-
Notifications
You must be signed in to change notification settings - Fork 67
256 lines (240 loc) · 12.5 KB
/
release-please.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
on:
push:
branches:
- main
env:
# Stringified list of items that should be published
PUBLISHABLE_ITEMS: '["flagd","flagd-proxy"]'
REGISTRY: ghcr.io
REPO_OWNER: ${{ github.repository_owner }}
DEFAULT_GO_VERSION: '~1.21'
PUBLIC_KEY_FILE: publicKey.pub
GOPRIVATE: buf.build/gen/go
name: Release Please
jobs:
release-please:
name: Release Please
runs-on: ubuntu-latest
# Release-please creates a PR that tracks all changes
steps:
- name: Get current date
id: date
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
- uses: google-github-actions/release-please-action@v3
id: release
with:
command: manifest
token: ${{secrets.GITHUB_TOKEN}}
default-branch: main
signoff: "OpenFeature Bot <[email protected]>"
- name: Dump Release Please Output
env:
RELEASE_PLEASE_OUTPUT: ${{ toJson(steps.release.outputs) }}
run: |
echo "$RELEASE_PLEASE_OUTPUT"
- name: Determine what should be published
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
id: items-to-publish
env:
CHANGED_ITEMS: "${{ steps.release.outputs.paths_released }}"
with:
# Release please outputs a string representation of an array under the key paths_released
# This script parses the output, and filters each of the changed items (provided as paths to the root of the package, e.g. flagd or core)
# to remove any values not present in the PUBLISHABLE_ITEMS array. This filtered array is then stringified and exported as items-to-publish.outputs.result
# this can be picked up by subsequent jobs and used in a matrix to loop over the PUBLISHABLE_ITEMS within the release
script: |
const changedItems = JSON.parse(process.env.CHANGED_ITEMS || '[]');
console.log("changed items", changedItems);
const eligibleItems = JSON.parse(process.env.PUBLISHABLE_ITEMS || '[]');
console.log("eligible items", eligibleItems);
const itemsToPublish = changedItems.filter(i => eligibleItems.includes(i));
console.log("items to publish", itemsToPublish);
return itemsToPublish;
outputs:
date: ${{ steps.date.outputs.date }}
items_to_publish: ${{ steps.items-to-publish.outputs.result }}
flagd_version: ${{ steps.release.outputs.flagd--version }}
flagd_tag_name: ${{ steps.release.outputs.flagd--tag_name }}
flagd-proxy_version: ${{ steps.release.outputs.flagd-proxy--version }}
flagd-proxy_tag_name: ${{ steps.release.outputs.flagd-proxy--tag_name }}
container-release:
name: Build and push containers to GHCR
needs: release-please
runs-on: ubuntu-latest
if: ${{ needs.release-please.outputs.items_to_publish != '' && toJson(fromJson(needs.release-please.outputs.items_to_publish)) != '[]' }}
strategy:
matrix:
path: ${{ fromJSON(needs.release-please.outputs.items_to_publish) }}
env:
TAG: ${{ needs.release-please.outputs[format('{0}_tag_name', matrix.path)] }}
VERSION: v${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{ env.TAG }}
- name: Log in to the Container registry
uses: docker/login-action@3d58c274f17dffee475a5520cbe67f0a882c4dbb
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ matrix.path }}
- name: Set up QEMU
uses: docker/setup-qemu-action@master
with:
platforms: all
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@master
- name: Build
id: build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: .
file: ./${{ matrix.path }}/build.Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: |
${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:latest
${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
VERSION=${{ env.VERSION }}
COMMIT=${{ github.sha }}
DATE=${{ needs.release-please.outputs.date }}
- name: Install Cosign
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4
- name: Sign the image
run: |
cosign sign --yes --key env://COSIGN_PRIVATE_KEY ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}@${{ steps.build.outputs.digest }}
cosign public-key --key env://COSIGN_PRIVATE_KEY --outfile ${{ env.PUBLIC_KEY_FILE }}
env:
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
- name: Generate image SBOM file name
id: image-sbom-file-gen
run: echo "IMG_SBOM_FILE=${{ format('{0}-{1}-sbom.spdx', matrix.path, env.VERSION) }}" >> $GITHUB_OUTPUT
- name: SBOM for latest image
uses: anchore/sbom-action@b6a39da80722a2cb0ef5d197531764a89b5d48c3 # v0
with:
image: ${{ env.REGISTRY }}/${{ env.REPO_OWNER }}/${{ matrix.path }}:${{ env.VERSION }}
artifact-name: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
output-file: ${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
- name: Bundle release assets
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
tag_name: ${{ env.TAG }}
files: |
${{ env.PUBLIC_KEY_FILE }}
${{ steps.image-sbom-file-gen.outputs.IMG_SBOM_FILE }}
release-go-binaries:
name: Create and publish binaries to GitHub
needs: release-please
runs-on: ubuntu-latest
if: ${{ needs.release-please.outputs.items_to_publish != '' && toJson(fromJson(needs.release-please.outputs.items_to_publish)) != '[]' }}
