Skip to content

Merge pull request #349 from viccuad/main #47

Merge pull request #349 from viccuad/main

Merge pull request #349 from viccuad/main #47

Workflow file for this run

name: audit-scanner release
on:
push:
tags:
- "v*"
# Declare default permissions as read only.
permissions: read-all
jobs:
ci:
uses: ./.github/workflows/ci.yml
permissions: read-all
build:
name: Build container image, sign it, and generate SBOMs
uses: ./.github/workflows/container-build.yml
permissions:
id-token: write
packages: write
crds:
name: Build CRDs
runs-on: ubuntu-latest
steps:
- name: Install Golang
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: "1.21"
- name: Checkout code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Generate CRDs
run: |
tar -czf CRDS.tar.gz -C config/crd $(ls config/crd)
- name: Upload CRDs as artifacts
uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
with:
name: CRDS
path: CRDS.tar.gz
release:
name: Create release
needs:
- ci
- crds
- build
permissions:
contents: write
runs-on: ubuntu-latest
steps:
- name: Retrieve tag name
if: ${{ startsWith(github.ref, 'refs/tags/') }}
run: |
echo TAG_NAME=$(echo ${{ github.ref_name }}) >> $GITHUB_ENV
- name: Get latest release tag
id: get_last_release_tag
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let release = await github.rest.repos.getLatestRelease({
owner: context.repo.owner,
repo: context.repo.repo,
});
if (release.status === 200 ) {
core.setOutput('old_release_tag', release.data.tag_name)
return
}
core.setFailed("Cannot find latest release")
- name: Get release ID from the release created by release drafter
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let releases = await github.rest.repos.listReleases({
owner: context.repo.owner,
repo: context.repo.repo,
});
for (const release of releases.data) {
if (release.draft) {
core.info(release)
core.exportVariable('RELEASE_ID', release.id)
return
}
}
core.setFailed(`Draft release not found`)
- name: Download SBOM artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: sbom-*
path: ./
merge-multiple: true
- name: Download CRDs artifacts
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
pattern: CRDS
path: ./
merge-multiple: true
- name: Display structure of downloaded files
run: ls -R
- name: Upload release assets
id: upload_release_assets
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
let fs = require('fs');
let path = require('path');
let files = [
'audit-scanner-sbom-amd64.spdx',
'audit-scanner-sbom-amd64.spdx.cert',
'audit-scanner-sbom-amd64.spdx.sig',
'audit-scanner-sbom-arm64.spdx',
'audit-scanner-sbom-arm64.spdx.cert',
'audit-scanner-sbom-arm64.spdx.sig',
"CRDS.tar.gz"]
const {RELEASE_ID} = process.env
for (const file of files) {
let file_data = fs.readFileSync(file);
let response = await github.rest.repos.uploadReleaseAsset({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: `${RELEASE_ID}`,
name: path.basename(file),
data: file_data,
});
// store the crds asset id used it in the helm chart update
if (file === "CRDS.tar.gz") {
core.setOutput('crds_asset_id', response.data.id)
}
}
- name: Publish release
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
with:
script: |
const {RELEASE_ID} = process.env
const {TAG_NAME} = process.env
isPreRelease = ${{ contains(github.ref_name, '-alpha') || contains(github.ref_name, '-beta') || contains(github.ref_name, '-rc') }}
github.rest.repos.updateRelease({
owner: context.repo.owner,
repo: context.repo.repo,
release_id: `${RELEASE_ID}`,
draft: false,
tag_name: `${TAG_NAME}`,
name: `${TAG_NAME}`,
prerelease: isPreRelease,
make_latest: !isPreRelease
});
- name: Debug helm chart update payload
run: |
echo '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}", "crds_asset_id": "${{steps.upload_release_assets.outputs.crds_asset_id}}"}'
- name: Trigger chart update
uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
with:
token: ${{ secrets.WORKFLOW_PAT }}
repository: "${{github.repository_owner}}/helm-charts"
event-type: update-chart
client-payload: '{"version": "${{ github.ref_name }}", "oldVersion": "${{ steps.get_last_release_tag.outputs.old_release_tag }}", "repository": "${{ github.repository }}", "crds_asset_id": "${{steps.upload_release_assets.outputs.crds_asset_id}}"}'