release.yaml
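---
# Release pipeline: on every push to main, cut a semver tag from the commit
# history, build multi-arch containers and cross-compiled binaries for that
# tag, then publish a GitHub release carrying the binaries and their checksums.
name: release

on:
  push:
    branches:
      - main

# One release run at a time. Overlapping runs would race on tag creation and
# on the mutable `latest` container tag; queue behind an in-flight release
# instead of cancelling it.
concurrency:
  group: release
  cancel-in-progress: false

# GITHUB_TOKEN starts with no scopes; each job widens only what it needs.
permissions: {}

jobs:
  tag:
    name: Create version tag
    runs-on: ubuntu-latest
    # Creating the git tag via the API requires write access to contents.
    permissions:
      contents: write
    outputs:
      changelog: ${{ steps.tag.outputs.changelog }}
      tag: ${{ steps.tag.outputs.new_tag }}
      version: ${{ steps.tag.outputs.new_version }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # NOTE(review): third-party actions throughout this file are pinned to
      # mutable tags. Pinning each `uses:` to a full commit SHA (with the
      # version in a trailing comment) keeps a retagged or compromised
      # upstream from changing what runs with this repository's token.
      - name: Bump version and tag
        uses: mathieudutour/github-tag-action@v6.2
        id: tag
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          custom_release_rules: chore:patch:Chores

  containers:
    name: Create containers
    runs-on: ubuntu-latest
    needs: tag
    permissions:
      contents: read
      packages: write          # ko pushes to ghcr.io
      security-events: write   # upload-sarif writes to the Security tab
      actions: read            # upload-sarif; only required on private repos
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: WillAbides/setup-go-faster@v1.14.0
        with:
          go-version: '1.22.0'
      - name: Setup Ko
        uses: imjasonh/setup-ko@v0.7
        with:
          version: v0.11.2
      - name: Build and push containers
        # Workflow expressions are passed through env rather than interpolated
        # into the script: the repository name and description are free text
        # and would otherwise be spliced into the command line before bash
        # parses it (a `"` or `$(` in the description breaks the command).
        env:
          VERSION: ${{ needs.tag.outputs.tag }}
          REPO_NAME: ${{ github.event.repository.name }}
          REPO_DESCRIPTION: ${{ github.event.repository.description }}
          REPO_URL: https://github.com/${{ github.repository }}
          REVISION: ${{ github.sha }}
        run: |
          ko build \
            --platform=linux/amd64,linux/arm/v7,linux/arm64 \
            --bare \
            --tags="latest,${VERSION}" \
            --image-label="org.opencontainers.image.title=${REPO_NAME}" \
            --image-label="org.opencontainers.image.description=${REPO_DESCRIPTION}" \
            --image-label="org.opencontainers.image.source=${REPO_URL}" \
            --image-label="org.opencontainers.image.version=${VERSION}" \
            --image-label="org.opencontainers.image.revision=${REVISION}" \
            ./
      # Scan the version tag this run just pushed rather than `latest`, so the
      # report always describes this run's image. The scan is report-only and
      # runs after the push: findings land in the Security tab but do not
      # block publication (trivy-action's `exit-code` input would gate on them).
      - name: Scan container
        id: scan
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ghcr.io/${{ github.repository }}:${{ needs.tag.outputs.tag }}
          format: sarif
          output: trivy-results.sarif
          severity: CRITICAL,HIGH
      # Upload even when the scan step itself fails, but not when it never ran
      # (e.g. the build failed): there is no SARIF file to upload in that case
      # and a plain `always()` would only add a second, misleading failure.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always() && steps.scan.outcome != 'skipped'
        with:
          sarif_file: trivy-results.sarif

  binaries:
    name: Create binaries
    runs-on: ubuntu-latest
    needs: tag
    permissions:
      contents: read
    strategy:
      matrix:
        goos: [linux, windows, darwin]
        goarch: ["386", amd64, arm, arm64]
        # Combinations Go does not support (or that are not shipped here).
        exclude:
          - goos: windows
            goarch: "386"
          - goos: windows
            goarch: arm
          - goos: windows
            goarch: arm64
          - goos: darwin
            goarch: "386"
          - goos: darwin
            goarch: arm
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup Go
        uses: WillAbides/setup-go-faster@v1.14.0
        with:
          go-version: '1.22.0'
      - name: Build binaries
        env:
          GOOS: ${{ matrix.goos }}
          GOARCH: ${{ matrix.goarch }}
          # <repo>-<tag>-<os>-<arch>; the release job globs on this shape.
          BINARY: ${{ github.event.repository.name }}-${{ needs.tag.outputs.tag }}-${{ matrix.goos }}-${{ matrix.goarch }}
          # Stamps the tag into main.Version at link time.
          VERSIONFLAG: -X 'main.Version=${{ needs.tag.outputs.tag }}'
        run: |
          go build -ldflags="${VERSIONFLAG}" -o "${BINARY}"
      - name: Save artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ github.event.repository.name }}-${{ needs.tag.outputs.tag }}-${{ matrix.goos }}-${{ matrix.goarch }}
          path: ${{ github.event.repository.name }}-*-*-*
          # Artifacts only need to survive until the release job collects them.
          retention-days: 1

  release:
    name: Create release
    runs-on: ubuntu-latest
    needs:
      - tag
      - binaries
      - containers
    # Creating the release and uploading assets requires contents write.
    permissions:
      contents: write
    steps:
      - name: Fetch binaries
        uses: actions/download-artifact@v4
        with:
          pattern: ${{ github.event.repository.name }}-*-*-*
          merge-multiple: true
      - name: Create checksums
        # Same env-passing discipline as the container build: keep workflow
        # expressions out of the shell script text.
        env:
          REPO_NAME: ${{ github.event.repository.name }}
          VERSION: ${{ needs.tag.outputs.tag }}
        run: |
          sha256sum "${REPO_NAME}"-v*-*-* | tee "${REPO_NAME}-${VERSION}.sha256"
      - name: Create release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ needs.tag.outputs.tag }}
          name: Release ${{ needs.tag.outputs.version }}
          body: |
            Changes in this release:
            ${{ needs.tag.outputs.changelog }}
            Docker image: ghcr.io/${{ github.repository }}:${{ needs.tag.outputs.tag }}
          files: ${{ github.event.repository.name }}-v*-*-*,${{ github.event.repository.name }}-*.sha256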