name: "Release" permissions: {} # there should never be two releases in progress at the same time concurrency: group: release cancel-in-progress: false on: workflow_dispatch: inputs: version: description: tag the latest commit on main with the given version (prefixed with v) required: true phase: description: the specific workflow phase to run or all required: true default: "all" type: choice options: - "all" - "install-script-only" jobs: version-available: if: ${{ github.event.inputs.phase == 'all' }} permissions: contents: read # required for fetching tags uses: anchore/workflows/.github/workflows/check-version-available.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0 with: version: ${{ github.event.inputs.version }} check-gate: if: ${{ github.event.inputs.phase == 'all' }} permissions: checks: read # required for getting the status of specific check names uses: anchore/workflows/.github/workflows/check-gate.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0 with: # these are checks that should be run on pull-request and merges to main. # we do NOT want to kick off a release if these have not been verified on main. # Please see the validations.yaml workflow for the names that should be used here. checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]' release: needs: [check-gate, version-available] if: ${{ github.event.inputs.phase == 'all' }} environment: release # runs-on.com: compute instances for parallel builds # spot disabled: reliability for build workflows (used for releases too) # goreleaser uses parallelism of 12, so we need more CPUs # s3-cache: faster actions cache # tmpfs: faster io-intensive workflows runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs permissions: contents: write # required for creating the GitHub release and pushing the version tag packages: write # required for publishing release artifacts to GitHub packages id-token: write # required for keyless signing (cosign/sigstore OIDC) steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: fetch-depth: 0 persist-credentials: true - name: Bootstrap environment uses: ./.github/actions/bootstrap - name: Login to Docker Hub uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 with: username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }} password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }} - name: Login to GitHub Container Registry uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build & publish release artifacts run: make ci-release env: # used for pushing tags DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }} RELEASE_VERSION: ${{ github.event.inputs.version }} # for mac signing and notarization... QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }} QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }} QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} # for creating the release (requires write access to packages and content) GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # for updating brew formula in anchore/homebrew-syft GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }} - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v0.24.0 continue-on-error: true with: file: go.mod artifact-name: sbom.spdx.json - name: Notify Slack of new release uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c #v3.0.3 continue-on-error: true with: webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }} webhook-type: incoming-webhook payload: | text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}" blocks: - type: section text: type: mrkdwn text: | *A new Syft release has been published* :rocket: • Release: • Repo: `${{ github.repository }}` • Workflow: `${{ github.workflow }}` • Event: `${{ github.event_name }}` if: ${{ success() }} release-install-script: needs: [release] if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }} permissions: contents: read # required for the reusable workflow to check out the repo and publish the install script uses: anchore/workflows/.github/workflows/release-install-script.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0 with: tag: ${{ github.event.inputs.version }} secrets: # needed for r2... R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }} R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }} R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }} # needed for s3... S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }} S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}