mirror of
https://github.com/anchore/syft.git
synced 2026-02-12 18:46:41 +01:00
27b1219e98
Bumps the actions-minor-patch group with 3 updates in the / directory: [actions/checkout](https://github.com/actions/checkout), [actions/setup-go](https://github.com/actions/setup-go) and [github/codeql-action](https://github.com/github/codeql-action). Bumps the actions-minor-patch group with 1 update in the /.github/actions/bootstrap directory: [actions/setup-go](https://github.com/actions/setup-go). Updates `actions/checkout` from 6.0.1 to 6.0.2 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](8e8c483db8...de0fac2e45) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](4dc6199c7b...7a3fe6cf4c) Updates `github/codeql-action` from 4.31.9 to 4.31.10 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](5d4e8d1aca...cdefb33c0f) Updates `actions/setup-go` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](4dc6199c7b...7a3fe6cf4c) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: github/codeql-action dependency-version: 4.31.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions-minor-patch - dependency-name: actions/setup-go dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
229 lines
10 KiB
YAML
229 lines
10 KiB
YAML
name: "Release"
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: tag the latest commit on main with the given version (prefixed with v)
|
|
required: true
|
|
phase:
|
|
description: the specific workflow phase to run or all
|
|
required: true
|
|
default: "all"
|
|
type: choice
|
|
options:
|
|
- "all"
|
|
- "install-script-only"
|
|
|
|
jobs:
|
|
quality-gate:
|
|
environment: release
|
|
if: ${{ github.event.inputs.phase == 'all' }}
|
|
runs-on: ubuntu-24.04
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Bootstrap environment
|
|
uses: ./.github/actions/bootstrap
|
|
|
|
- name: Validate Apple notarization credentials
|
|
run: .tool/quill submission list
|
|
env:
|
|
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
|
|
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
|
|
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
|
|
|
|
- name: Check if running on main
|
|
if: github.ref != 'refs/heads/main'
|
|
# we are using the following flag when running `cosign blob-verify` for checksum signature verification:
|
|
# --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
|
|
# if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
|
|
# at the time of when the OIDC token was issued on the Github Actions runner.
|
|
run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1
|
|
|
|
- name: Check if tag already exists
|
|
# note: this will fail if the tag already exists
|
|
run: |
|
|
[[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
|
|
git tag "$VERSION"
|
|
env:
|
|
VERSION: ${{ github.event.inputs.version }}
|
|
|
|
- name: Check static analysis results
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: static-analysis
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Static analysis"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check unit test results
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: unit
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Unit tests"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check integration test results
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: integration
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Integration tests"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (linux)
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: acceptance-linux
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Acceptance tests (Linux)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (mac)
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: acceptance-mac
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Acceptance tests (Mac)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check cli test results (linux)
|
|
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
|
|
id: cli-linux
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "CLI tests (Linux)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Quality gate
|
|
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
|
|
env:
|
|
STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
|
|
UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
|
|
INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
|
|
ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
|
|
ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
|
|
CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
|
|
run: |
|
|
echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
|
|
echo "Unit Test Status: $UNIT_TEST_STATUS"
|
|
echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
|
|
echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
|
|
echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
|
|
echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
|
|
false
|
|
|
|
release:
|
|
needs: [ quality-gate ]
|
|
if: ${{ github.event.inputs.phase == 'all' }}
|
|
# runs-on.com: compute instances for parallel builds
|
|
# spot disabled: reliability for build workflows (used for releases too)
|
|
# goreleaser uses parallelism of 12, so we need more CPUs
|
|
# s3-cache: faster actions cache
|
|
# tmpfs: faster io-intensive workflows
|
|
runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
|
|
permissions:
|
|
contents: write
|
|
packages: write
|
|
# required for goreleaser signs section with cosign
|
|
id-token: write
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: true
|
|
|
|
- name: Bootstrap environment
|
|
uses: ./.github/actions/bootstrap
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0
|
|
with:
|
|
username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
|
|
password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef #v3.6.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Tag release
|
|
run: |
|
|
git config --global user.name "anchoreci"
|
|
git config --global user.email "anchoreci@users.noreply.github.com"
|
|
git tag -a "$VERSION" -m "Release $VERSION"
|
|
git push origin --tags
|
|
env:
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
VERSION: ${{ github.event.inputs.version }}
|
|
|
|
- name: Build & publish release artifacts
|
|
run: make ci-release
|
|
env:
|
|
# for mac signing and notarization...
|
|
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
|
|
QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
|
|
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
|
|
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
|
|
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
|
|
# for creating the release (requires write access to packages and content)
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# for updating brew formula in anchore/homebrew-syft
|
|
GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
|
|
|
|
- uses: anchore/sbom-action@0b82b0b1a22399a1c542d4d656f70cd903571b5c #v0.21.1
|
|
continue-on-error: true
|
|
with:
|
|
file: go.mod
|
|
artifact-name: sbom.spdx.json
|
|
|
|
- name: Notify Slack of new release
|
|
uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a #v2.1.1
|
|
continue-on-error: true
|
|
with:
|
|
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
|
|
webhook-type: incoming-webhook
|
|
payload: |
|
|
text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
|
|
blocks:
|
|
- type: section
|
|
text:
|
|
type: mrkdwn
|
|
text: |
|
|
*A new Syft release has been published* :rocket:
|
|
• Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
|
|
• Repo: `${{ github.repository }}`
|
|
• Workflow: `${{ github.workflow }}`
|
|
• Event: `${{ github.event_name }}`
|
|
if: ${{ success() }}
|
|
|
|
release-install-script:
|
|
needs: [ release ]
|
|
if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
|
|
uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
|
|
with:
|
|
tag: ${{ github.event.inputs.version }}
|
|
secrets:
|
|
# needed for r2...
|
|
R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
|
|
R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
|
|
R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
|
|
# needed for s3...
|
|
S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
|
|
S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
|