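---
# Release workflow: on every push to main, publish a GitHub Release and
# multi-arch container images for the version declared in package.json,
# unless a GitHub Release for that version already exists.
name: Release

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]

# Scopes granted to the default GITHUB_TOKEN for this workflow:
#   contents: write        - push/move the version tag, create the Release
#   packages: write        - push images to GHCR
#   security-events: write - upload the Trivy SARIF to code scanning
permissions:
  contents: write
  packages: write
  security-events: write

env:
  REGISTRY: ghcr.io
  # NOTE(review): GHCR image paths must be lowercase, while github.repository
  # keeps the owner's casing — confirm this works for the fork owner.
  IMAGE_NAME: ${{ github.repository }}

jobs:
  release:
    name: Build & Release
    runs-on: ubuntu-latest
    # NOTE(review): every third-party action below is pinned to a mutable
    # tag or version; pinning to a full commit SHA (version in a trailing
    # comment) protects the release pipeline from a moved or hijacked tag.
    steps:
      - uses: actions/checkout@v6
        with:
          # Full history so the tag lookups in the steps below see every tag.
          fetch-depth: 0
          fetch-tags: true

      # Gate: only release when package.json names a version that has no
      # GitHub Release yet. Exposes `version` and `should_release` outputs.
      - name: Check for unreleased version
        id: tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          VERSION=$(node -p "require('./package.json').version")
          TAG="v${VERSION}"
          # Check if a GitHub Release (not just a tag) exists for this version.
          # Tags are now created on the development branch before merging to main,
          # so we check for the Release object instead.
          if gh release view "$TAG" >/dev/null 2>&1; then
            echo "GitHub Release $TAG already exists — nothing to release."
            echo "should_release=false" >> "$GITHUB_OUTPUT"
          else
            echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
            echo "should_release=true" >> "$GITHUB_OUTPUT"
            echo "New version ${VERSION} detected — will create release."
          fi

      # The tag may already exist from the development branch; move it to the
      # merge commit on main so the tag, the image and the Release agree.
      # NOTE(review): force-moving a published tag means anyone who fetched
      # it earlier holds a different commit under the same name — accepted
      # here because tags are created before the merge, per the step above.
      - name: Ensure version tag points to this commit
        if: steps.tag.outputs.should_release == 'true'
        env:
          TAG_VERSION: ${{ steps.tag.outputs.version }}
        run: |
          TAG="v${TAG_VERSION}"
          if git rev-parse "$TAG" >/dev/null 2>&1; then
            TAG_SHA="$(git rev-list -n 1 "$TAG")"
            if [ "$TAG_SHA" != "$GITHUB_SHA" ]; then
              echo "Tag $TAG points to $TAG_SHA, retagging to $GITHUB_SHA (main merge commit)."
              git tag -f "$TAG" "$GITHUB_SHA"
              git push origin "$TAG" --force
            fi
          else
            git tag "$TAG"
            git push origin "$TAG"
          fi

      - name: Log in to GHCR
        if: steps.tag.outputs.should_release == 'true'
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Log in to Docker Hub
        if: steps.tag.outputs.should_release == 'true'
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up QEMU (for arm64 cross-compilation)
        if: steps.tag.outputs.should_release == 'true'
        uses: docker/setup-qemu-action@v4

      - name: Set up Docker Buildx
        if: steps.tag.outputs.should_release == 'true'
        uses: docker/setup-buildx-action@v4

      # Builds and pushes both registries' version and `latest` tags in one go.
      # NOTE(review): the image is pushed (including `latest`) before the Trivy
      # scan below runs, so a scan finding cannot stop publication — confirm
      # that this ordering is intended.
      - name: Build and push Docker image
        if: steps.tag.outputs.should_release == 'true'
        uses: docker/build-push-action@v7
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          tags: |
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.version }}
            ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
            docker.io/jordyjordy/tracker-tracker:${{ steps.tag.outputs.version }}
            docker.io/jordyjordy/tracker-tracker:latest
          # NOTE(review): cache-to writes scope buildx-<version> while cache-from
          # reads buildx-amd64/buildx-arm64; unless another workflow populates
          # those scopes the cache is write-only here — verify.
          cache-from: |
            type=gha,scope=buildx-amd64
            type=gha,scope=buildx-arm64
          cache-to: type=gha,mode=max,scope=buildx-${{ steps.tag.outputs.version }}

      # Scans the pushed GHCR image; results go to code scanning. The action's
      # default exit code does not fail the job, so findings are informational.
      - name: Run Trivy vulnerability scanner
        if: steps.tag.outputs.should_release == 'true'
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.version }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          trivyignores: .trivyignore

      - name: Upload Trivy results to GitHub Security
        if: steps.tag.outputs.should_release == 'true'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: trivy-results.sarif

      # SPDX SBOM for the GHCR image; attached to the Release below.
      - name: Generate SBOM
        if: steps.tag.outputs.should_release == 'true'
        uses: anchore/sbom-action@v0.24.0
        with:
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.version }}
          artifact-name: sbom-tracker-tracker.spdx.json
          output-file: sbom-tracker-tracker.spdx.json

      # Pulls the "## [<version>]" section out of CHANGELOG.md (up to the next
      # "## " heading, blank runs collapsed) as the release body; falls back
      # to a plain "Release vX" line when the section is missing or empty.
      - name: Extract changelog for this version
        if: steps.tag.outputs.should_release == 'true'
        id: changelog
        env:
          RELEASE_VERSION: ${{ steps.tag.outputs.version }}
        run: |
          # Escape regex metacharacters in the version so that "1.2.3" matches
          # only its own heading (an unescaped '.' would match any character).
          VERSION_RE=$(printf '%s' "$RELEASE_VERSION" | sed 's/[]\/$*.^[]/\\&/g')
          NOTES=$(sed -n "/^## \[${VERSION_RE}\]/,/^## /{/^## \[${VERSION_RE}\]/d;/^## /d;p}" CHANGELOG.md | sed '/^$/N;/^\n$/d')
          if [ -z "$NOTES" ]; then
            NOTES="Release v${RELEASE_VERSION}"
          fi
          # Multi-line output uses the heredoc form of GITHUB_OUTPUT.
          echo "notes<<CHANGELOG_EOF" >> "$GITHUB_OUTPUT"
          echo "$NOTES" >> "$GITHUB_OUTPUT"
          echo "CHANGELOG_EOF" >> "$GITHUB_OUTPUT"

      - name: Create GitHub Release
        if: steps.tag.outputs.should_release == 'true'
        uses: softprops/action-gh-release@v2
        with:
          tag_name: v${{ steps.tag.outputs.version }}
          name: v${{ steps.tag.outputs.version }}
          body: ${{ steps.changelog.outputs.notes }}
          generate_release_notes: false
          files: sbom-tracker-tracker.spdx.json

      - name: Sync README to Docker Hub
        if: steps.tag.outputs.should_release == 'true'
        uses: peter-evans/dockerhub-description@v5
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
          repository: jordyjordy/tracker-tracker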