name: 'Release' on: push: # take no actions on push to any branch... branches-ignore: - '**' # ... only act on release tags tags: - 'v*' env: GO_VERSION: "1.14.x" jobs: wait-for-checks: runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS. steps: - uses: actions/checkout@v2 # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main - name: Ensure tagged commit is on main run: | echo "Tag: ${GITHUB_REF##*/}" git fetch origin main git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!" - name: Check static analysis results uses: fountainhead/action-wait-for-check@v1.0.0 id: static-analysis with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml) checkName: "Static-Analysis (1.x, ubuntu-latest)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check unit + integration results (latest go version) uses: fountainhead/action-wait-for-check@v1.0.0 id: unit-integration with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the circle-ci workflow name (in .circleci/config.yaml) checkName: "Tests (1.x, ubuntu-latest)" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (linux) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-linux with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Linux" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check acceptance test results (mac) uses: fountainhead/action-wait-for-check@v1.0.0 id: acceptance-mac with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Acceptance-Mac" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Check inline comparison test results uses: fountainhead/action-wait-for-check@v1.0.0 id: inline-compare with: token: ${{ secrets.GITHUB_TOKEN }} # This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml) checkName: "Inline-Compare" ref: ${{ github.event.pull_request.head.sha || github.sha }} - name: Quality gate if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' run: | echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}" echo "Unit & Integration Test Status: ${{ steps.unit-integration.outputs.conclusion }}" echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" echo "Inline Compare Status: ${{ steps.inline-compare.outputs.conclusion }}" false release: needs: [ wait-for-checks ] runs-on: macos-latest # Due to our code signing process, it's vital that we run our release steps on macOS. steps: - uses: actions/setup-go@v2 with: go-version: ${{ env.GO_VERSION }} - uses: actions/checkout@v2 with: fetch-depth: 0 # We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow. - name: Restore bootstrap cache id: cache uses: actions/cache@v2 with: path: | ~/go/pkg/mod ${{ github.workspace }}/.tmp key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }} restore-keys: | ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}- ${{ runner.os }}-go-${{ env.GO_VERSION }}- - name: Import GPG key id: import_gpg uses: crazy-max/ghaction-import-gpg@v2 env: GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} - name: GPG signing info run: | echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}" echo "keyid: ${{ steps.import_gpg.outputs.keyid }}" echo "name: ${{ steps.import_gpg.outputs.name }}" echo "email: ${{ steps.import_gpg.outputs.email }}" - name: Build & publish release artifacts run: make release env: GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }} GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }} PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }} SIGNING_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }} AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }} APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} # Used during macOS code signing. APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} # Used during macOS code signing. AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} # Used during macOS notarization. AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} # Used during macOS notarization. - uses: 8398a7/action-slack@v3 with: status: ${{ job.status }} fields: repo,workflow,action,eventName text: "A new Syft release is ready to be manually published: https://github.com/anchore/syft/releases" env: SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} if: ${{ success() }} - uses: actions/upload-artifact@v2 with: name: artifacts path: dist/**/*