Release #145
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Release" | |
| permissions: {} | |
| # there should never be two releases in progress at the same time | |
| concurrency: | |
| group: release | |
| cancel-in-progress: false | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version: | |
| description: tag the latest commit on main with the given version (prefixed with v) | |
| required: true | |
| jobs: | |
| version-available: | |
| uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0 | |
| permissions: | |
| contents: read # for reading latest tags | |
| with: | |
| version: ${{ github.event.inputs.version }} | |
| check-gate: | |
| permissions: | |
| checks: read # required for getting the status of specific check names | |
| contents: read # needed for using the wait-for-check action upstream | |
| uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0 | |
| with: | |
| # these are checks that should be run on pull-request and merges to main. | |
| # we do NOT want to kick off a release if these have not been verified on main. | |
| # Please see the validations.yaml and nightly-quality-gate.yaml workflows for the names that should be used here. | |
| checks: '["Static Analysis", "Test Gate", "Publish Pre-Prod"]' | |
| tag: | |
| needs: [check-gate, version-available] | |
| runs-on: ubuntu-latest | |
| # the release environment exposes DEPLOY_KEY, the SSH key authorized to push tags to this repo. | |
| # GITHUB_TOKEN cannot push to branch-protected refs, so we authenticate via deploy key instead. | |
| environment: release | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| # in order to properly resolve the version from git | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Tag release | |
| uses: anchore/workflows/.github/actions/create-tag-via-deploy-key@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0 | |
| with: | |
| tag: ${{ github.event.inputs.version }} | |
| deploy-key: ${{ secrets.DEPLOY_KEY }} | |
| release-pypi: | |
| needs: | |
| - tag | |
| runs-on: ubuntu-latest | |
| # important! PyPI OIDC auth will fail without environment: release | |
| environment: release | |
| permissions: | |
| contents: read | |
| # required to authenticate with PyPI via OIDC token | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| # in order to properly resolve the version from git | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| # note: authentication is via the OIDC token | |
| - name: Publish to PyPI | |
| run: make ci-publish-pypi | |
| release-docker: | |
| needs: | |
| - tag | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| # in order to properly resolve the version from git | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| - name: Login to ghcr.io | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_ACTOR: ${{ github.actor }} | |
| run: | | |
| echo "$GITHUB_TOKEN" | .tool/crane auth login ghcr.io --username "$GITHUB_ACTOR" --password-stdin | |
| echo "$GITHUB_TOKEN" | docker login ghcr.io --username "$GITHUB_ACTOR" --password-stdin | |
| - name: Promote commit image to release | |
| run: | | |
| make ci-promote-release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| release-github: | |
| needs: | |
| - tag | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| issues: read | |
| pull-requests: read | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 | |
| with: | |
| # in order to properly resolve the version from git | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Bootstrap environment | |
| uses: ./.github/actions/bootstrap | |
| - name: Create github release | |
| env: | |
| VERSION: ${{ github.event.inputs.version }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Validate version format | |
| if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
| echo "Error: Version must match pattern v*.*.* (e.g., v1.2.3)" | |
| exit 1 | |
| fi | |
| make changelog | |
| gh release create "$VERSION" -F CHANGELOG.md -t "$VERSION" |