Release #18
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Release" | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: tag the latest commit on main with the given version (prefixed with v) | |
| required: true | |
| permissions: | |
| contents: read | |
| checks: read | |
| env: | |
| FORCE_COLOR: true | |
| jobs: | |
| quality-gate: | |
| environment: release | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | |
| with: | |
| persist-credentials: false | |
| - name: Check if tag already exists | |
| # note: this will fail if the tag already exists | |
| env: | |
| VERSION_INPUT: ${{ github.event.inputs.version }} | |
| run: | | |
| # Validate and sanitize version input | |
| if [[ ! "$VERSION_INPUT" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-]+)?(\+[a-zA-Z0-9-]+)?$ ]]; then | |
| echo "Invalid version format: '$VERSION_INPUT'. Expected format: v1.2.3 or v1.2.3-alpha or v1.2.3+build" | |
| exit 1 | |
| fi | |
| git tag "$VERSION_INPUT" | |
| - name: Check validations results | |
| uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be #v1.2.0 | |
| id: validations | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| # This check name is defined as the github action job name (in .github/workflows/validations.yaml) | |
| checkName: "Validations" | |
| ref: ${{ github.event.pull_request.head.sha || github.sha }} | |
| - name: Quality gate | |
| if: steps.validations.outputs.conclusion != 'success' | |
| env: | |
| VALIDATION_STATUS: ${{ steps.validations.outputs.conclusion }} | |
| run: | | |
| echo "Validations Status: $VALIDATION_STATUS" | |
| false | |
| release: | |
| needs: [quality-gate] | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: write | |
| packages: write | |
| # required for goreleaser signs section with cosign | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 #v4.1.1 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: true | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| env: | |
| FORCE_COLOR: true | |
| - name: Tag release | |
| env: | |
| VERSION_INPUT: ${{ github.event.inputs.version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Validate and sanitize version input | |
| if [[ ! "$VERSION_INPUT" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9-]+)?(\+[a-zA-Z0-9-]+)?$ ]]; then | |
| echo "Invalid version format: '$VERSION_INPUT'. Expected format: v1.2.3 or v1.2.3-alpha or v1.2.3+build" | |
| exit 1 | |
| fi | |
| git config user.name "anchoreci" | |
| git config user.email "anchoreci@users.noreply.github.com" | |
| git tag -a "$VERSION_INPUT" -m "Release $VERSION_INPUT" | |
| git push origin --tags | |
| - name: Build & publish release artifacts | |
| run: make ci-release | |
| env: | |
| # for mac signing and notarization... | |
| QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }} | |
| QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }} | |
| QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }} | |
| QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }} | |
| QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }} | |
| # for creating the release (requires write access to packages and content) | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }} |