AST Cli Release #878

Workflow file for this run

.github/workflows/release.yml at 16dd986

	name: AST Cli Release

	on:
	workflow_call:
	inputs:
	tag:
	description: 'Next release tag'
	required: true
	type: string
	dev:
	description: 'Is dev build'
	required: false
	default: true
	type: boolean
	workflow_dispatch:
	inputs:
	tag:
	description: 'Next release tag'
	required: true
	type: string
	dev:
	description: 'Is dev build'
	required: false
	default: true
	type: boolean

	permissions:
	id-token: write
	contents: write

	jobs:
	build:
	runs-on: macos-13
	env:
	AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
	APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
	APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
	COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }}
	steps:
	- name: Checkout
	uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0
	with:
	fetch-depth: 0
	- name: Install Go
	uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4
	with:
	go-version-file: go.mod
	- name: Import Code-Signing Certificates
	uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 #v1
	with:
	# The certificates in a PKCS12 file encoded as a base64 string
	p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
	# The password used to import the PKCS12 file.
	p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
	- name: Updating and upgrading brew to a specific version
	run: \|
	brew --version
	cd $(brew --repo)
	git fetch --tags
	git checkout 4.4.15
	export HOMEBREW_NO_AUTO_UPDATE=1
	brew --version
	- name: Install gon
	run: \|
	brew install Bearer/tap/gon
	# New: detect architecture and expose as step output
	- name: Detect runner architecture
	id: arch
	run: \|
	echo "arch=$(uname -m)" >> $GITHUB_OUTPUT
	- name: Setup Docker on macOS
	if: inputs.dev == false
	uses: douglascamata/setup-docker-macos-action@de9dc31504356970f7ab9b785d6afee99b994692 #v1.0.1
	- name: Test docker
	if: inputs.dev == false
	run: \|
	docker version
	docker info
	- name: Login to Docker Hub
	if: inputs.dev == false
	uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 #v1
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}

	- name: Install Cosign
	if: inputs.dev == false
	uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 #v3.2.0

	- name: Configure AWS Credentials
	uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2
	with:
	role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }}
	aws-region: ${{ secrets.AWS_ASSUME_ROLE_REGION }}
	- name: Tag
	run: \|
	echo ${{ inputs.tag }}
	echo "NEXT_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV
	tag=${{ inputs.tag }}
	message='${{ inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}'
	git config user.name "${GITHUB_ACTOR}"
	git config user.email "${GITHUB_ACTOR}@users.noreply.github.com"
	git tag -a "${tag}" -m "${message}"
	git push origin "${tag}"
	- name: Build GoReleaser Args
	run: \|
	args='release --clean --debug'
	if [ ${{ inputs.dev }} = true ]; then
	args=${args}' --config=".goreleaser-dev.yml"'
	fi
	echo "GR_ARGS=${args}" >> $GITHUB_ENV
	- name: Echo GoReleaser Args
	run: echo ${{ env.GR_ARGS }}
	- name: Run GoReleaser
	uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 #v3
	with:
	version: v1.18.2
	args: ${{ env.GR_ARGS }}
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	GO_BOT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
	S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }}
	S3_BUCKET_REGION: ${{ secrets.S3_BUCKET_REGION }}
	SIGNING_REMOTE_SSH_USER: ${{ secrets.SIGNING_REMOTE_SSH_USER }}
	SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }}
	SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }}
	SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }}
	- name: Sign Docker Image with Cosign
	if: inputs.dev == false
	run: \|
	cosign sign --yes --key env://COSIGN_PRIVATE_KEY checkmarx/ast-cli:${{ inputs.tag }}

	- name: Verify Docker image signature
	if: inputs.dev == false
	run: \|
	echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub
	cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }}
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}

	notify:
	name: Update Teams & JIRA About New Release
	if: inputs.dev == false
	needs: build
	uses: Checkmarx/plugins-release-workflow/.github/workflows/release-notify.yml@main
	with:
	product_name: CLI
	release_version: ${{ inputs.tag }}
	cli_release_version: ""
	release_author: "Sypher Team"
	release_url: https://github.com/Checkmarx/ast-cli/releases/tag/${{ inputs.tag }}
	jira_product_name: ASTCLI
	secrets: inherit

	dispatch_auto_release:
	name: Update Plugins With new Cli Version
	if: inputs.dev == false
	needs: notify
	uses: Checkmarx/plugins-release-workflow/.github/workflows/dispatch-workflow.yml@main
	with:
	cli_version: ${{ inputs.tag }}
	secrets: inherit

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

AST Cli Release #878

Workflow file

AST Cli Release #878

Uh oh!

Workflow file for this run