syft/.github/workflows/release.yaml

name: "Release"

permissions: {}

# there should never be two releases in progress at the same time
concurrency:
  group: release
  cancel-in-progress: false

on:
  workflow_dispatch:
    inputs:
      version:
        description: tag the latest commit on main with the given version (prefixed with v)
        required: true
      phase:
        description: the specific workflow phase to run or all
        required: true
        default: "all"
        type: choice
        options:
          - "all"
          - "install-script-only"

jobs:
  version-available:
    if: ${{ github.event.inputs.phase == 'all' }}
    permissions:
      contents: read # required for fetching tags
    uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    with:
      version: ${{ github.event.inputs.version }}

  check-gate:
    if: ${{ github.event.inputs.phase == 'all' }}
    permissions:
      checks: read # required for getting the status of specific check names
    uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    with:
      # these are checks that should be run on pull-request and merges to main.
      # we do NOT want to kick off a release if these have not been verified on main.
      # Please see the validations.yaml workflow for the names that should be used here.
      checks: '["Acceptance tests (Linux)", "Acceptance tests (Mac)", "Build snapshot artifacts", "CLI tests (Linux)", "Integration tests", "Static analysis", "Unit tests"]'

  release:
    needs: [check-gate, version-available]
    if: ${{ github.event.inputs.phase == 'all' }}
    environment: release
    # runs-on.com: compute instances for parallel builds
    #   spot disabled: reliability for build workflows (used for releases too)
    #   goreleaser uses parallelism of 12, so we need more CPUs
    #   s3-cache: faster actions cache
    #   tmpfs: faster io-intensive workflows
    runs-on: runs-on=${{ github.run_id }}/cpu=16+32/ram=32+128/family=c5+c6+c7+c8/spot=false/extras=s3-cache+tmpfs
    permissions:
      contents: write # required for creating the GitHub release and pushing the version tag
      packages: write # required for publishing release artifacts to GitHub packages
      id-token: write # required for keyless signing (cosign/sigstore OIDC)
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
        with:
          fetch-depth: 0
          persist-credentials: true

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap

      - name: Login to Docker Hub
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
          password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee #v4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & publish release artifacts
        run: make ci-release
        env:
          # used for pushing tags
          DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
          RELEASE_VERSION: ${{ github.event.inputs.version }}
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          # for creating the release (requires write access to packages and content)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # for updating brew formula in anchore/homebrew-syft
          GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}

      - uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 #v0.24.0
        continue-on-error: true
        with:
          file: go.mod
          artifact-name: sbom.spdx.json

  release-install-script:
    needs: [release]
    if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
    permissions:
      contents: read # required for the reusable workflow to check out the repo and publish the install script
    uses: anchore/workflows/.github/workflows/release-install-script.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
    with:
      tag: ${{ github.event.inputs.version }}
    secrets:
      # needed for r2...
      R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
      R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
      R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
      # needed for s3...
      S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
      S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}