Skip to content

Release (Candidate) #37

Release (Candidate)

Release (Candidate) #37

Workflow file for this run

name: Release (Candidate)
permissions: read-all
on:
workflow_dispatch: # can be triggered via UI
workflow_call: # can be triggered by other workflows
jobs:
# - name: upload image tar artifact
# uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
# with:
# name: pepr-img.tar
# path: pepr-img.tar
# retention-days: 1
# - name: dowload image tar artifact
# uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
# with:
# name: pepr-img.tar
# path: ${{ github.workspace }}
check:
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
RELEASE_NEEDED: ${{ steps.release-needed.outputs.RELEASE_NEEDED }}
steps:
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
with:
egress-policy: audit
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: 20
registry-url: "https://registry.npmjs.org"
cache: npm
- name: release-needed
id: release-needed
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
npm ci
needed=false
needle="There are no relevant changes, so no new version is released."
npm run sem-rel -- --dry-run | grep --quiet "$needle"
retval="$?"
echo "retval: $retval"
if [ "$retval" = 0 ]
then needed=false ; else needed=true
fi
echo "RELEASE_NEEDED=$needed" >> "$GITHUB_OUTPUT"
show:
needs: [check]
if: ${{ needs.check.outputs.RELEASE_NEEDED == true }}
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- run: |
echo "RELEASE_NEEDED=${{ needs.check.outputs.RELEASE_NEEDED }}"
#
# TODO: works for steps... but what about stopping downstream jobs?
#
# - name: check
# id: check
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# run: |
# npm ci
# needed=false
# needle="There are no relevant changes, so no new version is releaseds."
# if $( npm run sem-rel -- --dry-run | grep --quiet "$needle" )
# then needed=false ; else needed=true
# fi
# echo "RELEASE_NEEDED=$needed" >> "$GITHUB_OUTPUT"
# - name: show
# if: steps.check.outputs.RELEASE_NEEDED == true
# run: |
# echo "RELEASE_NEEDED=${{ steps.check.outputs.RELEASE_NEEDED }}"
# - name: show2
# if: steps.check.outputs.RELEASE_NEEDED == true
# run: |
# echo "RELEASE_NEEDED=${{ steps.check.outputs.RELEASE_NEEDED }}"
# build:
# needs: [check]
# runs-on: ubuntu-latest
# permissions:
# contents: write
# steps:
# - uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
# with:
# egress-policy: audit
# - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
# with:
# node-version: 20
# registry-url: "https://registry.npmjs.org"
# cache: npm
# - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
# - name: semantic-release
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# # NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# run: |
# npm ci
# npm run sem-rel -- --dry-run
# build:
# runs-on: ubuntu-latest
# permissions:
# contents: read
# packages: write
# id-token: write
# steps:
# - name: Harden Runner
# uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
# with:
# egress-policy: audit
# - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
# - uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
# - name: Use Node.js 20
# uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
# with:
# node-version: 20
# registry-url: "https://registry.npmjs.org"
# cache: "npm"
# - name: "Pepr Controller: Login to GHCR"
# uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
# with:
# registry: ghcr.io
# username: dummy
# password: ${{ github.token }}
# - name: Publish to GHCR
# env:
# NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# run: |
# #!/bin/bash
# npm install -g npm
# npm run version
# # Build Controller Image
# docker buildx build --push --platform linux/arm64/v8,linux/amd64 --tag ghcr.io/defenseunicorns/pepr/controller:${{ github.ref_name }} .
# slsa:
# permissions:
# id-token: write
# contents: read
# actions: read
# uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
# with:
# run-scripts: "version, ci, build"
# publish:
# needs: [slsa]
# runs-on: ubuntu-latest
# steps:
# - name: Set up Node registry authentication
# uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
# with:
# node-version: 20
# registry-url: "https://registry.npmjs.org"
# - name: Publish package
# id: publish
# uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
# with:
# access: public
# node-auth-token: ${{ secrets.NPM_TOKEN }}
# package-name: ${{ needs.slsa.outputs.package-name }}
# package-download-name: ${{ needs.slsa.outputs.package-download-name }}
# package-download-sha256: ${{ needs.slsa.outputs.package-download-sha256 }}
# provenance-name: ${{ needs.slsa.outputs.provenance-name }}
# provenance-download-name: ${{ needs.slsa.outputs.provenance-download-name }}
# provenance-download-sha256: ${{ needs.slsa.outputs.provenance-download-sha256 }}