Skip to content
Release

fix(ci): use single quotes in release.yaml #90

Sign in to view logs

fix(ci): use single quotes in release.yaml

fix(ci): use single quotes in release.yaml #90

Workflow file for this run

.github/workflows/release.yaml at 02ecf09
---
name: Release
on:
push:
branches:
- main
workflow_call:
secrets:
ADFINISBOT_PAT:
required: true
jobs:
semrel:
name: Semantic Release
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/checkout@v4
with:
token: ${{ secrets.ADFINISBOT_PAT }}
- name: Semantic Release
uses: go-semantic-release/action@v1
id: semrel
with:
github-token: ${{ secrets.ADFINISBOT_PAT }}
allow-initial-development-versions: true
- name: Adjust Versions
if: steps.semrel.outputs.version != ''
run: |
sed -r 's/"(0.0.0|latest)"/"${{ steps.semrel.outputs.version }}"/g' -i ./ember/package.json ./api/pyproject.toml ./charts/outdated/Chart.yaml
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
if: steps.semrel.outputs.version != ''
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Docker Buildx
if: steps.semrel.outputs.version != ''
uses: docker/setup-buildx-action@v3
- name: Build and Push API Docker Image
if: steps.semrel.outputs.version != ''
uses: docker/build-push-action@v5
id: docker-api
with:
context: ./api/
target: prod
push: true
tags: |
ghcr.io/${{ github.repository }}/api:${{ steps.semrel.outputs.version }}
ghcr.io/${{ github.repository }}/api:latest
- name: Build and Push Ember Docker Image
if: steps.semrel.outputs.version != ''
uses: docker/build-push-action@v5
id: docker-ember
with:
context: ./ember/
push: true
tags: |
ghcr.io/${{ github.repository }}/ember:${{ steps.semrel.outputs.version }}
ghcr.io/${{ github.repository }}/ember:latest
- name: Run Trivy vulnerability scanner on api
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/${{ github.repository }}/api
format: "json"
output: "api.json"
- name: Run Trivy vulnerability scanner on ember
uses: aquasecurity/[email protected]
with:
image-ref: ghcr.io/${{ github.repository }}/ember
format: "json"
output: "ember.json"
- name: Sign the image with GitHub OIDC Token using cosign
run: cosign sign --yes ${{ github.repository }}/${{ inputs.image-ref }}@latest
if: ${{ inputs.sign }}
- name: Convert api trivy results to CycloneDX
uses: aquasecurity/[email protected]
with:
image-ref: api.json
scan-type: "convert"
format: "cyclonedx"
# skip --vuln-type arg
vuln-type: ""
output: "api.cdx"
- name: Convert ember trivy results to CycloneDX
uses: aquasecurity/[email protected]
with:
image-ref: ember.json
scan-type: "convert"
format: "cyclonedx"
# skip --vuln-type arg
vuln-type: ""
output: "ember.cdx"
- name: Attach an SBOM attestation to the signed api image
run: cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }}
- name: Attach an SBOM attestation to the signed ember image
run: cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }}
- name: Set up Helm
if: steps.semrel.outputs.version != ''
uses: azure/[email protected]
with:
version: v3.14.0
- name: Package Chart
if: steps.semrel.outputs.version != ''
run: |
helm repo add bitnami https://charts.bitnami.com/bitnami
helm dependency build charts/outdated
helm package --destination=dist charts/outdated
- name: Push Chart
if: steps.semrel.outputs.version != ''
run: helm push dist/*.tgz oci://ghcr.io/${{ github.repository }}/helm
trivy-scan-api:
if: always()
needs: semrel
uses: ./.github/workflows/trivy-scan.yaml
with:
image-ref: api
attest: ${{ needs.semrel.result == 'success' }}
trivy-scan-ember:
if: always()
needs: semrel
uses: ./.github/workflows/trivy-scan.yaml
with:
image-ref: ember
attest: ${{ needs.semrel.result == 'success' }}