mirror of
https://github.com/anchore/syft.git
synced 2025-11-17 08:23:15 +01:00
6195002ae5
* Create independent build targets for Mac and Linux Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Create targets for macOS signing and notarization Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Create target for Linux packaging Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Update release workflow and leverage new make targets Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Add release assets to release draft Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Add homebrew formula release follow-up and improve Makefile Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Add follow-up workflow for updating version check file Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Get rid of fetch depth 0 for checkout action Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Add follow-up workflow for Docker images Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Restore wait-for-checks job Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Replace make functions with shell functions Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * Account for envsubst command in bootstrap-ci-linux Signed-off-by: Dan Luhring <dan.luhring@anchore.com> * move homebrew generation into script Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add release approval step; remove goreleaser; add docker image smoke testing in acceptance step Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * replace homebrew formula template file with heredoc template Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update release documentation Signed-off-by: Alex Goodman <alex.goodman@anchore.com> Co-authored-by: Alex Goodman <alex.goodman@anchore.com>
250 lines
10 KiB
YAML
250 lines
10 KiB
YAML
name: "Release"
|
|
on:
|
|
push:
|
|
# take no actions on push to any branch...
|
|
branches-ignore:
|
|
- "**"
|
|
# ... only act on release tags
|
|
tags:
|
|
- "v*"
|
|
|
|
env:
|
|
GO_VERSION: "1.15.x"
|
|
|
|
jobs:
|
|
quality-gate:
|
|
environment: release
|
|
runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS.
|
|
steps:
|
|
|
|
- uses: actions/checkout@v2
|
|
|
|
# we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
|
|
- name: Ensure tagged commit is on main
|
|
run: |
|
|
echo "Tag: ${GITHUB_REF##*/}"
|
|
git fetch origin main
|
|
git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
|
|
|
|
- name: Check static analysis results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: static-analysis
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the circle-ci workflow name (in .circleci/config.yaml)
|
|
checkName: "Static-Analysis (1.x, ubuntu-latest)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check unit + integration results (latest go version)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: unit-integration
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the circle-ci workflow name (in .circleci/config.yaml)
|
|
checkName: "Tests (1.x, ubuntu-latest)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (linux)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: acceptance-linux
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
|
|
checkName: "Acceptance-Linux"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (mac)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: acceptance-mac
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
|
|
checkName: "Acceptance-Mac"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check inline comparison test results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: inline-compare
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/acceptance-test.yaml)
|
|
checkName: "Inline-Compare"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check container image smoke test results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: smoke-test-container-image
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the circle-ci workflow name (in .github/workflows/acceptance-test.yaml)
|
|
checkName: "Smoke-Test-Container-Image"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Quality gate
|
|
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit-integration.outputs.conclusion != 'success' || steps.inline-compare.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' || steps.smoke-test-container-image.outputs.conclusion != 'success'
|
|
run: |
|
|
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
|
|
echo "Unit & Integration Test Status: ${{ steps.unit-integration.outputs.conclusion }}"
|
|
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
|
|
echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
|
|
echo "Inline Compare Status: ${{ steps.inline-compare.outputs.conclusion }}"
|
|
echo "Smoke Test Container Image Status: ${{ steps.smoke-test-container-image.outputs.conclusion }}"
|
|
false
|
|
|
|
build-assets-mac:
|
|
needs: [ quality-gate ]
|
|
runs-on: macos-latest # Due to our code signing process, it's vital that we run these release steps on macOS.
|
|
steps:
|
|
- uses: actions/setup-go@v2
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- uses: actions/checkout@v2
|
|
|
|
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
|
|
- name: Restore bootstrap cache
|
|
id: cache
|
|
uses: actions/cache@v2.1.3
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
${{ github.workspace }}/.tmp
|
|
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-
|
|
|
|
- name: Build for macOS
|
|
run: make build-mac
|
|
|
|
- name: Create macOS release assets
|
|
run: make package-mac
|
|
env:
|
|
APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }} # Used during macOS code signing.
|
|
APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }} # Used during macOS code signing.
