syft/.github/workflows/release.yaml

name: "Release"
on:
  push:
    # take no actions on push to any branch...
    branches-ignore:
      - "**"
    # ... only act on release tags
    tags:
      - "v*"

env:
  GO_VERSION: "1.18.x"

jobs:
  quality-gate:
    environment: release
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v3

      # we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
      - name: Ensure tagged commit is on main
        run: |
          echo "Tag: ${GITHUB_REF##*/}"
          git fetch origin main
          git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"          

      - name: Check static analysis results
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: static-analysis
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Static analysis"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check unit test results
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: unit
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Unit tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check integration test results
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: integration
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Integration tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check acceptance test results (linux)
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: acceptance-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check acceptance test results (mac)
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: acceptance-mac
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Mac)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check cli test results (linux)
        uses: fountainhead/action-wait-for-check@v1.1.0
        id: cli-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "CLI tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Quality gate
        if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
        run: |
          echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
          echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
          echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}"
          echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
          echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
          echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
          false          

  release:
    needs: [quality-gate]
    runs-on: ubuntu-20.04
    permissions:
      contents: write
      packages: write
    steps:
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap
        with:
          # use the same cache we used for building snapshots
          build-cache-key-prefix: "snapshot"

      - name: Login to Docker Hub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.TOOLBOX_DOCKER_USER }}
          password: ${{ secrets.TOOLBOX_DOCKER_PASS }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & publish release artifacts
        run: make release
        env:
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          # for creating the release (requires write access to packages and content)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # for updating brew formula in anchore/homebrew-syft
          GITHUB_BREW_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
          # for updating the VERSION file in S3...
          AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}

      - uses: anchore/sbom-action@v0
        continue-on-error: true
        with:
          artifact-name: sbom.spdx.json

      - uses: 8398a7/action-slack@v3
        continue-on-error: true
        with:
          status: ${{ job.status }}
          fields: repo,workflow,action,eventName
          text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.ref_name }}"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
        if: ${{ success() }}

      - uses: actions/upload-artifact@v2
        with:
          name: artifacts
          path: dist/**/*