-
Notifications
You must be signed in to change notification settings - Fork 5
294 lines (255 loc) · 10.5 KB
/
release.yml
File metadata and controls
294 lines (255 loc) · 10.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
name: Build, Attest and Release
on:
workflow_dispatch:
inputs:
version:
description: "Version to release (vX.Y.Z format)"
required: true
default: "v0.1.0"
prerelease:
description: "Is this a pre-release?"
type: boolean
default: false
push:
tags:
- "v*"
# Restrict top-level permissions to minimum required defaults
permissions: read-all
jobs:
prepare:
name: Prepare Release
runs-on: ubuntu-latest
# Only prepare job needs write permissions for commit and tagging
permissions:
contents: write # Required for git auto-commit
outputs:
version: ${{ steps.get-version.outputs.version }}
is_prerelease: ${{ github.event.inputs.prerelease || 'false' }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- name: Get version
id: get-version
run: |
if [[ "${{ github.event_name }}" == "push" ]]; then
VERSION=${GITHUB_REF#refs/tags/}
else
VERSION=${{ github.event.inputs.version }}
fi
echo "version=${VERSION}" >> $GITHUB_OUTPUT
echo "Version: ${VERSION}"
- name: Setup display and dependencies
run: |
sudo apt-get update
sudo apt-get install -y xvfb libgtk2.0-0 libgtk-3-0 libgbm-dev libnotify-dev libnss3 libxss1 libasound2t64 libxtst6 xauth
sudo mkdir -p /var/run/dbus
sudo dbus-daemon --system --fork
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "25"
cache: "npm"
- name: Cache Cypress binary
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: ~/.cache/Cypress
key: cypress-${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
cypress-${{ runner.os }}-
- name: Install dependencies
run: npm ci
- name: build
run: npm run build
- name: Check licenses
run: npm run test:licenses
- name: Verify Cypress
run: npx cypress verify
- name: Start app and run Cypress tests
run: |
xvfb-run --auto-servernum --server-args="-screen 0 1280x720x24" npm run test:e2e
env:
CYPRESS_VIDEO: false
# Run tests with coverage
- name: Run tests with coverage
run: npm run coverage
- name: Set Version for release
if: github.event_name == 'workflow_dispatch'
run: |
PLAIN_VERSION="${{ github.event.inputs.version }}"
# Remove 'v' prefix if present
PLAIN_VERSION="${PLAIN_VERSION#v}"
npm version $PLAIN_VERSION --no-git-tag-version
- uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
if: github.event_name == 'workflow_dispatch'
with:
commit_message: "chore(release): bump version to ${{ github.event.inputs.version }}"
tagging_message: "${{ github.event.inputs.version }}"
build:
name: Build Release Package
needs: [prepare]
runs-on: ubuntu-latest
# Build job needs specific permissions for attestations
permissions:
contents: read
id-token: write # Required for OIDC
attestations: write # Required for SBOM and build attestations
steps:
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
# Use GITHUB_REF directly for tag events
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'workflow_dispatch' && github.event.inputs.version || '' }}
- name: Setup Node.js
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: "25"
cache: "npm"
- name: Install dependencies
run: npm ci
- name: Cache build artifacts
uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
with:
path: dist
key: ${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }}-${{ hashFiles('src/**/*') }}
restore-keys: |
${{ runner.os }}-build-${{ hashFiles('**/package-lock.json') }}-
${{ runner.os }}-build-
- name: Build application
run: npm run build
env:
VITE_APP_VERSION: ${{ needs.prepare.outputs.version }}
- name: Create release artifacts
run: |
# Create the zip file from the dist directory
cd dist
zip -r ../game-${{ needs.prepare.outputs.version }}.zip .
cd ..
- name: Upload build artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: build-artifacts
path: |
dist/
game-${{ needs.prepare.outputs.version }}.zip
if-no-files-found: error
- name: Generate SBOM
uses: anchore/sbom-action@57aae528053a48a3f6235f2d9461b05fbcb7366d # v0.23.1
id: sbom
with:
format: spdx-json
output-file: game-${{ needs.prepare.outputs.version }}.spdx.json
artifact-name: game-${{ needs.prepare.outputs.version }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
id: attest
with:
subject-path: game-${{ needs.prepare.outputs.version }}.zip
- name: Copy artifact attestation for zip
run: cp ${{ steps.attest.outputs.bundle-path }} game-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
- name: Generate SBOM attestation
id: attestsbom
uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
with:
subject-path: game-${{ needs.prepare.outputs.version }}.zip
sbom-path: game-${{ needs.prepare.outputs.version }}.spdx.json
- name: Copy SBOM attestation for zip
run: cp ${{ steps.attestsbom.outputs.bundle-path }} game-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
- name: Upload security artifacts
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: security-artifacts
path: |
game-${{ needs.prepare.outputs.version }}.spdx.json
game-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
game-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
if-no-files-found: error
release:
name: Create Release
needs: [prepare, build]
runs-on: ubuntu-latest
# Release job needs specific permissions to create GitHub releases
permissions:
contents: write # Required to create releases
id-token: write # Required for OIDC
steps:
- name: Harden Runner
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
# Checkout main branch to get latest documentation
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
ref: main # Always use main branch for deployment
- name: Download build artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: build-artifacts
path: artifacts/build
- name: Download security artifacts
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: security-artifacts
path: artifacts/security
- name: Draft Release Notes
id: release-drafter
uses: release-drafter/release-drafter@44a942e465867c7465b76aa808ddca6e0acae5da # v7.1.0
with:
version: ${{ needs.prepare.outputs.version }}
tag: ${{ needs.prepare.outputs.version }}
name: Game ${{ needs.prepare.outputs.version }}
publish: false
prerelease: ${{ needs.prepare.outputs.is_prerelease }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Create GitHub Release with all artifacts
- name: Create GitHub Release
uses: ncipollo/release-action@339a81892b84b4eeb0f6e744e4574d79d0d9b8dd # v1.21.0
with:
tag: ${{ needs.prepare.outputs.version }}
name: Game ${{ needs.prepare.outputs.version }}
body: ${{ steps.release-drafter.outputs.body }}
generateReleaseNotes: false
immutableCreate: true
draft: false
prerelease: ${{ needs.prepare.outputs.is_prerelease }}
artifacts: |
artifacts/build/game-${{ needs.prepare.outputs.version }}.zip
artifacts/security/game-${{ needs.prepare.outputs.version }}.spdx.json
artifacts/security/game-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
artifacts/security/game-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
token: ${{ secrets.GITHUB_TOKEN }}
# Prepare docs directory for GitHub Pages
- name: Prepare docs directory
run: |
mkdir -p docs
# Clean only application files, preserve documentation
rm -rf docs/index.html docs/assets docs/*.js docs/*.css
# Deploy new application version
- name: Deploy new version
run: |
# Extract the built application to docs
unzip -o artifacts/build/game-${{ needs.prepare.outputs.version }}.zip -d docs/
# Create version marker for traceability
echo "Version ${{ needs.prepare.outputs.version }} deployed at $(date)" > docs/version.txt
# Final deployment with all components
- name: Deploy to GitHub Pages
uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
with:
folder: docs
target-folder: docs
branch: main
clean: false
commit-message: "chore(release): deploy version ${{ needs.prepare.outputs.version }}"