mirror of
https://github.com/anchore/syft.git
synced 2026-05-20 04:05:24 +02:00
c09a009bda
Bumps the actions-minor-patch group with 4 updates in the / directory: [anchore/workflows/.github/workflows/codeql.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-version-available.yaml](https://github.com/anchore/workflows), [anchore/workflows/.github/workflows/check-gate.yaml](https://github.com/anchore/workflows) and [anchore/workflows/.github/workflows/release-install-script.yaml](https://github.com/anchore/workflows). Updates `anchore/workflows/.github/workflows/codeql.yaml` from 0.5.0 to 0.6.0 - [Commits](e8cee3a591...15122524ce) Updates `anchore/workflows/.github/workflows/check-version-available.yaml` from 0.4.0 to 0.6.0 - [Commits](8b2b1caf40...15122524ce) Updates `anchore/workflows/.github/workflows/check-gate.yaml` from 0.4.0 to 0.6.0 - [Commits](8b2b1caf40...15122524ce) Updates `anchore/workflows/.github/workflows/release-install-script.yaml` from 0.4.0 to 0.6.0 - [Commits](8b2b1caf40...15122524ce) --- updated-dependencies: - dependency-name: anchore/workflows/.github/workflows/codeql.yaml dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-version-available.yaml dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/check-gate.yaml dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch - dependency-name: anchore/workflows/.github/workflows/release-install-script.yaml dependency-version: 0.6.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
140 lines
6.0 KiB
YAML
140 lines
6.0 KiB
YAML
name: "Release"
|
|
|
|
permissions: {}
|
|
|
|
# there should never be two releases in progress at the same time
|
|
concurrency:
|
|
group: release
|
|
cancel-in-progress: false
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
description: tag the latest commit on main with the given version (prefixed with v)
|
|
required: true
|
|
phase:
|
|
description: the specific workflow phase to run or all
|
|
required: true
|
|
default: "all"
|
|
type: choice
|
|
options:
|
|
- "all"
|
|
- "install-script-only"
|
|
|
|
jobs:
|
|
version-available:
|
|
if: ${{ github.event.inputs.phase == 'all' }}
|
|
permissions:
|
|
contents: read # required for fetching tags
|
|
uses: anchore/workflows/.github/workflows/check-version-available.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0
|
|
with:
|
|
version: ${{ github.event.inputs.version }}
|
|
|
|
check-gate:
|
|
if: ${{ github.event.inputs.phase == 'all' }}
|
|
permissions:
|
|
checks: read # required for getting the status of specific check names
|
|
uses: anchore/workflows/.github/workflows/check-gate.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0
|
|
with:
|
|
# these are checks that should be run on pull-request and merges to main.
|
|
# we do NOT want to kick off a release if these have not been verified on main.
|
|
# Please see the validations.yaml workflow for the names that should be used here.
|
|
checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'
|
|
|
|
release:
|
|
needs: [check-gate, version-available]
|
|
if: ${{ github.event.inputs.phase == 'all' }}
|
|
environment: release
|
|
# runs-on.com: compute instances for parallel builds
|
|
# spot disabled: reliability for build workflows (used for releases too)
|
|
# goreleaser uses parallelism of 12, so we need more CPUs
|
|
# s3-cache: faster actions cache
|
|
# tmpfs: faster io-intensive workflows
|
|
runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
|
|
permissions:
|
|
contents: write # required for creating the GitHub release and pushing the version tag
|
|
packages: write # required for publishing release artifacts to GitHub packages
|
|
id-token: write # required for keyless signing (cosign/sigstore OIDC)
|
|
steps:
|
|
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: true
|
|
|
|
- name: Bootstrap environment
|
|
uses: ./.github/actions/bootstrap
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
|
|
with:
|
|
username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
|
|
password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 #v4.1.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build & publish release artifacts
|
|
run: make ci-release
|
|
env:
|
|
# used for pushing tags
|
|
DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
|
|
RELEASE_VERSION: ${{ github.event.inputs.version }}
|
|
# for mac signing and notarization...
|
|
QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
|
|
QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
|
|
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
|
|
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
|
|
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
|
|
# for creating the release (requires write access to packages and content)
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
# for updating brew formula in anchore/homebrew-syft
|
|
GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}
|
|
|
|
- uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v0.24.0
|
|
continue-on-error: true
|
|
with:
|
|
file: go.mod
|
|
artifact-name: sbom.spdx.json
|
|
|
|
- name: Notify Slack of new release
|
|
uses: slackapi/slack-github-action@45a88b9581bfab2566dc881e2cd66d334e621e2c #v3.0.3
|
|
continue-on-error: true
|
|
with:
|
|
webhook: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
|
|
webhook-type: incoming-webhook
|
|
payload: |
|
|
text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
|
|
blocks:
|
|
- type: section
|
|
text:
|
|
type: mrkdwn
|
|
text: |
|
|
*A new Syft release has been published* :rocket:
|
|
• Release: <https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}|${{ github.event.inputs.version }}>
|
|
• Repo: `${{ github.repository }}`
|
|
• Workflow: `${{ github.workflow }}`
|
|
• Event: `${{ github.event_name }}`
|
|
if: ${{ success() }}
|
|
|
|
release-install-script:
|
|
needs: [release]
|
|
if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
|
|
permissions:
|
|
contents: read # required for the reusable workflow to check out the repo and publish the install script
|
|
uses: anchore/workflows/.github/workflows/release-install-script.yaml@15122524ced7906bfa9685eeae12e22647773ea6 # v0.6.0
|
|
with:
|
|
tag: ${{ github.event.inputs.version }}
|
|
secrets:
|
|
# needed for r2...
|
|
R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
|
|
R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
|
|
R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
|
|
# needed for s3...
|
|
S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
|
|
S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
|