Release (Candidate) #30
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release (Candidate) | |
| permissions: read-all | |
| on: | |
| workflow_dispatch: # can be triggered via UI | |
| workflow_call: # can be triggered by other workflows | |
| jobs: | |
| # - name: upload image tar artifact | |
| # uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
| # with: | |
| # name: pepr-img.tar | |
| # path: pepr-img.tar | |
| # retention-days: 1 | |
| # - name: dowload image tar artifact | |
| # uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| # with: | |
| # name: pepr-img.tar | |
| # path: ${{ github.workspace }} | |
| check: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| steps: | |
| - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
| with: | |
| node-version: 20 | |
| registry-url: "https://registry.npmjs.org" | |
| cache: npm | |
| - name: check | |
| id: check | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| npm ci | |
| needed=false | |
| needle="There are no relevant changes, so no new version is released." | |
| if $( npm run sem-rel -- --dry-run | grep --quiet "$needle" ) | |
| then needed=false ; else needed=true | |
| fi | |
| echo "RELEASE_NEEDED=$needed" >> "$GITHUB_OUTPUT" | |
| # npm run sem-rel -- --dry-run | grep --quiet \ | |
| # "There are no relevant changes, so no new version is released." \ | |
| # && exit 1 | |
| # TODO: want to halt the pipeline without actually failing | |
| # https://github.com/orgs/community/discussions/27174, maybe..? | |
| - name: show | |
| run: | | |
| echo "RELEASE_NEEDED=${{ steps.check.outputs.RELEASE_NEEDED }}" | |
| # build: | |
| # needs: [check] | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: write | |
| # steps: | |
| # - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| # with: | |
| # egress-policy: audit | |
| # - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| # - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
| # with: | |
| # node-version: 20 | |
| # registry-url: "https://registry.npmjs.org" | |
| # cache: npm | |
| # - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
| # - name: semantic-release | |
| # env: | |
| # GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| # run: | | |
| # npm ci | |
| # npm run sem-rel -- --dry-run | |
| # build: | |
| # runs-on: ubuntu-latest | |
| # permissions: | |
| # contents: read | |
| # packages: write | |
| # id-token: write | |
| # steps: | |
| # - name: Harden Runner | |
| # uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
| # with: | |
| # egress-policy: audit | |
| # - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| # - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
| # - name: Use Node.js 20 | |
| # uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
| # with: | |
| # node-version: 20 | |
| # registry-url: "https://registry.npmjs.org" | |
| # cache: "npm" | |
| # - name: "Pepr Controller: Login to GHCR" | |
| # uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
| # with: | |
| # registry: ghcr.io | |
| # username: dummy | |
| # password: ${{ github.token }} | |
| # - name: Publish to GHCR | |
| # env: | |
| # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| # run: | | |
| # #!/bin/bash | |
| # npm install -g npm | |
| # npm run version | |
| # # Build Controller Image | |
| # docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} . | |
| # slsa: | |
| # permissions: | |
| # id-token: write | |
| # contents: read | |
| # actions: read | |
| # uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
| # with: | |
| # run-scripts: "version, ci, build" | |
| # publish: | |
| # needs: [slsa] | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - name: Set up Node registry authentication | |
| # uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
| # with: | |
| # node-version: 20 | |
| # registry-url: "https://registry.npmjs.org" | |
| # - name: Publish package | |
| # id: publish | |
| # uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 | |
| # with: | |
| # access: public | |
| # node-auth-token: ${{ secrets.NPM_TOKEN }} | |
| # package-name: ${{ needs.slsa.outputs.package-name }} | |
| # package-download-name: ${{ needs.slsa.outputs.package-download-name }} | |
| # package-download-sha256: ${{ needs.slsa.outputs.package-download-sha256 }} | |
| # provenance-name: ${{ needs.slsa.outputs.provenance-name }} | |
| # provenance-download-name: ${{ needs.slsa.outputs.provenance-download-name }} | |
| # provenance-download-sha256: ${{ needs.slsa.outputs.provenance-download-sha256 }} |