docs: fix linting #28
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| permissions: | |
| contents: read | |
| jobs: | |
| publish_provider: | |
| runs-on: ubuntu-latest | |
| name: Publish Provider | |
| outputs: | |
| hashes: ${{ steps.hash.outputs.hashes }} | |
| permissions: | |
| contents: write # for goreleaser/goreleaser-action to create a GitHub release | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| # Allow goreleaser to access older tag information. | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: 'go.work' | |
| - name: Install Syft | |
| uses: anchore/sbom-action/download-syft@ab5d7b5f48981941c4c5d6bf33aeb98fe3bae38c # v0.15.10 | |
| - name: Install pulumictl | |
| uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0 | |
| with: | |
| repo: pulumi/pulumictl | |
| - name: Set PreRelease Version | |
| run: echo "GORELEASER_CURRENT_TAG=v$(pulumictl get version --language generic)" >> $GITHUB_ENV | |
| - name: Run GoReleaser | |
| id: run-goreleaser | |
| uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 | |
| with: | |
| args: -p 3 release --clean --timeout 60m0s | |
| version: latest | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate subject | |
| id: hash | |
| env: | |
| ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" | |
| run: | | |
| set -euo pipefail | |
| checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') | |
| echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" | |
| provenance: | |
| needs: [publish_provider] | |
| permissions: | |
| actions: read # To read the workflow path. | |
| id-token: write # To sign the provenance. | |
| contents: write # To add assets to a release. | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0 | |
| with: | |
| base64-subjects: "${{ needs.publish_provider.outputs.hashes }}" | |
| upload-assets: true # upload to a new release | |
| verification: | |
| needs: [publish_provider, provenance] | |
| runs-on: ubuntu-latest | |
| permissions: read-all | |
| steps: | |
| - name: Install the verifier | |
| uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1 | |
| - name: Download assets | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" | |
| run: | | |
| set -euo pipefail | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz" | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom" | |
| gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE" | |
| - name: Verify assets | |
| env: | |
| CHECKSUMS: ${{ needs.publish_provider.outputs.hashes }} | |
| PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}" | |
| run: | | |
| set -euo pipefail | |
| checksums=$(echo "$CHECKSUMS" | base64 -d) | |
| while read -r line; do | |
| fn=$(echo $line | cut -d ' ' -f2) | |
| echo "Verifying $fn" | |
| slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \ | |
| --source-uri "github.com/$GITHUB_REPOSITORY" \ | |
| --source-tag "$GITHUB_REF_NAME" \ | |
| "$fn" | |
| done <<<"$checksums" | |
| publish_sdk: | |
| runs-on: ubuntu-latest | |
| name: Publish SDK | |
| permissions: | |
| id-token: write | |
| contents: read | |
| needs: [publish_provider] | |
| strategy: | |
| max-parallel: 10 | |
| matrix: | |
| node-version: [18.x] | |
| dotnet-version: [3.1.301] | |
| python-version: [3.9] | |
| language: | |
| - go | |
| - nodejs | |
| - python | |
| - dotnet | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version-file: 'go.work' | |
| cache: true | |
| - name: Install pulumictl | |
| uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0 | |
| with: | |
| repo: pulumi/pulumictl | |
| - name: Install Pulumi CLI | |
| uses: pulumi/actions@4b4f7c2d7fc9b1f9db3cc704398a9c25d43da056 # v5.2.0 | |
| - name: Setup DotNet | |
| uses: actions/setup-dotnet@4d6c8fcf3c8f7a60068d26b594648e99df24cee3 # v4.0.0 | |
| with: | |
| dotnet-version: "${{ matrix.dotnet-version }}" | |
| if: matrix.language == 'dotnet' | |
| - name: Setup Python | |
| uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 | |
| with: | |
| python-version: "${{ matrix.python-version }}" | |
| if: matrix.language == 'python' | |
| - name: Use Node.js | |
| uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 | |
| with: | |
| node-version: "${{ matrix.node-version }}" | |
| if: matrix.language == 'nodejs' | |
| - name: Install Plugins | |
| run: make install_plugins | |
| - name: Update Path | |
| run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH | |
| - name: Build SDK | |
| run: make build_${{ matrix.language }} | |
| - name: Publish .NET SDK | |
| run: | | |
| dotnet nuget push -s "${{ env.NUGET_FEED_URL }}" -k "${{ secrets.NUGET_PUBLISH_KEY }}" ${{github.workspace}}/sdk/dotnet/bin/Debug/*.nupkg | |
| env: | |
| NUGET_PUBLISH_KEY: ${{ secrets.NUGET_TOKEN }} | |
| NUGET_FEED_URL: https://api.nuget.org/v3/index.json | |
| if: matrix.language == 'dotnet' | |
| - name: Publish Python SDK | |
| uses: pypa/gh-action-pypi-publish@81e9d935c883d0b210363ab89cf05f3894778450 # v1.8.14 | |
| with: | |
| skip-existing: true | |
| packages-dir: "${{ github.workspace }}/sdk/python/bin/dist/" | |
| if: matrix.language == 'python' | |
| - name: Publish NodeJS SDK | |
| uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c # v3.1.1 | |
| with: | |
| package: ./sdk/nodejs/bin/package.json | |
| access: public | |
| token: ${{ secrets.NPM_TOKEN }} | |
| provenance: true | |
| if: matrix.language == 'nodejs' | |
| tag_sdk: | |
| runs-on: ubuntu-latest | |
| name: Tag SDK Release | |
| permissions: | |
| id-token: write | |
| contents: write | |
| needs: | |
| - publish_sdk | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Git | |
| run: | | |
| git config --local user.email "[email protected]" | |
| git config --local user.name "ctfer-io[bot]" | |
| - name: Get Tag Name | |
| run: | | |
| REF_NAME=`git describe --abbrev=0 --tags` | |
| echo "REF_NAME=${REF_NAME}" >> $GITHUB_ENV | |
| - name: Tag SDK Version | |
| run: | | |
| git tag -a sdk/${{ env.REF_NAME }} -m sdk/${{ env.REF_NAME }} | |
| - name: Push to Repository | |
| run: | | |
| git push origin sdk/${{ env.REF_NAME }} |