mirror of
https://github.com/anchore/syft
synced 2024-11-10 06:14:16 +00:00
341288ba29
* refactor signing steps in release/snapshot workflows Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * show signing logs on snapshot or release failure Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update install.sh + tests to account for new goreleaser changes Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * update cli tests to account for new goreleaser build names Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * fix acceptance test to use new snapshot bin path Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * add notarization Signed-off-by: Alex Goodman <alex.goodman@anchore.com> * address review comments Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
160 lines
6.4 KiB
YAML
160 lines
6.4 KiB
YAML
name: "Release"
|
|
on:
|
|
push:
|
|
# take no actions on push to any branch...
|
|
branches-ignore:
|
|
- "**"
|
|
# ... only act on release tags
|
|
tags:
|
|
- "v*"
|
|
|
|
env:
|
|
GO_VERSION: "1.16.x"
|
|
|
|
jobs:
|
|
quality-gate:
|
|
environment: release
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@v2
|
|
|
|
# we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
|
|
- name: Ensure tagged commit is on main
|
|
run: |
|
|
echo "Tag: ${GITHUB_REF##*/}"
|
|
git fetch origin main
|
|
git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
|
|
|
|
- name: Check static analysis results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: static-analysis
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Static analysis"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check unit test results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: unit
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Unit tests"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check integration test results
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: integration
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Integration tests"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (linux)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: acceptance-linux
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Acceptance tests (Linux)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check acceptance test results (mac)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: acceptance-mac
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "Acceptance tests (Mac)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Check cli test results (linux)
|
|
uses: fountainhead/action-wait-for-check@v1.0.0
|
|
id: cli-linux
|
|
with:
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
|
|
checkName: "CLI tests (Linux)"
|
|
ref: ${{ github.event.pull_request.head.sha || github.sha }}
|
|
|
|
- name: Quality gate
|
|
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
|
|
run: |
|
|
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
|
|
echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
|
|
echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}"
|
|
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
|
|
echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
|
|
echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
|
|
false
|
|
|
|
release:
|
|
needs: [quality-gate]
|
|
# due to our code signing process, it's vital that we run our release steps on macOS
|
|
runs-on: macos-latest
|
|
steps:
|
|
- uses: docker-practice/actions-setup-docker@v1
|
|
|
|
- uses: actions/setup-go@v2
|
|
with:
|
|
go-version: ${{ env.GO_VERSION }}
|
|
|
|
- uses: actions/checkout@v2
|
|
with:
|
|
fetch-depth: 0
|
|
|
|
- name: Restore tool cache
|
|
id: tool-cache
|
|
uses: actions/cache@v2.1.3
|
|
with:
|
|
path: ${{ github.workspace }}/.tmp
|
|
key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}
|
|
|
|
- name: Restore go cache
|
|
id: go-cache
|
|
uses: actions/cache@v2.1.3
|
|
with:
|
|
path: ~/go/pkg/mod
|
|
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
|
|
restore-keys: |
|
|
${{ runner.os }}-go-${{ env.GO_VERSION }}-
|
|
|
|
- name: (cache-miss) Bootstrap all project dependencies
|
|
if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
|
|
run: make bootstrap
|
|
|
|
- name: Build & publish release artifacts
|
|
run: make release
|
|
env:
|
|
DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }}
|
|
DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }}
|
|
# we use a different token than GITHUB_SECRETS to additionally allow updating the homebrew repos
|
|
GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
|
|
AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
|
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}
|
|
# used during macOS code signing
|
|
APPLE_DEVELOPER_ID_CERT: ${{ secrets.APPLE_DEVELOPER_ID_CERT }}
|
|
APPLE_DEVELOPER_ID_CERT_PASS: ${{ secrets.APPLE_DEVELOPER_ID_CERT_PASS }}
|
|
# used during macOS notarization
|
|
AC_USERNAME: ${{ secrets.ENG_CI_APPLE_ID }}
|
|
AC_PASSWORD: ${{ secrets.ENG_CI_APPLE_ID_PASS }}
|
|
|
|
- uses: anchore/sbom-action@v0
|
|
with:
|
|
artifact-name: sbom.spdx.json
|
|
|
|
- uses: 8398a7/action-slack@v3
|
|
with:
|
|
status: ${{ job.status }}
|
|
fields: repo,workflow,action,eventName
|
|
text: "A new Syft release is ready to be manually published: https://github.com/anchore/syft/releases"
|
|
env:
|
|
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
|
|
if: ${{ success() }}
|
|
|
|
- uses: actions/upload-artifact@v2
|
|
with:
|
|
name: artifacts
|
|
path: dist/**/*
|