Skip to content

Commit

Permalink
prepare release pipeline
Browse files Browse the repository at this point in the history
Signed-off-by: Alex Goodman <alex.goodman@anchore.com>
  • Loading branch information
wagoodman committed Oct 15, 2022
1 parent 5b8e07f commit 71e7f87
Show file tree
Hide file tree
Showing 8 changed files with 115 additions and 95 deletions.
4 changes: 4 additions & 0 deletions .bouncer.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -5,3 +5,7 @@ permit:
- MPL.*
- ISC

ignore-packages:
# at the current version there is no license, however, the MIT license was eventually added
# https://github.com/mattn/go-localereader/blob/2491eb6c1c75720122ef321ed7acc3a8d9de95b1/LICENSE
- github.com/mattn/go-localereader
75 changes: 21 additions & 54 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,14 @@ on:

env:
GO_VERSION: "1.18.x"
GO_CACHE_KEY: efa04b89c1b1

jobs:
quality-gate:
environment: release
runs-on: ubuntu-latest # This OS choice is arbitrary. None of the steps in this job are specific to either Linux or macOS.
steps:
- uses: actions/checkout@v2
- uses: actions/checkout@v3

# we don't want to release commits that have been pushed and tagged, but not necessarily merged onto main
- name: Ensure tagged commit is on main
Expand All @@ -26,7 +27,7 @@ jobs:
git merge-base --is-ancestor ${GITHUB_REF##*/} origin/main && echo "${GITHUB_REF##*/} is a commit on main!"
- name: Check static analysis results
uses: fountainhead/action-wait-for-check@v1.0.0
uses: fountainhead/action-wait-for-check@v1.1.0
id: static-analysis
with:
token: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -35,89 +36,52 @@ jobs:
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Check unit test results
uses: fountainhead/action-wait-for-check@v1.0.0
uses: fountainhead/action-wait-for-check@v1.1.0
id: unit
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Unit tests"
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Check integration test results
uses: fountainhead/action-wait-for-check@v1.0.0
id: integration
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Integration tests"
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Check acceptance test results (linux)
uses: fountainhead/action-wait-for-check@v1.0.0
id: acceptance-linux
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Acceptance tests (Linux)"
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Check acceptance test results (mac)
uses: fountainhead/action-wait-for-check@v1.0.0
id: acceptance-mac
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "Acceptance tests (Mac)"
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Check cli test results (linux)
uses: fountainhead/action-wait-for-check@v1.0.0
id: cli-linux
with:
token: ${{ secrets.GITHUB_TOKEN }}
# This check name is defined as the github action job name (in .github/workflows/testing.yaml)
checkName: "CLI tests (Linux)"
ref: ${{ github.event.pull_request.head.sha || github.sha }}

- name: Quality gate
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success'
run: |
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}"
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
false
release:
needs: [quality-gate]
runs-on: ubuntu-latest
permissions:
packages: write
contents: write
steps:

- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}

- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
fetch-depth: 0

- name: Restore tool cache
id: tool-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ${{ github.workspace }}/.tmp
key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

- name: Restore go cache
id: go-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
- name: (cache-miss) Bootstrap all project dependencies
if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
Expand All @@ -126,15 +90,18 @@ jobs:
- name: Build & publish release artifacts
run: make release
env:
DOCKER_USERNAME: ${{ secrets.TOOLBOX_DOCKER_USER }}
DOCKER_PASSWORD: ${{ secrets.TOOLBOX_DOCKER_PASS }}
GITHUB_TOKEN: ${{ secrets.ANCHORE_GIT_READ_TOKEN }}
QUILL_SIGNING_P12: ${{ secrets.APPLE_SIGNING_P12 }}
QUILL_SIGNING_PASSWORD: ${{ secrets.APPLE_SIGNING_P12_PASSWORD }}
QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

- uses: anchore/sbom-action@v0
with:
artifact-name: sbom.spdx.json

- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
with:
name: artifacts
path: dist/**/*
52 changes: 30 additions & 22 deletions .github/workflows/validations.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ on:

env:
GO_VERSION: "1.18.x"
GO_CACHE_KEY: efa04b89c1b1

jobs:

Expand All @@ -16,27 +17,27 @@ jobs:
name: "Static analysis"
runs-on: ubuntu-20.04
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}