|
|
AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }} # Used during macOS notarization.
|
|
AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }} # Used during macOS notarization.
|
|
|
|
- uses: actions/upload-artifact@v2
|
|
with:
|
|
name: macOS-artifacts
|
|
path: "./dist/*_darwin_*.*"
|
|
|
|
build-assets-linux:
|
|
needs: [ quality-gate ]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/setup-go@v2
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- uses: actions/checkout@v2
|
|
|
|
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
|
|
- name: Restore bootstrap cache
|
|
id: cache
|
|
uses: actions/cache@v2.1.3
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
${{ github.workspace }}/.tmp
|
|
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-
|
|
|
|
- name: Import GPG key
|
|
id: import_gpg
|
|
uses: crazy-max/ghaction-import-gpg@v2
|
|
env:
|
|
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
|
|
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
|
|
|
|
- name: GPG signing info
|
|
run: |
|
|
echo "fingerprint: ${{ steps.import_gpg.outputs.fingerprint }}"
|
|
echo "keyid: ${{ steps.import_gpg.outputs.keyid }}"
|
|
echo "name: ${{ steps.import_gpg.outputs.name }}"
|
|
echo "email: ${{ steps.import_gpg.outputs.email }}"
|
|
|
|
- name: Build Linux assets
|
|
run: make build-linux
|
|
|
|
- name: Package Linux release assets
|
|
run: make package-linux
|
|
env:
|
|
GPG_PRIVATE_KEY: ${{ secrets.SIGNING_GPG_PRIVATE_KEY }}
|
|
PASSPHRASE: ${{ secrets.SIGNING_GPG_PASSPHRASE }}
|
|
|
|
- uses: actions/upload-artifact@v2
|
|
with:
|
|
name: Linux-artifacts
|
|
path: |
|
|
./dist/*_linux_*.*
|
|
./dist/*_checksums.*
|
|
|
|
draft-release:
|
|
needs: [ build-assets-mac, build-assets-linux ]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
with:
|
|
# fetch all history --this is necessary since we are referencing multiple tags during the release process (for changelog generation)
|
|
fetch-depth: 0
|
|
|
|
# We are expecting this cache to have been created during the "Build-Snapshot-Artifacts" job in the "Acceptance" workflow.
|
|
- name: Restore bootstrap cache
|
|
id: cache
|
|
uses: actions/cache@v2.1.3
|
|
with:
|
|
path: |
|
|
~/go/pkg/mod
|
|
${{ github.workspace }}/.tmp
|
|
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-${{ hashFiles('Makefile') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}-
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-
|
|
|
|
|
|
- uses: actions/download-artifact@v2 # Downloads all artifacts
|
|
|
|
- name: Generate changelog
|
|
run: make changelog-release
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
|
|
|
|
- name: Create draft release
|
|
uses: actions/create-release@v1
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
|
|
with:
|
|
tag_name: ${{ github.ref }}
|
|
release_name: ${{ github.ref }}
|
|
body_path: "./CHANGELOG.md"
|
|
draft: true
|
|
prerelease: false
|
|
|
|
- name: Upload release assets
|
|
run: | # Solution found at https://github.com/actions/upload-release-asset/issues/28#issuecomment-617208601 after seeing that the native "actions/upload-release-asset" might not be actively maintained.
|
|
set -eux
|
|
assets=()
|
|
for asset in ./Linux-artifacts/*; do
|
|
assets+=("-a" "$asset")
|
|
done
|
|
for asset in ./macOS-artifacts/*; do
|
|
assets+=("-a" "$asset")
|
|
done
|
|
tag_name="${GITHUB_REF##*/}"
|
|
hub release edit -m "" "${assets[@]}" "$tag_name"
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- uses: 8398a7/action-slack@v3
|
|
with:
|
|
status: ${{ job.status }}
|
|
fields: repo,workflow,action,eventName
|
|
text: "A new Syft release is ready to be manually published: https://github.com/anchore/syft/releases"
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
|
|
if: ${{ success() }}
|