85 | 85 | id: extract-version |
86 | 86 | if: ${{ failure() }} |
87 | 87 | run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" |
| 88 | + |
| 89 | + |
| 90 | + release_github: |
| 91 | + name: Publish to GitHub Releases |
| 92 | + needs: [release, release_npm] |
| 93 | + runs-on: ubuntu-latest |
| 94 | + permissions: |
| 95 | + contents: write |
| 96 | + issues: write |
| 97 | + steps: |
| 98 | + - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 |
| 99 | + with: |
| 100 | + node-version: 18.x |
| 101 | + - name: Download build artifacts |
| 102 | + uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 |
| 103 | + with: |
| 104 | + name: build-artifact |
| 105 | + path: dist |
| 106 | + - name: Restore build artifact permissions |
| 107 | + run: cd dist && setfacl --restore=permissions-backup.acl |
| 108 | + continue-on-error: true |
| 109 | + - name: Release |
| 110 | + env: |
| 111 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 112 | + GITHUB_REPOSITORY: ${{ github.repository }} |
| 113 | + GITHUB_REF: ${{ github.ref }} |
| 114 | + run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi |
| 115 | + - name: Extract Version |
| 116 | + id: extract-version |
| 117 | + if: ${{ failure() }} |
| 118 | + run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" |
| 119 | + - name: Generate PURL and SBOM |
| 120 | + run: | |
| 121 | + ./scripts/compliance/gen-purls.sh |
| 122 | + ./scripts/compliance/gen-sbom.sh |
| 123 | + env: |
| 124 | + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} |
| 125 | + - name: Upload SBOM to Kondukto |
| 126 | + run: ./scripts/compliance/upload-sbom.sh |
| 127 | + env: |
| 128 | + KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} |
| 129 | + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} |
| 130 | + KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} |
| 131 | + KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} |
| 132 | + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 |
| 133 | + - name: Generate SSDLC report |
| 134 | + run: | |
| 135 | + AUTHOR="${{ github.actor }}" |
| 136 | + export AUTHOR |
| 137 | + VERSION="${{ steps.extract-version.outputs.VERSION }}" |
| 138 | + export VERSION |
| 139 | + ./scripts/compliance/gen-ssdlc-report.sh |
| 140 | + env: |
| 141 | + KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }} |
| 142 | + SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} |
| 143 | + KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} |
| 144 | + KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} |
| 145 | + - name: Import GPG key |
| 146 | + uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec |
| 147 | + with: |
| 148 | + gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} |
| 149 | + passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }} |
| 150 | + git_user_signingkey: true |
| 151 | + git_commit_gpgsign: true |
| 152 | + - name: Commit changes |
| 153 | + shell: bash |
| 154 | + run: | |
| 155 | + if [[ $(git status --porcelain) ]]; then |
| 156 | + git pull |
| 157 | + git config --local user.email [email protected] |
| 158 | + git config --local user.name svc-apix-bot |
| 159 | + git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }} |
| 160 | + git add compliance/v*/* |
| 161 | + git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}" |
| 162 | + git push origin |
| 163 | + else |
| 164 | + echo "No changes to commit." |
| 165 | + fi |
| 166 | + - name: Upload SBOM as release artifact |
| 167 | + uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 |
| 168 | + with: |
| 169 | + files: compliance/sbom.json |
| 170 | + tag_name: ${{ steps.extract-version.outputs.VERSION }} |
| 171 | + env: |
| 172 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
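Review bot: The "Commit changes" step embeds the bot PAT directly in the remote URL (`git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/...`), so the credential is expanded into the shell script text and persisted in `.git/config` on the runner for the rest of the job; the same `run:` blocks also inline `${{ github.actor }}` and `${{ steps.extract-version.outputs.VERSION }}`, which is the expression-in-script pattern GitHub's workflow hardening guidance recommends replacing with `env:` indirection. Pass these through `env:` and reference them as shell variables, as sketched below, and apply the same to `AUTHOR="${{ github.actor }}"` in the "Generate SSDLC report" step (`env: AUTHOR: ${{ github.actor }}`); an alternative is to hand the token to `actions/checkout`'s `token:` input instead of rewriting the remote. Separately, "Extract Version" is gated with `if: ${{ failure() }}`, so `steps.extract-version.outputs.VERSION` is only set when an earlier step in this job failed; on the normal path the SSDLC report, the commit message and `tag_name:` in the final upload step receive an empty value. This mirrors the existing step at lines 85-87, so it may be deliberate, but it is worth confirming before the job goes live.
```yaml
- name: Commit changes
  shell: bash
  env:
    APIX_BOT_PAT: ${{ secrets.APIX_BOT_PAT }}
    VERSION: ${{ steps.extract-version.outputs.VERSION }}
  run: |
    # … unchanged: git status check, git pull, user.email / user.name config …
    git remote set-url origin "https://svc-apix-bot:${APIX_BOT_PAT}@github.com/${GITHUB_REPOSITORY}"
    git add compliance/v*/*
    git commit -m "chore: Update SSDLC report for ${VERSION}"
    # … unchanged: git push, else branch …
```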