@@ -277,95 +277,3 @@ jobs:
277277 labels : failed-release
278278 title : Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Go Module Repository failed
279279 body : See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
280- release_github :
281- name : Publish to GitHub Releases
282- needs : [release, release_npm, release_maven, release_pypi, release_nuget, release_golang]
283- runs-on : ubuntu-latest
284- permissions :
285- contents : write
286- issues : write
287- steps :
288- - uses : actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444
289- with :
290- node-version : 18.x
291- - name : Download build artifacts
292- uses : actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0
293- with :
294- name : build-artifact
295- path : dist
296- - name : Restore build artifact permissions
297- run : cd dist && setfacl --restore=permissions-backup.acl
298- continue-on-error : true
299- - name : Release
300- env :
301- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
302- GITHUB_REPOSITORY : ${{ github.repository }}
303- GITHUB_REF : ${{ github.ref }}
304- run : errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi
305- - name : Extract Version
306- id : extract-version
307- if : ${{ failure() }}
308- run : echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}"
309- - name : Create Issue
310- if : ${{ failure() }}
311- uses : imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd
312- env :
313- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
314- with :
315- labels : failed-release
316- title : Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed
317- body : See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
318- - name : Generate PURL and SBOM
319- run : |
320- ./scripts/compliance/gen-purls.sh
321- ./scripts/compliance/gen-sbom.sh
322- env :
323- SILKBOMB_IMG : ${{ vars.SILKBOMB_IMG }}
324- - name : Upload SBOM to Kondukto
325- run : ./scripts/compliance/upload-sbom.sh
326- env :
327- KONDUKTO_TOKEN : ${{ secrets.KONDUKTO_TOKEN }}
328- SILKBOMB_IMG : ${{ vars.SILKBOMB_IMG }}
329- KONDUKTO_REPO : ${{ vars.KONDUKTO_REPO }}
330- KONDUKTO_BRANCH_PREFIX : ${{ vars.KONDUKTO_BRANCH_PREFIX }}
331- - uses : actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
332- - name : Generate SSDLC report
333- run : |
334- AUTHOR="${{ github.actor }}"
335- export AUTHOR
336- VERSION="${{ steps.extract-version.outputs.VERSION }}"
337- export VERSION
338- ./scripts/compliance/gen-ssdlc-report.sh
339- env :
340- KONDUKTO_TOKEN : ${{ secrets.KONDUKTO_TOKEN }}
341- SILKBOMB_IMG : ${{ vars.SILKBOMB_IMG }}
342- KONDUKTO_REPO : ${{ vars.KONDUKTO_REPO }}
343- KONDUKTO_BRANCH_PREFIX : ${{ vars.KONDUKTO_BRANCH_PREFIX }}
344- - name : Import GPG key
345- uses : crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
346- with :
347- gpg_private_key : ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
348- passphrase : ${{ secrets.APIX_BOT_PASSPHRASE }}
349- git_user_signingkey : true
350- git_commit_gpgsign : true
351- - name : Commit changes
352- shell : bash
353- run : |
354- if [[ $(git status --porcelain) ]]; then
355- git pull
356- git config --local user.email [email protected]
357- git config --local user.name svc-apix-bot
358- git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
359- git add compliance/v*/*
360- git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}"
361- git push origin
362- else
363- echo "No changes to commit."
364- fi
365- - name : Upload SBOM as release artifact
366- uses : softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836
367- with :
368- files : compliance/sbom.json
369- tag_name : ${{ steps.extract-version.outputs.VERSION }}
370- env :
371- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}