
Commit dccf00d

committed
TEMPORARY see npm version and allow execution
1 parent 9a7d338 commit dccf00d


1 file changed

+7
-235
lines changed

1 file changed

+7
-235
lines changed

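--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,4 +1,4 @@
-name: Release (Requires manual steps to take, check all jobs are successful)
+name: Release DRY RUN (Requires manual steps to take, check all jobs are successful)
 on: workflow_dispatch
 jobs:
 release:
@@ -74,240 +74,12 @@ jobs:
 - name: Restore build artifact permissions
 run: cd dist && setfacl --restore=permissions-backup.acl
 continue-on-error: true
+- run: npm -version
+- run: npm install -g npm@latest
+- run: npm -version
+- run: npm ci
+- run: npm -version
 - name: Publish to npm with provenance
 env:
 NPM_CONFIG_PROVENANCE: true
-run: npx -p publib@latest publib-npm
-release_maven:
-name: Publish to Maven Central
-needs: release
-runs-on: ubuntu-latest
-permissions:
-contents: read
-issues: write
-steps:
-- uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165
-with:
-distribution: temurin
-java-version: 11.x
-- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-with:
-node-version: 18.x
-- name: Download build artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
-with:
-name: build-artifact
-path: dist
-- name: Restore build artifact permissions
-run: cd dist && setfacl --restore=permissions-backup.acl
-continue-on-error: true
-- name: Release
-env:
-MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}
-MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: ${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }}
-MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }}
-MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }}
-MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }}
-MAVEN_SERVER_ID: ${{ vars.MAVEN_SERVER_ID }}
-run: npx -p publib@latest publib-maven
-release_pypi:
-name: Publish to PyPI
-needs: release
-runs-on: ubuntu-latest
-permissions:
-contents: read
-issues: write
-steps:
-- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-with:
-node-version: 18.x
-- uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
-with:
-python-version: 3.x
-- name: Download build artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
-with:
-name: build-artifact
-path: dist
-- name: Restore build artifact permissions
-run: cd dist && setfacl --restore=permissions-backup.acl
-continue-on-error: true
-- name: Import GPG key
-uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
-with:
-gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
-passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }}
-- name: GPG sign PyPI distributions
-run: |
-for file in dist/python/*.whl dist/python/*.tar.gz; do
-if [ -f "$file" ]; then
-gpg --batch --yes --pinentry-mode loopback --passphrase "$APIX_BOT_GPG_PASSPHRASE" --detach-sign -a "$file"
-fi
-done
-env:
-APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }}
-
-- name: Upload to PyPI
-env:
-TWINE_USERNAME: ${{ secrets.TWINE_USERNAME }}
-TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }}
-run: |
-pip install twine
-twine upload dist/python/*.whl dist/python/*.tar.gz
-release_nuget:
-name: Publish to NuGet Gallery
-needs: release
-runs-on: ubuntu-latest
-permissions:
-contents: read
-issues: write
-id-token: write # Required for Trusted Publishing.
-steps:
-- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-with:
-node-version: 18.x
-- uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d
-with:
-dotnet-version: 9.0.x
-- name: Download build artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
-with:
-name: build-artifact
-path: dist
-- name: Restore build artifact permissions
-run: cd dist && setfacl --restore=permissions-backup.acl
-continue-on-error: true
-- name: Extract Version
-id: extract-version
-run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}"
-- name: Log in to MongoDB Docker registry
-uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
-with:
-registry: ${{ secrets.ARTIFACTORY_REGISTRY }}
-username: ${{ secrets.ARTIFACTORY_USER }}
-password: ${{ secrets.ARTIFACTORY_PASSWORD }}
-- name: Sign NuGet package
-run: |
-docker run \
--e GRS_CONFIG_USER1_USERNAME="${{ secrets.ARTIFACTORY_SIGN_USER }}" \
--e GRS_CONFIG_USER1_PASSWORD="${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}" \
---rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \
-"${{ secrets.ARTIFACTORY_REGISTRY }}/${{ secrets.ARTIFACTORY_SIGN_TOOL }}" \
-/bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${{ secrets.AUTHENTICODE_KEY_NAME }} \
-./dist/dotnet/MongoDB.AWSCDKResourcesMongoDBAtlas.${{ steps.extract-version.outputs.VERSION }}.nupkg"
-- id: login
-uses: NuGet/login@d22cc5f58ff5b88bf9bd452535b4335137e24544
-with:
-user: ${{ secrets.NUGET_USER }}
-- name: Release
-env:
-NUGET_API_KEY: ${{ steps.login.outputs.NUGET_API_KEY }}
-run: npx -p publib@latest publib-nuget
-release_golang:
-name: Publish to GitHub Go Module Repository
-needs: release
-runs-on: ubuntu-latest
-permissions:
-contents: read
-issues: write
-steps:
-- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-with:
-node-version: 18.x
-- uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00
-with:
-go-version: ^1.16.0
-- name: Download build artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
-with:
-name: build-artifact
-path: dist
-- name: Restore build artifact permissions
-run: cd dist && setfacl --restore=permissions-backup.acl
-continue-on-error: true
-- name: Release
-env:
-GITHUB_TOKEN: ${{ secrets.GO_GITHUB_TOKEN }}
-GIT_USER_NAME: ${{ secrets.GO_GIT_USER_NAME }}
-GIT_USER_EMAIL: ${{ secrets.GO_GIT_USER_EMAIL }}
-run: npx -p publib@latest publib-golang
-release_github:
-name: Publish to GitHub Releases
-needs: [release, release_npm, release_maven, release_pypi, release_nuget, release_golang]
-runs-on: ubuntu-latest
-permissions:
-contents: write
-issues: write
-steps:
-- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903
-with:
-node-version: 18.x
-- name: Download build artifacts
-uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53
-with:
-name: build-artifact
-path: dist
-- name: Restore build artifact permissions
-run: cd dist && setfacl --restore=permissions-backup.acl
-continue-on-error: true
-- name: Release
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-GITHUB_REPOSITORY: ${{ github.repository }}
-GITHUB_REF: ${{ github.ref }}
-run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi
-- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8
-- name: Generate PURL and SBOM
-run: |
-./scripts/compliance/gen-purls.sh
-./scripts/compliance/gen-sbom.sh
-env:
-SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
-- name: Upload SBOM to Kondukto
-run: ./scripts/compliance/upload-sbom.sh
-env:
-KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
-SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
-KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
-KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
-
-- name: Generate SSDLC report
-run: |
-AUTHOR="${{ github.actor }}"
-export AUTHOR
-VERSION="${{ steps.extract-version.outputs.VERSION }}"
-export VERSION
-./scripts/compliance/gen-ssdlc-report.sh
-env:
-KONDUKTO_TOKEN: ${{ secrets.KONDUKTO_TOKEN }}
-SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }}
-KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }}
-KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }}
-- name: Import GPG key
-uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec
-with:
-gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }}
-passphrase: ${{ secrets.APIX_BOT_PASSPHRASE }}
-git_user_signingkey: true
-git_commit_gpgsign: true
-- name: Commit changes
-shell: bash
-run: |
-if [[ $(git status --porcelain) ]]; then
-git pull
-git config --local user.email [email protected]
-git config --local user.name svc-apix-bot
-git remote set-url origin https://svc-apix-bot:${{ secrets.APIX_BOT_PAT }}@github.com/${{ github.repository }}
-git add compliance/v*/*
-git commit -m "chore: Update SSDLC report for ${{ steps.extract-version.outputs.VERSION }}"
-git push origin
-else
-echo "No changes to commit."
-fi
-- name: Upload SBOM as release artifact
-uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090
-with:
-files: compliance/sbom.json
-tag_name: ${{ steps.extract-version.outputs.VERSION }}
-env:
-GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+run: echo TODO DRY RUN PUBLISH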
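Review bot: The added step `- run: npm install -g npm@latest` (new line 78) pulls a floating npm release into the same job that carries the "Publish to npm with provenance" step, so whatever is tagged `latest` at run time executes in the publishing context without review. Pin it to a vetted version, e.g. `- run: npm install -g npm@<PINNED_VERSION>`, and consider `- run: npm ci --ignore-scripts` on new line 80 so dependency lifecycle scripts do not run in this job. The job's header, permissions and earlier steps lie outside the hunk, so whether a registry token or `id-token: write` is in scope when these steps run is not visible and should be confirmed before this leaves dry-run. The three `npm -version` steps are unnamed; a `name:` such as `Show npm version (before upgrade)` would make the dry-run log easier to follow.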
