "$asset") done tag_name="${GITHUB_REF##*/}" hub release edit -m "" "${assets[@]}" "$tag_name" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - uses: 8398a7/action-slack@v3 with: status: ${{ job.status }} fields: repo,workflow,action,eventName text: "A new Syft release is ready to be manually published: https://github.com/anchore/syft/releases" env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} if: ${{ success() }}