Release #1479
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# This is the workflow for building release artifacts. | |
# Optionally, creating a release with those artifacts is possible by pushing a tag. | |
--- | |
name: Release | |
on: | |
# Allow running this workflow manually from the Actions tab | |
workflow_dispatch: | |
push: | |
branches: | |
- main | |
tags: | |
- '*' | |
jobs: | |
Generate-Completion-Files: | |
name: Generate shell completion files | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout the repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Install protoc | |
run: sudo apt install -y protobuf-compiler | |
- name: Install Rust toolchain | |
run: | | |
rustup toolchain install stable --profile minimal | |
rustup default stable | |
- name: Generate shell completion files | |
run: cargo run --package xtask gencomp | |
- name: Upload shell completions | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: shell-completions | |
path: ./target/completions/ | |
if-no-files-found: error | |
retention-days: 7 | |
Build-CLI: | |
name: Build the CLI binary | |
strategy: | |
fail-fast: false | |
matrix: | |
include: | |
- target: x86_64-unknown-linux-gnu | |
os: ubuntu-20.04 | |
- target: aarch64-unknown-linux-gnu | |
os: [self-hosted, linux, arm64] | |
- target: x86_64-apple-darwin | |
os: macos-latest | |
- target: aarch64-apple-darwin | |
os: macos-14 | |
runs-on: ${{ matrix.os }} | |
steps: | |
- name: Checkout the repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
- if: ${{ runner.os == 'macOS' }} | |
name: Install protoc | |
run: brew install cmake protobuf | |
- if: ${{ runner.os == 'Linux' }} | |
name: Install protoc | |
run: sudo apt update && sudo apt install -y protobuf-compiler | |
- name: Install Rust toolchain | |
run: | | |
curl https://sh.rustup.rs -sSf \ | |
| sh -s -- -y --default-toolchain stable --profile minimal --target ${{ matrix.target }} | |
echo "$HOME/.cargo/bin" >> "$GITHUB_PATH" | |
- name: Build Distributions | |
run: cargo build --release --target ${{ matrix.target }} | |
- name: Upload release artifacts | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: phylum-${{ matrix.target }} | |
path: ./target/${{ matrix.target }}/release/phylum | |
if-no-files-found: error | |
retention-days: 7 | |
Build-Release-Artifacts: | |
name: Build the release artifacts | |
needs: [Generate-Completion-Files, Build-CLI] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Install host dependencies | |
run: sudo apt install -yq zip | |
- name: Checkout the repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
path: cli | |
- name: Download release artifacts | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
- name: Prep archives | |
run: | | |
for archive in phylum-*/; | |
do | |
archive=$(echo "${archive}" | sed -e "s/\/$//") | |
cp -R shell-completions "${archive}/completions" | |
mkdir "${archive}/extensions" | |
for extension in npm poetry yarn pip bundle cargo | |
do | |
cp -R "cli/extensions/${extension}" "${archive}/extensions/${extension}" | |
done | |
cp cli/cli/src/install.sh "${archive}/install.sh" | |
chmod a+x "${archive}/phylum" | |
zip -r "${archive}.zip" "${archive}" | |
done | |
- name: Upload release artifacts | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: release-archives | |
path: phylum-*.zip | |
if-no-files-found: error | |
retention-days: 7 | |
- name: Create release notes | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
script: | | |
const fs = require("node:fs"); | |
const tag = process.env.GITHUB_REF_NAME; | |
const prerelease = !tag.match(/^v(\d+\.)*\d+$/); | |
const ver = prerelease ? "Unreleased" : tag.replace("v", ""); | |
const changelog = fs | |
.readFileSync("cli/CHANGELOG.md", { encoding: "utf-8" }) | |
.split("\n"); | |
const header = changelog.findIndex((line) => line.startsWith(`## ${ver}`)); | |