strategy:
matrix:
path: ${{ fromJSON(needs.release-please.outputs.items_to_publish) }}
env:
TAG: ${{ needs.release-please.outputs[format('{0}_tag_name', matrix.path)] }}
VERSION: v${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
VERSION_NO_PREFIX: ${{ needs.release-please.outputs[format('{0}_version', matrix.path)] }}
COMMIT: ${{ github.sha }}
DATE: ${{ needs.release-please.outputs.date }}
BUILD_ARGS: '-a -ldflags "-X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${DATE}"'
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
with:
ref: ${{ env.TAG }}
- name: Set up Go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5
with:
go-version: ${{ env.DEFAULT_GO_VERSION }}
- name: Download cyclonedx-gomod
uses: CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f # v2
with:
version: v1
- name: setup for builds
# TODO: The README should also be moved ready for bundling once both flagd-proxy and flagd have package specific READMEs
run: |
make workspace-init
mv ./${{ matrix.path }}/CHANGELOG.md CHANGELOG.md
cd ${{ matrix.path }} && cyclonedx-gomod app > ../sbom.xml
- name: build darwin arm64
run: |
env CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_darwin_arm64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Darwin_arm64.tar.gz ./${{ matrix.path }}_darwin_arm64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build darwin x86_64
run: |
env CGO_ENABLED=0 GOOS=darwin GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_darwin_x86_64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Darwin_x86_64.tar.gz ./${{ matrix.path }}_darwin_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux arm64
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=arm64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_arm64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_arm64.tar.gz ./${{ matrix.path }}_linux_arm64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux x86_64
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_x86_64 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_x86_64.tar.gz ./${{ matrix.path }}_linux_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build linux i386
run: |
env CGO_ENABLED=0 GOOS=linux GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_linux_i386 ./${{ matrix.path }}/main.go
tar -cvzf ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Linux_i386.tar.gz ./${{ matrix.path }}_linux_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
# Windows artifacts use .zip archive
- name: build windows x86_64
run: |
env CGO_ENABLED=0 GOOS=windows GOARCH=amd64 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_x86_64 ./${{ matrix.path }}/main.go
zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_x86_64.zip ./${{ matrix.path }}_windows_x86_64 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
- name: build windows i386
run: |
env CGO_ENABLED=0 GOOS=windows GOARCH=386 go build ${{ env.BUILD_ARGS }} -o ./${{ matrix.path }}_windows_i386 ./${{ matrix.path }}/main.go
zip -r ${{ matrix.path }}_${{ env.VERSION_NO_PREFIX }}_Windows_i386.zip ./${{ matrix.path }}_windows_i386 ./LICENSE ./CHANGELOG.md ./README.md ./sbom.xml
# Bundle licenses
- name: Install go-licenses
run: go install github.com/google/go-licenses@latest
- name: Build license extraction locations
id: license-files
run: |
echo "LICENSE_FOLDER=${{ format('{0}-third-party-license', matrix.path) }}" >> $GITHUB_OUTPUT
echo "LICENSE_ERROR_FILE=${{ format('{0}-license-errors.txt', matrix.path) }}" >> $GITHUB_OUTPUT
- name: Run go-licenses for module ${{ matrix.path }}
run: go-licenses save ./${{ matrix.path }} --save_path=./${{ steps.license-files.outputs.LICENSE_FOLDER }} --force --logtostderr=false 2> ./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
continue-on-error: true # tool set stderr which can be ignored and referred through error artefact
- name: Bundle license extracts
run: tar czf ./${{ steps.license-files.outputs.LICENSE_FOLDER }}.tar.gz ./${{ steps.license-files.outputs.LICENSE_FOLDER }}
# Bundle release artifacts
- name: Bundle release assets
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
with:
tag_name: ${{ env.TAG }}
files: |
./sbom.xml
./*.tar.gz
./*.zip
./${{ steps.license-files.outputs.LICENSE_ERROR_FILE }}
homebrew:
name: Bump homebrew-core formula
needs: release-please
runs-on: ubuntu-latest
# Only run on non-forked flagd releases
if: ${{ github.repository_owner == 'open-feature' && needs.release-please.outputs.flagd_tag_name }}
steps:
- uses: mislav/bump-homebrew-formula-action@v2
with:
formula-name: flagd
# https://github.com/mislav/bump-homebrew-formula-action/issues/58
formula-path: Formula/f/flagd.rb
tag-name: ${{ needs.release-please.outputs.flagd_tag_name }}
download-url: https://github.com/${{ github.repository }}.git
commit-message: |
{{formulaName}} ${{ needs.release-please.outputs.flagd_version }}
Created by https://github.com/mislav/bump-homebrew-formula-action
env:
COMMITTER_TOKEN: ${{ secrets.COMMITTER_TOKEN }}