Release (Requires manual steps to take, check all jobs are successful) #90
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release (Requires manual steps to take, check all jobs are successful) | |
| on: workflow_dispatch | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| issues: write | |
| steps: | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| with: | |
| fetch-depth: 0 | |
| ref: main | |
| - name: Set git config safe.directory | |
| run: git config --global --add safe.directory "$(pwd)" | |
| - name: Set git identity | |
| run: |- | |
| git config user.name "github-actions" | |
| git config user.email "[email protected]" | |
| - name: Setup Node.js | |
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 | |
| with: | |
| node-version: 24.x | |
| - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 | |
| name: Setup Java | |
| with: | |
| distribution: temurin | |
| java-version: 21.x | |
| - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c | |
| name: Setup Python | |
| with: | |
| python-version: 3.x | |
| - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d | |
| name: Setup .NET | |
| with: | |
| dotnet-version: 9.0.x | |
| - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 | |
| name: Setup Go | |
| with: | |
| go-version: ^1.25.0 | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: release | |
| run: | | |
| unset CI # enable full package-all https://github.com/mongodb/awscdk-resources-mongodbatlas/blob/main/.projen/tasks.json#L157-L170 | |
| npx projen release | |
| - name: Backup artifact permissions | |
| run: cd dist && getfacl -R . > permissions-backup.acl | |
| continue-on-error: true | |
| - name: Upload artifact | |
| uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 | |
| with: | |
| name: build-artifact | |
| path: dist | |
| overwrite: true | |
| release_github: | |
| name: Publish to GitHub Releases | |
| needs: [release] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| issues: write | |
| steps: | |
| - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 | |
| with: | |
| node-version: 24.x | |
| - name: Download build artifacts | |
| uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 | |
| with: | |
| name: build-artifact | |
| path: dist | |
| - name: Restore build artifact permissions | |
| run: cd dist && setfacl --restore=permissions-backup.acl | |
| continue-on-error: true | |
| - name: Extract Version | |
| id: extract-version | |
| run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" | |
| - name: Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| GITHUB_REF: ${{ github.ref }} | |
| run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi | |
| - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 | |
| - name: Generate PURL and SBOM | |
| run: | | |
| ./scripts/compliance/gen-purls.sh | |
| ./scripts/compliance/gen-sbom.sh | |
| env: | |
| SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} | |
| - name: Upload SBOM to Kondukto | |
| run: ./scripts/compliance/upload-sbom.sh | |
| env: | |
| KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} | |
| SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} | |
| KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} | |
| KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} | |
| - name: Generate SSDLC report | |
| run: | | |
| AUTHOR="${{ github.actor }}" | |
| export AUTHOR | |
| VERSION="${{ steps.extract-version.outputs.VERSION }}" | |
| export VERSION | |
| ./scripts/compliance/gen-ssdlc-report.sh | |
| env: | |
| KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} | |
| SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} | |
| KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} | |
| KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} | |
| - name: Import GPG key | |
| uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec | |
| with: | |
| gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} | |
| passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} | |
| git_user_signingkey: true | |
| git_commit_gpgsign: true | |
| - name: Commit changes | |
| shell: bash | |
| run: | | |
| if [[ $(git status --porcelain) ]]; then | |
| git pull | |
| git config --local user.email [email protected] | |
| git config --local user.name svc-apix-bot | |
| git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} | |
| git add compliance/v*/* | |
| git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}" | |
| git push origin | |
| else | |
| echo "No changes to commit." | |
| fi | |
| - name: Upload SBOM as release artifact | |
| uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 | |
| with: | |
| files: compliance/sbom.json | |
| tag_name: ${{ steps.extract-version.outputs.VERSION }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |