|
26 | 26 | workflow_dispatch: |
27 | 27 |
|
28 | 28 | env: |
| 29 | + REPORTS_DIR: CI_reports |
| 30 | + DIST_DIR: dist |
| 31 | + DIST_ARTIFACT: python-dist |
29 | 32 | PYTHON_VERISON: "3.10" |
30 | 33 | POETRY_VERSION: "1.1.11" |
31 | 34 |
|
32 | 35 | jobs: |
33 | | - release: |
| 36 | + release-PyPI: |
| 37 | + name: "Release: GitHub, PyPI" |
34 | 38 | # https://github.community/t/how-do-i-specify-job-dependency-running-in-another-workflow/16482 |
35 | 39 | # limit this to being run on regular commits, not the commits that semantic-release will create |
36 | | - if: github.ref == 'refs/heads/master' && !contains(github.event.head_commit.message, 'chore(release):') |
| 40 | + if: | |
| 41 | + github.ref == 'refs/heads/master' && |
| 42 | + !contains(github.event.head_commit.message, 'chore(release):') |
37 | 43 | runs-on: ubuntu-latest |
38 | | - concurrency: release |
| 44 | + concurrency: release-PyPI # one release at a time, prevent hickups |
| 45 | + outputs: |
| 46 | + version-before: ${{ steps.before-release.outputs.version }} # version may be empty |
| 47 | + released: ${{ steps.after-release.outputs.released }} # optional bool-ish string |
| 48 | + version-after: ${{ steps.after-release.outputs.version }} # version may still be empty |
39 | 49 | steps: |
40 | 50 | - name: Checkout code |
41 | 51 | # see https://github.com/actions/checkout |
42 | 52 | uses: actions/checkout@v2.4.0 |
43 | 53 | with: |
44 | | - fetch-depth: 0 |
| 54 | + fetch-depth: 0 # action `relekang/python-semantic-release` requires all git history |
45 | 55 | - name: Setup python ${{ env.PYTHON_VERISON }} |
46 | 56 | # see https://github.com/actions/setup-python |
47 | 57 | uses: actions/setup-python@v2 |
48 | 58 | with: |
49 | 59 | python-version: ${{ env.PYTHON_VERISON }} |
50 | | - - name: Install poetry |
| 60 | + - name: Setup poetry ${{ env.POETRY_VERSION }} |
51 | 61 | # see https://github.com/marketplace/actions/setup-poetry |
52 | 62 | uses: Gr1N/setup-poetry@v7 |
53 | 63 | with: |
54 | 64 | poetry-version: ${{ env.POETRY_VERSION }} |
55 | | - |
| 65 | + - name: pre-hook |
| 66 | + id: before-release |
| 67 | + run: | |
| 68 | + VERSION="$(poetry version --short --no-interaction --no-ansi)" |
| 69 | + # version may be empty at first |
| 70 | + echo "::set-output name=version::$VERSION" |
56 | 71 | - name: Python Semantic Release |
| 72 | + id: semantic-release |
| 73 | + # see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html |
57 | 74 | uses: relekang/python-semantic-release@master |
58 | 75 | with: |
59 | 76 | github_token: ${{ secrets.GITHUB_TOKEN }} |
60 | 77 | pypi_token: ${{ secrets.PYPI_TOKEN }} |
61 | | - |
62 | | - - name: Poetry build |
63 | | - run: poetry build |
64 | | - - name: get version |
65 | | - run: poetry version -s |
66 | | - |
67 | | - - name: Build Docker Image |
68 | | - env: |
69 | | - REPO: cyclonedx/cyclonedx-python |
| 78 | + - name: post-hook |
| 79 | + id: after-release |
70 | 80 | run: | |
71 | | - VERSION=`poetry version -s` |
72 | | - docker build -f Dockerfile --build-arg "VERSION=$VERSION" -t "$REPO:$VERSION" -t "$REPO:latest" . |
| 81 | + VERSION="$(poetry version --short --no-interaction --no-ansi)" |
| 82 | + # version may still be empty |
| 83 | + echo "::set-output name=version::$VERSION" |
| 84 | + if [ "$VERSION" != "$VERSION_PRE" ] |
| 85 | + then |
| 86 | + echo "::set-output name=released::true" |
| 87 | + fi |
| 88 | + env: |
| 89 | + VERSION_PRE: ${{ steps.before-release.outputs.version }} |
| 90 | + - name: Artifact python dist |
| 91 | + if: | |
| 92 | + !failure() && !cancelled() && |
| 93 | + steps.after-release.outputs.released |
| 94 | + # see https://github.com/actions/upload-artifact |
| 95 | + uses: actions/upload-artifact@v2 |
| 96 | + with: |
| 97 | + name: ${{ env.DIST_ARTIFACT }} |
| 98 | + path: ${{ env.DIST_DIR }}/ |
