Skip to content

Release

Release #145

Workflow file for this run

name: "Release"
permissions: {}
# there should never be two releases in progress at the same time
concurrency:
group: release
cancel-in-progress: false
on:
workflow_dispatch:
inputs:
version:
description: tag the latest commit on main with the given version (prefixed with v)
required: true
jobs:
version-available:
uses: anchore/workflows/.github/workflows/check-version-available.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
permissions:
contents: read # for reading latest tags
with:
version: ${{ github.event.inputs.version }}
check-gate:
permissions:
checks: read # required for getting the status of specific check names
contents: read # needed for using the wait-for-check action upstream
uses: anchore/workflows/.github/workflows/check-gate.yaml@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
with:
# these are checks that should be run on pull-request and merges to main.
# we do NOT want to kick off a release if these have not been verified on main.
# Please see the validations.yaml and nightly-quality-gate.yaml workflows for the names that should be used here.
checks: '["Static Analysis", "Test Gate", "Publish Pre-Prod"]'
tag:
needs: [check-gate, version-available]
runs-on: ubuntu-latest
# the release environment exposes DEPLOY_KEY, the SSH key authorized to push tags to this repo.
# GITHUB_TOKEN cannot push to branch-protected refs, so we authenticate via deploy key instead.
environment: release
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
# in order to properly resolve the version from git
fetch-depth: 0
persist-credentials: false
- name: Tag release
uses: anchore/workflows/.github/actions/create-tag-via-deploy-key@b3e328b5ae31ba96297e2ed9a6124e5e6352a4c5 # v0.7.0
with:
tag: ${{ github.event.inputs.version }}
deploy-key: ${{ secrets.DEPLOY_KEY }}
release-pypi:
needs:
- tag
runs-on: ubuntu-latest
# important! PyPI OIDC auth will fail without environment: release
environment: release
permissions:
contents: read
# required to authenticate with PyPI via OIDC token
id-token: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
# in order to properly resolve the version from git
fetch-depth: 0
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
# note: authentication is via the OIDC token
- name: Publish to PyPI
run: make ci-publish-pypi
release-docker:
needs:
- tag
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
# in order to properly resolve the version from git
fetch-depth: 0
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Login to ghcr.io
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_ACTOR: ${{ github.actor }}
run: |
echo "$GITHUB_TOKEN" | .tool/crane auth login ghcr.io --username "$GITHUB_ACTOR" --password-stdin
echo "$GITHUB_TOKEN" | docker login ghcr.io --username "$GITHUB_ACTOR" --password-stdin
- name: Promote commit image to release
run: |
make ci-promote-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-github:
needs:
- tag
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
issues: read
pull-requests: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
with:
# in order to properly resolve the version from git
fetch-depth: 0
persist-credentials: false
- name: Bootstrap environment
uses: ./.github/actions/bootstrap
- name: Create github release
env:
VERSION: ${{ github.event.inputs.version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
# Validate version format
if [[ ! "$VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "Error: Version must match pattern v*.*.* (e.g., v1.2.3)"
exit 1
fi
make changelog
gh release create "$VERSION" -F CHANGELOG.md -t "$VERSION"