Release (Candidate) #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release (Candidate) | |
permissions: read-all | |
on: | |
workflow_dispatch: # can be triggered via UI | |
workflow_call: # can be triggered by other workflows | |
jobs: | |
# - name: upload image tar artifact | |
# uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 | |
# with: | |
# name: pepr-img.tar | |
# path: pepr-img.tar | |
# retention-days: 1 | |
# - name: dowload image tar artifact | |
# uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
# with: | |
# name: pepr-img.tar | |
# path: ${{ github.workspace }} | |
check: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
outputs: | |
RELEASE_NEEDED: ${{ steps.release-needed.outputs.RELEASE_NEEDED }} | |
steps: | |
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
node-version: 20 | |
registry-url: "https://registry.npmjs.org" | |
cache: npm | |
- id: release-needed | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
npm ci | |
needed=false | |
needle="There are no relevant changes, so no new version is released." | |
if $( npm run sem-rel -- --dry-run | grep --quiet "$needle" ) | |
then needed=false ; else needed=true | |
fi | |
echo "RELEASE_NEEDED=$needed" >> "$GITHUB_OUTPUT" | |
show: | |
needs: [check] | |
if: ${{ needs.check.outputs.RELEASE_NEEDED == true }} | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- run: | | |
echo "RELEASE_NEEDED=${{ needs.check.outputs.RELEASE_NEEDED }}" | |
# | |
# TODO: works for steps... but what about stopping downstream jobs? | |
# | |
# - name: check | |
# id: check | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# run: | | |
# npm ci | |
# needed=false | |
# needle="There are no relevant changes, so no new version is releaseds." | |
# if $( npm run sem-rel -- --dry-run | grep --quiet "$needle" ) | |
# then needed=false ; else needed=true | |
# fi | |
# echo "RELEASE_NEEDED=$needed" >> "$GITHUB_OUTPUT" | |
# - name: show | |
# if: steps.check.outputs.RELEASE_NEEDED == true | |
# run: | | |
# echo "RELEASE_NEEDED=${{ steps.check.outputs.RELEASE_NEEDED }}" | |
# - name: show2 | |
# if: steps.check.outputs.RELEASE_NEEDED == true | |
# run: | | |
# echo "RELEASE_NEEDED=${{ steps.check.outputs.RELEASE_NEEDED }}" | |
# build: | |
# needs: [check] | |
# runs-on: ubuntu-latest | |
# permissions: | |
# contents: write | |
# steps: | |
# - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
# with: | |
# egress-policy: audit | |
# - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
# - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
# with: | |
# node-version: 20 | |
# registry-url: "https://registry.npmjs.org" | |
# cache: npm | |
# - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# - name: semantic-release | |
# env: | |
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
# # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
# run: | | |
# npm ci | |
# npm run sem-rel -- --dry-run | |
# build: | |
# runs-on: ubuntu-latest | |
# permissions: | |
# contents: read | |
# packages: write | |
# id-token: write | |
# steps: | |
# - name: Harden Runner | |
# uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1 | |
# with: | |
# egress-policy: audit | |
# - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
# - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1 | |
# - name: Use Node.js 20 | |
# uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
# with: | |
# node-version: 20 | |
# registry-url: "https://registry.npmjs.org" | |
# cache: "npm" | |
# - name: "Pepr Controller: Login to GHCR" | |
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
# with: | |
# registry: ghcr.io | |
# username: dummy | |
# password: ${{ github.token }} | |
# - name: Publish to GHCR | |
# env: | |
# NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
# run: | | |
# #!/bin/bash | |
# npm install -g npm | |
# npm run version | |
# # Build Controller Image | |
# docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} . | |
# slsa: | |
# permissions: | |
# id-token: write | |
# contents: read | |
# actions: read | |
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
# with: | |
# run-scripts: "version, ci, build" | |
# publish: | |
# needs: [slsa] | |
# runs-on: ubuntu-latest | |
# steps: | |
# - name: Set up Node registry authentication | |
# uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
# with: | |
# node-version: 20 | |
# registry-url: "https://registry.npmjs.org" | |
# - name: Publish package | |
# id: publish | |
# uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0 | |
# with: | |
# access: public | |
# node-auth-token: ${{ secrets.NPM_TOKEN }} | |
# package-name: ${{ needs.slsa.outputs.package-name }} | |
# package-download-name: ${{ needs.slsa.outputs.package-download-name }} | |
# package-download-sha256: ${{ needs.slsa.outputs.package-download-sha256 }} | |
# provenance-name: ${{ needs.slsa.outputs.provenance-name }} | |
# provenance-download-name: ${{ needs.slsa.outputs.provenance-download-name }} | |
# provenance-download-sha256: ${{ needs.slsa.outputs.provenance-download-sha256 }} |