syft/.github/workflows/release.yaml

name: "Release"

permissions: {}

# there should never be two releases in progress at the same time
concurrency:
  group: release
  cancel-in-progress: false

on:
  workflow_dispatch:
    inputs:
      version:
        description: tag the latest commit on main with the given version (prefixed with v)
        required: true
      phase:
        description: the specific workflow phase to run or all
        required: true
        default: "all"
        type: choice
        options:
          - "all"
          - "install-script-only"

jobs:

  version-available:
    if: ${{ github.event.inputs.phase == 'all' }}
    uses: anchore/workflows/.github/workflows/check-version-available.yaml@8b2b1caf40e03933c6807e03b99e883e2ceb5ac8 # v0.4.0
    with:
      version: ${{ github.event.inputs.version }}

  check-gate:
    if: ${{ github.event.inputs.phase == 'all' }}
    permissions:
      checks: read   # required for getting the status of specific check names
    uses: anchore/workflows/.github/workflows/check-gate.yaml@8b2b1caf40e03933c6807e03b99e883e2ceb5ac8 # v0.4.0
    with:
      # these are checks that should be run on pull-request and merges to main.
      # we do NOT want to kick off a release if these have not been verified on main.
      # Please see the validations.yaml workflow for the names that should be used here.
      checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'

  release:
    needs: [ check-gate, version-available ]
    if: ${{ github.event.inputs.phase == 'all' }}
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
    runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
    permissions:
      contents: write
      packages: write
      # required for goreleaser signs section with cosign
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: true

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap

      - name: Login to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
        with:
          username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
          password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121  #v4.1.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Tag release
        run: |
          git config --global user.name "anchoreci"
          git config --global user.email "anchoreci@users.noreply.github.com"
          git tag -a "$VERSION" -m "Release $VERSION"
          git push origin --tags
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.event.inputs.version }}

      - name: Build & publish release artifacts
        run: make ci-release
        env:
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          # for creating the release (requires write access to packages and content)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # for updating brew formula in anchore/homebrew-syft
          GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}

      - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v0.24.0
        continue-on-error: true
        with:
          file: go.mod
          artifact-name: sbom.spdx.json

      - name: Notify Slack of new release
        uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c #v3.0.3
        continue-on-error: true
        with:
          webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
          webhook-type: incoming-webhook
          payload: |
            text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
            blocks:
              - type: section
                text:
                  type: mrkdwn
                  text: |
                    *A new Syft release has been published* :rocket:
                    • Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
                    • Repo: `${{ github.repository }}`
                    • Workflow: `${{ github.workflow }}`
                    • Event: `${{ github.event_name }}`
        if: ${{ success() }}

  release-install-script:
    needs: [ release ]
    if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
    uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
    with:
      tag: ${{ github.event.inputs.version }}
    secrets:
      # needed for r2...
      R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
      R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
      R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
      # needed for s3...
      S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
      S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}