const nextHeader = changelog.findIndex((line, idx) => idx > header && line.startsWith("## ")); | |
if (header == -1 || nextHeader == -1) throw "Could not find headers"; | |
const releaseNotes = changelog.slice(header + 1, nextHeader).join("\n").trim(); | |
fs.writeFileSync("RELEASE-NOTES.txt", releaseNotes); | |
- name: Upload release notes | |
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 | |
with: | |
name: RELEASE-NOTES.txt | |
path: RELEASE-NOTES.txt | |
if-no-files-found: error | |
retention-days: 7 | |
Release: | |
name: Create release from tag | |
needs: Build-Release-Artifacts | |
# Only run this job when pushing a tag | |
if: startsWith(github.ref, 'refs/tags/') | |
environment: | |
name: release | |
url: ${{ fromJSON(steps.create_release.outputs.result).data.html_url }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download release artifacts | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: release-archives | |
- name: Sign archives | |
env: | |
OPENSSL_KEY: ${{ secrets.OPENSSL_KEY }} | |
run: | | |
for archive in phylum-*.zip; | |
do | |
openssl dgst -sha256 -sign <(printf "%s" "$OPENSSL_KEY") -out "${archive}.signature" "${archive}" | |
done | |
- name: Download release notes | |
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 | |
with: | |
name: RELEASE-NOTES.txt | |
- name: Create GitHub release | |
id: create_release | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
# The response is explicitly returned here so it will be available for other steps | |
script: | | |
const fs = require("node:fs"); | |
const body = fs.readFileSync("RELEASE-NOTES.txt", { encoding: "utf-8" }); | |
const response = await github.rest.repos.createRelease({ | |
owner: context.repo.owner, | |
repo: context.repo.repo, | |
tag_name: process.env.GITHUB_REF_NAME, | |
prerelease: ${{ contains(github.ref, 'rc') }}, | |
name: process.env.GITHUB_REF_NAME, | |
body: body, | |
}); | |
console.log(response); | |
return response; | |
- name: Upload release assets | |
env: | |
UPLOAD_URL: ${{ fromJSON(steps.create_release.outputs.result).data.upload_url }} | |
# NOTE: The `UPLOAD_URL` is provided as an RFC 6570 URI templates, which is not usable directly | |
# without first trimming off the form-style query expansion part (e.g., {?var}) | |
# Reference: https://docs.github.com/en/rest/releases/assets?apiVersion=2022-11-28#upload-a-release-asset | |
run: | | |
API_URL=$(printf "%s" "$UPLOAD_URL" | cut -d '{' -f 1) | |
for asset in phylum-*.zip*; | |
do | |
curl \ | |
-X POST \ | |
-H "Accept: application/vnd.github+json" \ | |
-H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ | |
-H "X-GitHub-Api-Version: 2022-11-28" \ | |
-H "Content-Type: application/octet-stream" \ | |
--data-binary "@$asset" \ | |
"$API_URL?name=$asset" | |
done | |
- name: Trigger phylum-ci Docker image creation | |
# Don't trigger for pre-releases | |
if: ${{ !contains(github.ref, 'rc') }} | |
# Reference: https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
github-token: ${{ secrets.GH_RELEASE_PAT }} | |
script: | | |
const response = await github.rest.repos.createDispatchEvent({ | |
owner: "phylum-dev", | |
repo: "phylum-ci", | |
event_type: "build-push-docker-images", | |
client_payload: {CLI_version: process.env.GITHUB_REF_NAME}, | |
}); | |
console.log(response); | |
- name: Trigger documentation update | |
# Don't trigger for pre-releases | |
if: ${{ !contains(github.ref, 'rc') }} | |
# Reference: https://docs.github.com/en/rest/repos/repos#create-a-repository-dispatch-event | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
with: | |
github-token: ${{ secrets.GH_RELEASE_PAT }} | |
script: | | |
const response = await github.rest.repos.createDispatchEvent({ | |
owner: "phylum-dev", | |
repo: "documentation", | |
event_type: "trigger-update-submodule", | |
client_payload: { | |
repo_name: context.repo.repo, | |
tag_name: process.env.GITHUB_REF_NAME | |
}, | |
}); | |
console.log(response); |