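# Manually-triggered release pipeline for syft.
#
# Flow (phase == "all"):
#   quality-gate          -> re-checks CI results for the commit, validates notarization
#                            credentials and the requested tag, and carries the
#                            `release` environment (approval) gate
#   release               -> tags main, builds/signs/publishes artifacts and images
#   release-install-script -> publishes the install script (reusable workflow)
#
# Flow (phase == "install-script-only"):
#   only release-install-script runs. NOTE(review): in this mode neither the
#   quality-gate nor its `release` environment protections are exercised, so
#   dispatch permission alone is enough to re-publish the install script.
name: "Release"

# Workflow-wide default: read-only token. Jobs that must write (release) widen
# this explicitly in their own `permissions` block.
permissions:
  contents: read

on:
  workflow_dispatch:
    inputs:
      version:
        description: tag the latest commit on main with the given version (prefixed with v)
        required: true
      phase:
        description: the specific workflow phase to run or all
        required: true
        default: "all"
        type: choice
        options:
          - "all"
          - "install-script-only"

jobs:
  quality-gate:
    # The `release` environment is where protection rules (e.g. required reviewers)
    # are enforced; `release` depends on this job, so approving this job is what
    # unlocks the publishing steps.
    environment: release
    runs-on: ubuntu-24.04
    if: ${{ github.event.inputs.phase == 'all' }}
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
        with:
          # nothing in this job pushes, so do not leave the token in .git/config
          persist-credentials: false

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap

      # Fail early (before anything is tagged or pushed) if the notarization
      # credentials are missing or rejected by Apple.
      - name: Validate Apple notarization credentials
        run: .tool/quill submission list
        env:
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}

      - name: Check if running on main
        if: github.ref != 'refs/heads/main'
        # we are using the following flag when running `cosign blob-verify` for checksum signature verification:
        # --certificate-identity-regexp "https://github.com/anchore/.github/workflows/release.yaml@refs/heads/main"
        # if we are not on the main branch, the signature will not be verifiable since the suffix requires the main branch
        # at the time of when the OIDC token was issued on the Github Actions runner.
        run: echo "This can only be run on the main branch otherwise releases produced will not be verifiable with cosign" && exit 1

      - name: Check if tag already exists
        # The checkout above is shallow and does not fetch tags by default, so a
        # local `git tag` on its own may not notice a tag that already exists on
        # origin. Ask the remote directly, then create the tag locally so git also
        # validates the tag name. `ls-remote --exit-code` returns 0 when the ref
        # exists and 2 when it does not; anything else is a query failure.
        run: |
          if [[ "$VERSION" != v* ]]; then
            echo "version '$VERSION' does not have a 'v' prefix"
            exit 1
          fi
          rc=0
          git ls-remote --exit-code --tags origin "refs/tags/$VERSION" >/dev/null || rc=$?
          if [[ "$rc" -eq 0 ]]; then
            echo "tag '$VERSION' already exists on origin"
            exit 1
          elif [[ "$rc" -ne 2 ]]; then
            echo "unable to query origin for tag '$VERSION' (git exit code $rc)"
            exit 1
          fi
          git tag "$VERSION"
        env:
          # passed through the environment rather than interpolated into the
          # script so the dispatch input can never be interpreted as shell
          VERSION: ${{ github.event.inputs.version }}

      # The following steps wait for the CI checks of this exact commit. Under
      # workflow_dispatch there is no pull_request payload, so `ref` resolves to
      # github.sha (the head of the dispatched branch).
      - name: Check static analysis results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: static-analysis
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Static analysis"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check unit test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: unit
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Unit tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check integration test results
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: integration
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Integration tests"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check acceptance test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check acceptance test results (mac)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: acceptance-mac
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "Acceptance tests (Mac)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      - name: Check cli test results (linux)
        uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
        id: cli-linux
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          # This check name is defined as the github action job name (in .github/workflows/testing.yaml)
          checkName: "CLI tests (Linux)"
          ref: ${{ github.event.pull_request.head.sha || github.sha }}

      # Fails the job if any of the awaited checks did not conclude successfully,
      # printing every status so the failing check is visible in the log.
      - name: Quality gate
        if: >-
          steps.static-analysis.outputs.conclusion != 'success' ||
          steps.unit.outputs.conclusion != 'success' ||
          steps.integration.outputs.conclusion != 'success' ||
          steps.cli-linux.outputs.conclusion != 'success' ||
          steps.acceptance-linux.outputs.conclusion != 'success' ||
          steps.acceptance-mac.outputs.conclusion != 'success'
        env:
          # all six read the action's `conclusion` output (the static-analysis
          # entry previously omitted `.outputs` and always printed empty)
          STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.outputs.conclusion }}
          UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
          INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
          ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
          ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
          CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
        run: |
          echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
          echo "Unit Test Status: $UNIT_TEST_STATUS"
          echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
          echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
          echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
          echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
          false

  release:
    # Only reachable after quality-gate (and therefore the `release` environment
    # gate) has passed.
    needs: [quality-gate]
    runs-on: ubuntu-24.04
    if: ${{ github.event.inputs.phase == 'all' }}
    # Widened token scope for this job only: pushing the tag and creating the
    # GitHub release (contents), pushing images to GHCR (packages).
    permissions:
      contents: write
      packages: write
      # required for goreleaser signs section with cosign
      id-token: write
    steps:
      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
        with:
          # full history is needed for release notes / tag creation
          fetch-depth: 0
          # the "Tag release" step below pushes using the job token
          persist-credentials: true

      - name: Bootstrap environment
        uses: ./.github/actions/bootstrap

      - name: Login to Docker Hub
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
        with:
          username: ${{ secrets.ANCHOREOSSWRITE_DH_USERNAME }}
          password: ${{ secrets.ANCHOREOSSWRITE_DH_PAT }}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 #v3.5.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Tag release
        run: |
          git config --global user.name "anchoreci"
          git config --global user.email "anchoreci@users.noreply.github.com"
          git tag -a "$VERSION" -m "Release $VERSION"
          # push only the tag created above, never every tag that happens to be local
          git push origin "refs/tags/$VERSION"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VERSION: ${{ github.event.inputs.version }}

      - name: Build & publish release artifacts
        run: make ci-release
        env:
          # for mac signing and notarization...
          QUILL_SIGN_P12: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_CHAIN }}
          QUILL_SIGN_PASSWORD: ${{ secrets.ANCHORE_APPLE_DEVELOPER_ID_CERT_PASS }}
          QUILL_NOTARY_ISSUER: ${{ secrets.APPLE_NOTARY_ISSUER }}
          QUILL_NOTARY_KEY_ID: ${{ secrets.APPLE_NOTARY_KEY_ID }}
          QUILL_NOTARY_KEY: ${{ secrets.APPLE_NOTARY_KEY }}
          # for creating the release (requires write access to packages and content)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # for updating brew formula in anchore/homebrew-syft
          GITHUB_BREW_TOKEN: ${{ secrets.ANCHOREOPS_GITHUB_OSS_WRITE_TOKEN }}

      # Best-effort: an SBOM failure must not roll back an already-published release.
      - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d #v0.20.10
        continue-on-error: true
        with:
          file: go.mod
          artifact-name: sbom.spdx.json

      # Best-effort notification; the version is interpolated as an expression
      # (not into a shell), so the input cannot be used for command injection here.
      - uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e #v3.19.0
        continue-on-error: true
        with:
          status: ${{ job.status }}
          fields: repo,workflow,action,eventName
          text: "A new Syft release has been published: https://github.com/anchore/syft/releases/tag/${{ github.event.inputs.version }}"
        env:
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_TOOLBOX_WEBHOOK_URL }}
        if: ${{ success() }}

  release-install-script:
    needs: [release]
    # `always()` is required so this job is evaluated even when `release` was
    # skipped (install-script-only); the second clause then decides whether to run.
    if: ${{ always() && (needs.release.result == 'success' || github.event.inputs.phase == 'install-script-only') }}
    # NOTE(review): this reusable workflow is referenced by the mutable `main`
    # branch while every action in this file is pinned to a commit SHA. The R2/S3
    # credentials below are handed to whatever that branch currently contains;
    # pin to a commit SHA once a suitable revision is chosen.
    uses: "anchore/workflows/.github/workflows/release-install-script.yaml@main"
    with:
      tag: ${{ github.event.inputs.version }}
    secrets:
      # needed for r2...
      R2_INSTALL_ACCESS_KEY_ID: ${{ secrets.OSS_R2_INSTALL_ACCESS_KEY_ID }}
      R2_INSTALL_SECRET_ACCESS_KEY: ${{ secrets.OSS_R2_INSTALL_SECRET_ACCESS_KEY }}
      R2_ENDPOINT: ${{ secrets.TOOLBOX_CLOUDFLARE_R2_ENDPOINT }}
      # needed for s3...
      S3_INSTALL_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
      S3_INSTALL_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}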