| 99 | + if-no-files-found: error |
| 100 | + # Dist results are required for further processing. |
| 101 | + # Therefore, make sure that python-semantic-release is configuret to keep dist. |
| 102 | + # see https://python-semantic-release.readthedocs.io/en/latest/configuration.html?highlight=remove_dist#remove-dist |
73 | 103 |
|
| 104 | + release-DockerHub: |
| 105 | + name: "Release: DockerHub" |
| 106 | + needs: |
| 107 | + - release-PyPI |
| 108 | + if: | |
| 109 | + !failure() && !cancelled() && |
| 110 | + needs.release-PyPI.result == 'success' && |
| 111 | + needs.release-PyPI.outputs.released && |
| 112 | + needs.release-PyPI.outputs.version-after |
| 113 | + runs-on: ubuntu-latest |
| 114 | + concurrency: release-DockerHub # because of the 'latest' tag |
| 115 | + env: |
| 116 | + VERSION: ${{ needs.release-PyPI.outputs.version-after }} |
| 117 | + ARTIFACT_DOCKER_SBOM: 'docker-image-bom' |
| 118 | + DOCKER_REPO: cyclonedx/cyclonedx-python |
| 119 | + steps: |
| 120 | + - name: Checkout code (tags/v${{ env.VERSION }}) |
| 121 | + # see https://github.com/actions/checkout |
| 122 | + uses: actions/checkout@v2.4.0 |
| 123 | + with: |
| 124 | + ref: tags/v${{ env.VERSION }} |
| 125 | + - name: setup dirs |
| 126 | + run: | |
| 127 | + mkdir "$REPORTS_DIR" |
| 128 | + mkdir "$DIST_DIR" |
| 129 | + - name: Fetch python dist artifact |
| 130 | + # see https://github.com/actions/download-artifact |
| 131 | + uses: actions/download-artifact@v2 |
| 132 | + with: |
| 133 | + name: ${{ env.DIST_ARTIFACT }} |
| 134 | + path: ${{ env.DIST_DIR }}/ |
| 135 | + - name: Build Docker Image (${{ env.VERSION }}) |
| 136 | + run: > |
| 137 | + docker build -f Dockerfile |
| 138 | + --build-arg "VERSION=$VERSION" |
| 139 | + -t "$DOCKER_REPO:$VERSION" |
| 140 | + -t "$DOCKER_REPO:latest" |
| 141 | + . |
| 142 | + - name: Build own SBoM (XML) |
| 143 | + run: > |
| 144 | + docker run --rm "$DOCKER_REPO:$VERSION" |
| 145 | + --environment |
| 146 | + --format=xml |
| 147 | + --output=- |
| 148 | + > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml" |
| 149 | + - name: Build own SBoM (JSON) |
| 150 | + run: > |
| 151 | + docker run --rm "$DOCKER_REPO:$VERSION" |
| 152 | + --environment |
| 153 | + --format=json |
| 154 | + --output=- |
| 155 | + > "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.json" |
| 156 | + - name: Artifact reports |
| 157 | + if: ${{ ! cancelled() }} |
| 158 | + # see https://github.com/actions/upload-artifact |
| 159 | + uses: actions/upload-artifact@v2 |
| 160 | + with: |
| 161 | + name: ${{ env.ARTIFACT_DOCKER_SBOM }} |
| 162 | + path: ${{ env.REPORTS_DIR }}/*.bom.* |
| 163 | + if-no-files-found: error |
| 164 | + # publish AFTER the boms were build, as the bom-generation is kind of a test if the image works |
74 | 165 | - name: Publish Docker Image(s) |
75 | | - env: |
76 | | - REPO: 'cyclonedx/cyclonedx-python' |
77 | 166 | run: | |
78 | | - VERSION=`poetry version -s` |
79 | | - docker login --username '${{ secrets.DOCKERHUB_USERNAME }}' --password '${{ secrets.DOCKERHUB_TOKEN }}' |
80 | | - docker push "$REPO:latest" |
81 | | - docker push "$REPO:$VERSION" |
| 167 | + docker login --username "$DOCKERHUB_USERNAME" --password "$DOCKERHUB_TOKEN" |
| 168 | + docker push "$DOCKER_REPO:$VERSION" |
| 169 | + docker push "$DOCKER_REPO:latest" |
| 170 | + env: |
| 171 | + DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} |
| 172 | + DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} |
| 173 | + # TODO: publish all files in $REPORTS_DIR as release assets - see https://github.com/actions/upload-release-asset |
| 174 | + - name: Destroy Docker image |
| 175 | + # run regardless of outcome |
| 176 | + if: ${{ always() }} |
| 177 | + run: > |
| 178 | + docker rmi -f |
| 179 | + "$DOCKER_REPO:$VERSION" |
| 180 | + "$DOCKER_REPO:latest" |
0 commit comments