-
Notifications
You must be signed in to change notification settings - Fork 4
198 lines (172 loc) · 6.98 KB
/
deploy-release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
# SPDX-FileCopyrightText: 2024 Skatteverket - Swedish Tax Agency
#
# SPDX-License-Identifier: CC0-1.0
---
name: Deploy release
on:
workflow_dispatch:
pull_request:
types:
- closed
permissions:
actions: read
contents: write
id-token: write
jobs:
build-release:
if: (github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && contains(github.event.pull_request.labels.*.name, 'release')) )
name: Build release
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
changelog: ${{ steps.get-changelog.outputs.changelog }}
version: ${{ steps.get-version.outputs.version }}
branch: ${{ steps.get-branch.outputs.branch }}
runs-on: ubuntu-latest
steps:
# Checkout project repository
- name: Checkout
uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 #v4.2.0
# Install pnpm
- name: Install pnpm
uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
with:
run_install: false
# Setup Node.js environment
- name: Install Node.js
uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
with:
node-version-file: ".nvmrc"
cache: pnpm
registry-url: https://registry.npmjs.org
# Import GPG key to use for signing
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PRIVATE_KEY_PASSWORD }}
# Configure Git
- name: Git configuration
run: |
git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
git config --global user.name "GitHub Actions"
# Get branch name
- id: get-branch
name: Get branch name
run: |
echo "BRANCH_NAME=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_ENV"
echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> "$GITHUB_OUTPUT"
# Get release tag
- name: Bump release version
if: contains(env.BRANCH_NAME, 'beta') != true
run: |
echo "RELEASE_TAG=latest" >> "$GITHUB_ENV"
# Get release tag if pre release
- name: Bump pre-release version
if: contains(env.BRANCH_NAME, 'beta')
run: |
echo "RELEASE_TAG=beta" >> "$GITHUB_ENV"
# Create semver version
- id: get-version
name: Get version
run: |
NEW_VERSION=${{ env.BRANCH_NAME }}
NEW_VERSION=${NEW_VERSION//-beta}
NEW_VERSION=${NEW_VERSION//release\/}
echo "NEW_VERSION=${NEW_VERSION}" >> "$GITHUB_ENV"
echo "NEW_SEMVER_VERSION=${NEW_VERSION//v}" >> "$GITHUB_ENV"
echo "version=${NEW_VERSION}" >> "$GITHUB_OUTPUT"
# Install dependencies
- name: Install dependencies
run: pnpm install --frozen-lockfile
# Build
- name: Build
run: |
pnpm run -r build
cp ./packages/react-mla/package.json ./packages/react-mla/dist
cp ./packages/webcomponent-mla/package.json ./packages/webcomponent-mla/dist
# Publish version to public repository
- name: Publish react-mla
run: pnpm publish ./packages/react-mla --access restricted --tag ${{ env.RELEASE_TAG }} --no-git-checks --dry-run
env:
NODE_AUTH_TOKEN: ${{ secrets.NPMJS_ACCESS_TOKEN }}
# Publish version to public repository
- name: Publish webcomponent-mla
run: pnpm publish ./packages/webcomponent-mla --access restricted --tag ${{ env.RELEASE_TAG }} --no-git-checks --dry-run
env:
NODE_AUTH_TOKEN: ${{ secrets.NPMJS_ACCESS_TOKEN }}
# Read version changelog
- id: get-changelog
name: Get version changelog
uses: superfaceai/release-changelog-action@38646ad355e5d79bf7aa12e233a1573e4d36faee # v2.1.3
with:
path-to-changelog: CHANGELOG.md
version: ${{ env.NEW_VERSION }}
operation: read
# Generate hashes needed for provenance
- id: hash
name: Generate hashes for release artifacts
shell: bash
run: |
echo "hashes=$(sha256sum ./packages/webcomponent-mla/dist/mla-component.umd.cjs | base64 -w0)" >> "$GITHUB_OUTPUT"
# Create signature
- name: Create signature
run: |
gpg --armor --detach-sign ./packages/webcomponent-mla/dist/mla-component.umd.cjs
# Upload artifact
- name: Upload mla-component.umd.cjs
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 #v4.4.0
with:
name: mla-component.umd.cjs
path: ./packages/webcomponent-mla/dist/mla-component.umd.cjs
if-no-files-found: error
retention-days: 5
# Upload signature
- name: Upload mla-component.umd.cjs
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 #v4.4.0
with:
name: mla-component.umd.cjs.asc
path: ./packages/webcomponent-mla/dist/mla-component.umd.cjs.asc
if-no-files-found: error
retention-days: 5
# This step calls the generic workflow to generate provenance.
provenance:
needs: [build-release]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
with:
base64-subjects: "${{ needs.build-release.outputs.hashes }}"
upload-assets: false
# This step uploads our artifacts to the tagged GitHub release.
release:
name: Create release
needs: [build-release, provenance]
runs-on: ubuntu-latest
steps:
- name: Download mla-component.umd.cjs
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: mla-component.umd.cjs
- name: Download mla-component.umd.cjs.asc
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: mla-component.umd.cjs.asc
- name: Download mla-component.umd.cjs.intoto.jsonl
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
with:
name: mla-component.umd.cjs.intoto.jsonl
# Update GitHub release with changelog
- name: Update GitHub release documentation
uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
with:
tag_name: ${{ needs.build-release.outputs.version }}
body: ${{ needs.build-release.outputs.changelog }}
prerelease: contains(needs.build-release.outputs.branch, 'beta')
files: |
mla-component.umd.cjs
mla-component.umd.cjs.asc
mla-component.umd.cjs.intoto.jsonl
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}