AST Cli Release #518
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: AST Cli Release | |
on: | |
workflow_call: | |
inputs: | |
tag: | |
description: 'Next release tag' | |
required: true | |
type: string | |
dev: | |
description: 'Is dev build' | |
required: false | |
default: true | |
type: boolean | |
workflow_dispatch: | |
inputs: | |
tag: | |
description: 'Next release tag' | |
required: true | |
type: string | |
dev: | |
description: 'Is dev build' | |
required: false | |
default: true | |
type: boolean | |
permissions: | |
id-token: write | |
contents: write | |
jobs: | |
build: | |
runs-on: macos-13 | |
env: | |
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
APPLE_DEVELOPER_CERTIFICATE_P12_BASE64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} | |
APPLE_DEVELOPER_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@1e31de5234b9f8995739874a8ce0492dc87873e2 #v4.0.0 | |
with: | |
fetch-depth: 0 | |
- name: Install Go | |
uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 #v4 | |
with: | |
go-version-file: go.mod | |
- name: Import Code-Signing Certificates | |
uses: Apple-Actions/import-codesign-certs@253ddeeac23f2bdad1646faac5c8c2832e800071 #v1 | |
with: | |
# The certificates in a PKCS12 file encoded as a base64 string | |
p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} | |
# The password used to import the PKCS12 file. | |
p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} | |
- name: Updating and upgrading brew | |
run: | | |
git config --global pack.windowMemory "100m" | |
git config --global pack.SizeLimit "100m" | |
git config --global pack.threads "1" | |
git config --global pack.window "0" | |
/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" | |
brew --version | |
- name: Install gon | |
run: | | |
brew install Bearer/tap/gon | |
- name: Setup Docker on macOS | |
if: inputs.dev == false | |
uses: douglascamata/setup-docker-macos-action@0f8f0e9f1033ccfb6676fe219e91781393f8ed4b #v1-alpha | |
- name: Test docker | |
if: inputs.dev == false | |
run: | | |
docker version | |
docker info | |
- name: Login to Docker Hub | |
if: inputs.dev == false | |
uses: docker/login-action@dd4fa0671be5250ee6f50aedf4cb05514abda2c7 #v1 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 #v2 | |
with: | |
role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN }} | |
aws-region: ${{ secrets.AWS_ASSUME_ROLE_REGION }} | |
- name: Tag | |
run: | | |
echo ${{ inputs.tag }} | |
echo "NEXT_VERSION=${{ inputs.tag }}" >> $GITHUB_ENV | |
tag=${{ inputs.tag }} | |
message='${{ inputs.tag }}: PR #${{ github.event.pull_request.number }} ${{ github.event.pull_request.title }}' | |
git config user.name "${GITHUB_ACTOR}" | |
git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" | |
git tag -a "${tag}" -m "${message}" | |
git push origin "${tag}" | |
- name: Build GoReleaser Args | |
run: | | |
args='release --clean --debug' | |
if [ ${{ inputs.dev }} = true ]; then | |
args=${args}' --config=".goreleaser-dev.yml"' | |
fi | |
echo "GR_ARGS=${args}" >> $GITHUB_ENV | |
- name: Echo GoReleaser Args | |
run: echo ${{ env.GR_ARGS }} | |
- name: Run GoReleaser | |
uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 #v3 | |
with: | |
version: v1.18.2 | |
args: ${{ env.GR_ARGS }} | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GO_BOT_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }} | |
S3_BUCKET_NAME: ${{ secrets.S3_BUCKET_NAME }} | |
S3_BUCKET_REGION: ${{ secrets.S3_BUCKET_REGION }} | |
SIGNING_REMOTE_SSH_USER: ${{ secrets.SIGNING_REMOTE_SSH_USER }} | |
SIGNING_REMOTE_SSH_HOST: ${{ secrets.SIGNING_REMOTE_SSH_HOST }} | |
SIGNING_REMOTE_SSH_PRIVATE_KEY: ${{ secrets.SIGNING_REMOTE_SSH_PRIVATE_KEY }} | |
SIGNING_HSM_CREDS: ${{ secrets.SIGNING_HSM_CREDS }} | |
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} # Secret for Cosign private key | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} # Secret for Cosign password | |
COSIGN_PUBLIC_KEY: ${{ secrets.COSIGN_PUBLIC_KEY }} # Secret for Cosign public key | |
- name: Verify Docker image signature | |
if: inputs.dev == false | |
run: | | |
echo "${{ secrets.COSIGN_PUBLIC_KEY }}" > cosign.pub | |
cosign verify --key cosign.pub checkmarx/ast-cli:${{ inputs.tag }} | |
env: | |
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
notify: | |
runs-on: ubuntu-latest | |
if: inputs.dev == false | |
needs: build | |
steps: | |
- name: Get latest release notes | |
id: release | |
env: | |
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
body_release="$(gh api -H "Accept: application/vnd.github.v3+json" /repos/Checkmarx/ast-cli/releases/latest | jq -r '.body' )" | |
body_release="${body_release//$'\n'/'%0A'}" | |
echo "::set-output name=body_release::$body_release" | |
- name: Converts Markdown to HTML | |
id: convert | |
uses: lifepal/markdown-to-html@71ed74a56602597c05dd7dd0e561631557158ed5 #v1.1 | |
with: | |
text: "${{ steps.release.outputs.body_release }}" | |
- name: Clean html | |
id: clean | |
run: | | |
clean="$(echo "${{ steps.convert.outputs.html }}" | awk '{gsub(/id=.[a-z]+/,"");print}' | tr -d '\n')" | |
echo "$clean" | |
echo "::set-output name=clean::$clean" | |
- name: Send a Notification | |
id: notify | |
uses: thechetantalwar/teams-notify@8a78811f5e8f58cdd204efebd79158006428c46b #v2 | |
with: | |
teams_webhook_url: ${{ secrets.TEAMS_WEBHOOK_URI }} | |
message: "${{ steps.clean.outputs.clean }}" |