diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a25e11ec..d4a42eb3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -55,231 +55,11 @@ jobs: name: build-artifact path: dist overwrite: true - release_npm: - name: Publish to npm - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Publish to npm with provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - run: | - cd dist/js - npm publish --provenance --access public --tag latest - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to npm failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_maven: - name: Publish to Maven Central - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 - with: - distribution: temurin - java-version: 11.x - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Release - env: - MAVEN_GPG_PRIVATE_KEY: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} - MAVEN_GPG_PRIVATE_KEY_PASSPHRASE: 
${{ secrets.MAVEN_GPG_PRIVATE_KEY_PASSPHRASE }} - MAVEN_PASSWORD: ${{ secrets.MAVEN_PASSWORD }} - MAVEN_USERNAME: ${{ secrets.MAVEN_USERNAME }} - MAVEN_STAGING_PROFILE_ID: ${{ secrets.MAVEN_STAGING_PROFILE_ID }} - MAVEN_SERVER_ID: ${{ vars.MAVEN_SERVER_ID }} - run: npx -p publib@latest publib-maven - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to Maven Central failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_pypi: - name: Publish to PyPI - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c - with: - python-version: 3.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Import GPG key - uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec - with: - gpg_private_key: ${{ secrets.APIX_BOT_GPG_PRIVATE_KEY }} - passphrase: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} - - name: GPG sign PyPI distributions - run: | - for file in dist/python/*.whl dist/python/*.tar.gz; do - if [ -f "$file" ]; then - gpg --batch --yes --pinentry-mode loopback --passphrase "$APIX_BOT_GPG_PASSPHRASE" --detach-sign -a "$file" - fi - done - env: - APIX_BOT_GPG_PASSPHRASE: ${{ secrets.APIX_BOT_GPG_PASSPHRASE }} + - - name: Upload to PyPI - env: - TWINE_USERNAME: ${{ 
secrets.TWINE_USERNAME }} - TWINE_PASSWORD: ${{ secrets.TWINE_PASSWORD }} - run: twine upload dist/* - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to PyPI failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_nuget: - name: Publish to NuGet Gallery - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 - with: - dotnet-version: 9.0.x - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Extract Version - id: extract-version - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Log in to MongoDB Docker registry - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 - with: - registry: ${{ secrets.ARTIFACTORY_REGISTRY }} - username: ${{ secrets.ARTIFACTORY_USER }} - password: ${{ secrets.ARTIFACTORY_PASSWORD }} - - name: Sign NuGet package - run: | - docker run \ - -e GRS_CONFIG_USER1_USERNAME="${{ secrets.ARTIFACTORY_SIGN_USER }}" \ - -e GRS_CONFIG_USER1_PASSWORD="${{ secrets.ARTIFACTORY_SIGN_PASSWORD }}" \ - --rm -v "$(pwd)":"$(pwd)" -w "$(pwd)" \ - "${{ secrets.ARTIFACTORY_REGISTRY }}/${{ secrets.ARTIFACTORY_SIGN_TOOL }}" \ - /bin/bash -c "jsign --tsaurl http://timestamp.digicert.com -a ${{ secrets.AUTHENTICODE_KEY_NAME }} \ - 
./dist/dotnet/MongoDB.AWSCDKResourcesMongoDBAtlas.${{ steps.extract-version.outputs.VERSION }}.nupkg" - - name: Release - env: - NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }} - run: npx -p publib@latest publib-nuget - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to NuGet Gallery failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} - release_golang: - name: Publish to GitHub Go Module Repository - needs: release - runs-on: ubuntu-latest - permissions: - contents: read - issues: write - steps: - - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 - with: - node-version: 18.x - - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 - with: - go-version: ^1.16.0 - - name: Download build artifacts - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 - with: - name: build-artifact - path: dist - - name: Restore build artifact permissions - run: cd dist && setfacl --restore=permissions-backup.acl - continue-on-error: true - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GO_GITHUB_TOKEN }} - GIT_USER_NAME: ${{ secrets.GO_GIT_USER_NAME }} - GIT_USER_EMAIL: ${{ secrets.GO_GIT_USER_EMAIL }} - run: npx -p publib@latest publib-golang - - name: Extract Version - id: extract-version - if: ${{ failure() }} - run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Go Module Repository failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} release_github: name: Publish to GitHub Releases - needs: [release, release_npm, release_maven, release_pypi, 
release_nuget, release_golang] + needs: [release] runs-on: ubuntu-latest permissions: contents: write @@ -296,25 +76,11 @@ jobs: - name: Restore build artifact permissions run: cd dist && setfacl --restore=permissions-backup.acl continue-on-error: true - - name: Release - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} - GITHUB_REF: ${{ github.ref }} - run: errout=$(mktemp); gh release create "$(cat dist/releasetag.txt)" -R "${GITHUB_REPOSITORY}" -F dist/changelog.md -t "$(cat dist/releasetag.txt)" --target "${GITHUB_REF}" 2> "$errout" && true; exitcode=$?; if [ $exitcode -ne 0 ] && ! grep -q "Release.tag_name already exists" "$errout"; then cat "$errout"; exit $exitcode; fi - name: Extract Version id: extract-version if: ${{ failure() }} run: echo "VERSION=$(cat dist/version.txt)" >> "${GITHUB_OUTPUT}" - - name: Create Issue - if: ${{ failure() }} - uses: imjohnbo/issue-bot@572eed14422c4d6ca37e870f97e7da209422f5bd - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - with: - labels: failed-release - title: Publishing v${{ steps.extract-version.outputs.VERSION }} to GitHub Releases failed - body: See https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }} + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Generate PURL and SBOM run: | ./scripts/compliance/gen-purls.sh @@ -328,7 +94,6 @@ jobs: SILKBOMB_IMG: ${{ vars.SILKBOMB_IMG }} KONDUKTO_REPO: ${{ vars.KONDUKTO_REPO }} KONDUKTO_BRANCH_PREFIX: ${{ vars.KONDUKTO_BRANCH_PREFIX }} - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 - name: Generate SSDLC report run: | AUTHOR="${{ github.actor }}"
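Review bot: The removal of release_npm, release_maven, release_pypi, release_nuget and release_golang leaves the credentials those jobs consumed (NPM_TOKEN, MAVEN_GPG_PRIVATE_KEY and its passphrase, MAVEN_USERNAME/PASSWORD, APIX_BOT_GPG_PRIVATE_KEY, TWINE_USERNAME/PASSWORD, NUGET_API_KEY, the ARTIFACTORY_* set and GO_GITHUB_TOKEN) without any remaining reference in this hunk, and the commit does not say whether they are revoked. If no other workflow uses them they should be rotated or deleted from the repository secrets rather than left as live publishing credentials for registries this workflow no longer publishes to. The lone `+` line that appears between the `APIX_BOT_GPG_PASSPHRASE` env entry and the deleted `Upload to PyPI` step looks like an added empty line inside the removed block; if it is, drop it so the `jobs:` mapping does not gain a stray blank line. `needs: [release]` now runs release_github without any registry publish having succeeded, which is fine if intended but is worth a one-line comment above it such as `# registry publishing moved out of this workflow`.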
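Review bot: The new `- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8` step is placed after "Download build artifacts" and "Restore build artifact permissions" have populated `dist` inside the workspace; actions/checkout with its default `clean: true` removes the existing contents of a workspace that is not already a git checkout, so `dist` is likely to be wiped before "Generate PURL and SBOM" and any later step that reads it. Move the checkout to the first step of release_github (or download the artifact after it) so the checkout cannot discard the artifact. The surviving `Extract Version` step with `if: ${{ failure() }}` no longer has a consumer in this hunk now that the `Create Issue` step is gone; unless a step further down reads `steps.extract-version.outputs.VERSION`, delete it. With the `gh release create` step removed, the job name "Publish to GitHub Releases" and its `contents: write` permission (visible in the earlier hunk) no longer match what it does; if no remaining step writes to the repository, reduce it to `contents: read`. The release_github job continues past the end of this hunk.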