- uses: actions/checkout@v2
- uses: actions/checkout@v3

- name: Restore tool cache
id: tool-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ${{ github.workspace }}/.tmp
key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

- name: Restore go cache
id: go-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
- name: (cache-miss) Bootstrap all project dependencies
if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
Expand All @@ -48,29 +49,36 @@ jobs:
Unit-Test:
# Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
name: "Unit tests"
runs-on: macos-latest
runs-on: macOS-12
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}

- uses: actions/checkout@v2
- uses: actions/checkout@v3
with:
# this downloads and initializes LFS, but does not pull the objects
lfs: true

- name: Checkout LFS objects
# lfs pull does a lfs fetch and lfs checkout, this is NOT the same as "git pull"
run: git lfs pull

- name: Restore tool cache
id: tool-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ${{ github.workspace }}/.tmp
key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

- name: Restore go cache
id: go-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
- name: (cache-miss) Bootstrap all project dependencies
if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
Expand All @@ -79,7 +87,7 @@ jobs:
- name: Run unit tests
run: make unit

- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
with:
name: unit-test-results
path: test/results/**/*
Expand All @@ -88,30 +96,30 @@ jobs:
name: "Build snapshot artifacts"
runs-on: ubuntu-20.04
steps:
- uses: actions/setup-go@v2
- uses: actions/setup-go@v3
with:
go-version: ${{ env.GO_VERSION }}

- uses: actions/checkout@v2
- uses: actions/checkout@v3

- name: Set up QEMU
uses: docker/setup-qemu-action@v1
uses: docker/setup-qemu-action@v2

- name: Restore tool cache
id: tool-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ${{ github.workspace }}/.tmp
key: ${{ runner.os }}-tool-${{ hashFiles('Makefile') }}

- name: Restore go cache
id: go-cache
uses: actions/cache@v2.1.3
uses: actions/cache@v3
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ hashFiles('**/go.sum') }}
key: ${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-${{ env.GO_VERSION }}-
${{ runner.os }}-go-${{ env.GO_VERSION }}-${{ env.GO_CACHE_KEY }}-
- name: (cache-miss) Bootstrap all project dependencies
if: steps.tool-cache.outputs.cache-hit != 'true' || steps.go-cache.outputs.cache-hit != 'true'
Expand All @@ -120,7 +128,7 @@ jobs:
- name: Build snapshot artifacts
run: make snapshot

- uses: actions/upload-artifact@v2
- uses: actions/upload-artifact@v3
with:
name: artifacts
path: snapshot/**/*
Expand Down
52 changes: 45 additions & 7 deletions .goreleaser.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,19 +7,18 @@ release:
draft: true

builds:
- binary: quill
dir: ./cmd/quill
env:
- binary: &name quill
dir: &dir ./cmd/quill
env: &build-env
- CGO_ENABLED=0
goos:
- linux
- windows
- darwin
goarch:
- amd64
# Set the modified timestamp on the output binary to the git timestamp (to ensure a reproducible build)
mod_timestamp: '{{ .CommitTimestamp }}'
ldflags: |
mod_timestamp: &build-timestamp '{{ .CommitTimestamp }}'
ldflags: &build-ldflags |
-w
-s
-extldflags '-static'
Expand All @@ -28,6 +27,45 @@ builds:
-X github.com/anchore/quill/internal/version.buildDate={{.Date}}
-X github.com/anchore/quill/internal/version.gitDescription={{.Summary}}

- id: darwin-build
dir: *dir
binary: *name
goos:
- darwin
goarch:
- amd64
- arm64
mod_timestamp: *build-timestamp
env: *build-env
ldflags: *build-ldflags
hooks:
post:
- cmd: .tmp/quill sign-and-notarize "{{ .Path }}" --dry-run={{ .IsSnapshot }} --ad-hoc={{ .IsSnapshot }} -vv
env:
- QUILL_LOG_FILE=/tmp/quill-{{ .Target }}.log

- id: windows-build
dir: *dir
binary: *name
goos:
- windows
goarch:
- amd64
mod_timestamp: *build-timestamp
env: *build-env
ldflags: *build-ldflags


archives:
- format: tar.gz
- id: linux-archives
builds:
- linux-build

- id: darwin-archives
builds:
- darwin-build

- id: windows-archives
format: zip
builds:
- windows-build
Loading

0 comments on commit 71e7f87

Please sign in to comment.