-
Notifications
You must be signed in to change notification settings - Fork 54
127 lines (111 loc) · 4.89 KB
/
release.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
name: create release on new tags
# This workflow is triggered by new version tags (e.g. "1.12.2" without leading "v") on the main
# branch.
#
# Tagging should be automatic after each merged PR release (see the build.yaml workflow).
# Alternatively, this workflow can be triggered by manually creating a tag on the main branch with
# the aforementioned format. Note that the tests are *not* run by this workflow, and that you
# should therefore apply caution before manually tagging the main branch in order to trigger it.
#
# This workflow contains a check that the tag matches the version set in
# ./pkg/chartverifier/version/version_info.json.
#
# In order to recreate a GitHub release and rebuild its associated assets, first the tag needs to
# be manually deleted (e.g `git tag --delete 1.12.2 && git push --delete origin 1.12.2`). The
# GitHub release that was created for this tag automatically turns into a "Draft" release and will
# need to be manually cleaned up, though it doesn't constitute a blocker for this workflow to run.
# Finally, as mentioned above, create a new tag (e.g. `git tag 1.12.2 && git push --tags`) to
# recreate the release.
#
# This workflow builds all release assets (the tarball and the container images), creates the
# Github release and attaches the tarball to it.
on:
push:
# Publish semver tags as releases.
tags: '[0-9]+.[0-9]+.[0-9]+'
jobs:
build-and-release:
name: Create GitHub release
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Print tag to GITHUB_OUTPUT
id: get_tag
run: |
echo "release_version=${GITHUB_REF#refs/*/}" | tee -a $GITHUB_OUTPUT
- name: Build binary and make tarball
id: build_bin
run: |
make bin
TARBALL_NAME="chart-verifier.tgz-${{ steps.get_tag.outputs.release_version }}.tgz"
tar -zcvf $TARBALL_NAME -C out/ chart-verifier
export TARBALL_PATH=$(realpath $TARBALL_NAME)
echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
- name: Check that the tag matches the current version
id: check_tag_and_version
run: |
release_version=${{ steps.get_tag.outputs.release_version }}
bin_version=$(out/chart-verifier version --as-data | jq -r .version)
if [[ "$release_version" != "$bin_version" ]]; then
echo "Binary version ($bin_version) doesn't match tag ($release_version)" && exit 1
fi
- name: Generate SBOM filename
id: generate_sbom_filename
run: echo sbom_filename="${{ github.event.repository.name }}-${{ steps.get_tag.outputs.release_version }}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
- name: Generate SBOM
continue-on-error: true
id: generate_sbom
uses: anchore/sbom-action@v0
with:
# Setting path to null works around this bug:
# https://github.com/anchore/sbom-action/issues/389
path: null
file: go.mod
format: spdx-json
output-file: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
artifact-name: ${{ steps.generate_sbom_filename.outputs.sbom_filename }}
upload-release-assets: false
- name: Set up Python 3.x
uses: ./.github/actions/setup-python
- name: Set up Python scripts
run: |
# set up python requirements and scripts on PR branch
python3 -m venv ve1
cd scripts && ../ve1/bin/pip3 install -r requirements.txt && cd ..
cd scripts && ../ve1/bin/pip3 install . && cd ..
- name: Generate release body
id: release_body
run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
- name: Create the release
id: create_release
uses: softprops/action-gh-release@v2
with:
tag_name: ${{ steps.get_tag.outputs.release_version }}
body: ${{ steps.release_body.outputs.release_body }}
files: |
${{ steps.build_bin.outputs.tarball_path }}
${{ steps.generate_sbom_filename.outputs.sbom_filename }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Build container images
id: build_container_images
run: |
# Build podman images locally
make build-image IMAGE_TAG=${{ steps.get_tag.outputs.release_version }}
make build-image IMAGE_TAG=latest
- name: Push to quay.io
id: push_to_quay
uses: redhat-actions/push-to-registry@v2
with:
image: chart-verifier
tags: |
${{ steps.get_tag.outputs.release_version }}
latest
registry: quay.io/redhat-certification
username: ${{ secrets.QUAY_BOT_USERNAME }}
password: ${{ secrets.QUAY_BOT_TOKEN }}