-
Notifications
You must be signed in to change notification settings - Fork 1
161 lines (143 loc) · 5.58 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
# Terraform Provider release workflow.
name: Release
env:
JFROG_SERVER: eng-generic-dev-local
JFROG_CLI_BUILD_NAME: ${{ github.repository }}
SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
# This GitHub action creates a release when a tag that matches the pattern
# "v*" (e.g. v0.1.0) is created.
on:
push:
tags:
- 'v*'
branches:
- main
workflow_dispatch:
# Releases need permissions to read and write the repository contents.
# GitHub considers creating releases and uploading assets as writing contents.
permissions:
contents: write
jobs:
unit_test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Run unit tests
run: |
cd api/client
go test -race -coverprofile=coverage.out -v
ls -alt
go tool cover -func="coverage.out"
- name: Save unit tests coverage
uses: actions/upload-artifact@v4
with:
name: coverage
path: api/client/coverage.out
sonarqube:
# Sonar scan is not required for dependabot PRs
runs-on: ubuntu-latest
needs: unit_test
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
fetch-depth: 0
- name: Download coverage
uses: actions/download-artifact@v4
with:
name: coverage
- name: SonarQube Scan on PR
if: ${{ github.actor != 'dependabot[bot]' && github.event_name == 'pull_request' }}
uses: sonarsource/sonarqube-scan-action@master
with:
projectBaseDir: .
args: >
-Dsonar.projectKey=${{ github.event.repository.name }}
-Dsonar.pullrequest.key=${{ github.event.number }}
-Dsonar.pullrequest.branch=${{ github.head_ref }}
-Dsonar.pullrequest.base=${{ github.base_ref }}
-Dsonar.exclusions=provider/**,main.go,api/client/client_test.go
-Dsonar.go.coverage.reportPaths=coverage.out
env:
SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
SONAR_HOST_URL: https://sonar.dev.beyondtrust.com
- name: SonarQube Scan on branch
if: ${{ github.actor != 'dependabot[bot]' && github.event_name != 'pull_request' }}
uses: sonarsource/sonarqube-scan-action@master
with:
projectBaseDir: .
args: >
-Dsonar.projectKey=${{ github.event.repository.name }}
-Dsonar.exclusions=provider/**,main.go,api/client/client_test.go
-Dsonar.go.coverage.reportPaths=coverage.out
env:
SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
SONAR_HOST_URL: https://sonar.dev.beyondtrust.com
- name: SonarQube Quality Gate check
if: ${{ github.actor != 'dependabot[bot]' && inputs.quality_gate_check }}
uses: sonarsource/sonarqube-quality-gate-action@master
timeout-minutes: 5
env:
SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
goreleaser:
runs-on: ubuntu-latest
needs: [unit_test, sonarqube]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
with:
# Allow goreleaser to access older tag information.
fetch-depth: 0
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
with:
go-version-file: 'go.mod'
cache: true
- name: Jfrog setup
uses: jfrog/setup-jfrog-cli@v3
env:
JF_ENV_1: ${{ secrets.ARTIFACTORY_DEPLOYER }}
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
id: import_gpg
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
# Release the tag into Github. If draft in .goreleaser.yml is on true, not going to auto-publish the build
# It would work only is the is a tag pushed.
- name: Run GoReleaser release
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
if: startsWith(github.ref, 'refs/tags/')
with:
args: release --clean
env:
# GitHub sets the GITHUB_TOKEN secret automatically.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
# Builds binaries artifacts.
- name: Run GoReleaser build
uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
if: ${{ !startsWith(github.ref, 'refs/tags/') }}
with:
args: release --snapshot --clean
env:
# GitHub sets the GITHUB_TOKEN secret automatically.
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
- name: Preparing artifacts
run: |
cd dist
mkdir terraform-provider-passwordsafe
mv *.zip terraform-provider-passwordsafe
- name: Send artifacts to Jfrog
run: |
cd dist
jfrog rt u "terraform-provider-passwordsafe/*" ${{ env.JFROG_SERVER}}
- name: Publish Build Information
run: |
jfrog rt build-add-git
jfrog rt build-collect-env
jfrog rt build-publish ${{ env.JFROG_CLI_BUILD_NAME }} ${{ env.JFROG_CLI_BUILD_NUMBER }}
- name: Scan Build
run: jfrog rt build-scan ${{ env.JFROG_CLI_BUILD_NAME }} ${{ env.JFROG_CLI_BUILD_NUMBER }}