Release - 0.0.25 #32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# SPDX-FileCopyrightText: © 2024 Christopher Woods <[email protected]> | |
# SPDX-FileCopyrightText: © 2024 Matt Williams <[email protected]> | |
# SPDX-License-Identifier: MIT | |
name: Release | |
run-name: Release - ${{ inputs.version }} | |
on: | |
workflow_dispatch: | |
inputs: | |
version: | |
description: The new version, can be "patch", "minor", "major", or a valid semver string | |
type: string | |
required: true | |
concurrency: | |
group: ${{ github.workflow }} | |
permissions: {} | |
jobs: | |
check-inputs: | |
name: Check inputs | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check release branch | |
if: github.ref_name != 'main' | |
run: | | |
echo "::error::Release must be made on the main branch" | |
exit 1 | |
- name: Check version format | |
shell: bash | |
if: ${{ !contains(fromJSON('["major", "minor", "patch"]'), inputs.version) }} | |
run: | | |
if ! [[ '${{ inputs.version }}' =~ [[:digit:]]+\.[[:digit:]]+\.[[:digit:]]+ ]]; then | |
echo "::error::Version string must be a valid semver string" | |
exit 1 | |
fi | |
check: | |
name: Check | |
needs: check-inputs | |
uses: ./.github/workflows/check.yml | |
with: | |
ref: "${{ github.sha }}" | |
permissions: | |
contents: read | |
tag-release: | |
name: Tag release | |
needs: check | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
outputs: | |
ref: "${{ steps.get_version.outputs.version }}" | |
changelog: "${{ steps.changelog.outputs.changelog }}" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ github.ref }} # Use ref here since we must commit on a branch | |
ssh-key: ${{secrets.DEPLOY_KEY}} | |
- name: Install kacl | |
run: | | |
python -m venv ~/venv | |
~/venv/bin/pip install python-kacl | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
with: | |
target: ${{ matrix.target }} | |
- name: Install cargo-edit tool | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-edit | |
- name: Update version string | |
run: | | |
echo Version input is '${{ inputs.version }}' | |
if [ '${{ contains(fromJSON('["major", "minor", "patch"]'), inputs.version) }}' = 'true' ]; then | |
echo 'Setting based on update spec' | |
cargo set-version --bump ${{ inputs.version }} | |
elif [ -n '${{ inputs.version }}' ]; then | |
echo 'Updating based on explicit version' | |
cargo set-version ${{ inputs.version }} | |
fi | |
git add Cargo.toml | |
- name: Save the version | |
id: get_version | |
run: echo version="$(cargo metadata --format-version 1 --no-deps | jq --raw-output '.packages[0].version')" >> "${GITHUB_OUTPUT}" | |
- name: Update version in changelog | |
id: changelog | |
run: | | |
~/venv/bin/kacl-cli release --allow-dirty --no-commit --modify --link "https://github.com/${{ github.repository }}/releases/tag/${{ steps.get_version.outputs.version }}" "${{ steps.get_version.outputs.version }}" | |
git add CHANGELOG.md | |
{ | |
echo 'changelog<<EOF' | |
~/venv/bin/kacl-cli get "${{ steps.get_version.outputs.version }}" | tail -n+2 | |
echo EOF | |
} >> "${GITHUB_OUTPUT}" | |
- name: Tag release | |
run: | | |
git config --global user.name "GitHub Action" | |
git config --global user.email "[email protected]" | |
git commit -m "Release ${{ steps.get_version.outputs.version }}" | |
git tag -a -m "Release ${{ steps.get_version.outputs.version }}" "${{ steps.get_version.outputs.version }}" | |
git push --atomic --tags origin HEAD | |
build-release: | |
name: "Build release (${{ matrix.target }})" | |
needs: tag-release | |
uses: ./.github/workflows/build.yml | |
with: | |
ref: ${{ needs.tag-release.outputs.ref }} | |
permissions: | |
contents: read | |
packages: write | |
attestations: write | |
id-token: write | |
attest-bridge: | |
name: Attest Bridge | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-bridge --output-format=spdx_json_2_3 > sbom-bridge.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-bridge | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-bridge | |
sbom-path: sbom-bridge.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-bridge.spdx.json | |
path: sbom-bridge.spdx.json | |
attest-cluster: | |
name: Attest Cluster | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-cluster --output-format=spdx_json_2_3 > sbom-cluster.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-cluster | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-cluster | |
sbom-path: sbom-cluster.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-cluster.spdx.json | |
path: sbom-cluster.spdx.json | |
attest-clusters: | |
name: Attest Clusters | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-clusters --output-format=spdx_json_2_3 > sbom-clusters.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-clusters | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-clusters | |
sbom-path: sbom-clusters.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-clusters.spdx.json | |
path: sbom-clusters.spdx.json | |
attest-filesystem: | |
name: Attest Filesystem | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-filesystem --output-format=spdx_json_2_3 > sbom-filesystem.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-filesystem | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-filesystem | |
sbom-path: sbom-filesystem.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-filesystem.spdx.json | |
path: sbom-filesystem.spdx.json | |
attest-freeipa: | |
name: Attest FreeIPA | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-freeipa --output-format=spdx_json_2_3 > sbom-freeipa.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-freeipa | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-freeipa | |
sbom-path: sbom-freeipa.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-freeipa.spdx.json | |
path: sbom-freeipa.spdx.json | |
attest-portal: | |
name: Attest Portal | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-portal --output-format=spdx_json_2_3 > sbom-portal.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-portal | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-portal | |
sbom-path: sbom-portal.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-portal.spdx.json | |
path: sbom-portal.spdx.json | |
attest-provider: | |
name: Attest Provider | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-provider --output-format=spdx_json_2_3 > sbom-provider.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-provider | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-provider | |
sbom-path: sbom-provider.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-provider.spdx.json | |
path: sbom-provider.spdx.json | |
attest-slurm: | |
name: Attest Slurm | |
needs: build-release | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
attestations: write | |
id-token: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install toolchain | |
uses: dtolnay/rust-toolchain@stable | |
- name: Install cargo-sbom | |
uses: taiki-e/install-action@v2 | |
with: | |
tool: cargo-sbom | |
- name: Generate SBOM | |
run: cargo sbom --cargo-package op-slurm --output-format=spdx_json_2_3 > sbom-slurm.spdx.json | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-slurm | |
merge-multiple: true | |
- name: Attest SBOM | |
uses: actions/attest-sbom@v1 | |
with: | |
subject-path: op-slurm | |
sbom-path: sbom-slurm.spdx.json | |
- name: Store SBOM | |
uses: actions/upload-artifact@v4 | |
with: | |
name: sbom-slurm.spdx.json | |
path: sbom-slurm.spdx.json | |
make-release: | |
name: Make release ${{ needs.tag-release.outputs.ref }} | |
needs: [build-release, tag-release, attest-bridge, attest-cluster, | |
attest-clusters, attest-filesystem, attest-freeipa, | |
attest-portal, attest-provider, attest-slurm] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
steps: | |
- name: Fetch release artefacts | |
uses: actions/download-artifact@v4 | |
with: | |
pattern: op-* | |
- name: Release | |
uses: softprops/action-gh-release@v2 | |
with: | |
tag_name: ${{ needs.tag-release.outputs.ref }} | |
files: op-* | |
body: ${{ needs.tag-release.outputs.changelog }} |