chore: finish transition to main branch (#561) #156
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# encoding: utf-8 | |
# This file is part of CycloneDX Python | |
# | |
# Licensed under the Apache License, Version 2.0 (the "License"); | |
# you may not use this file except in compliance with the License. | |
# You may obtain a copy of the License at | |
# | |
# http://www.apache.org/licenses/LICENSE-2.0 | |
# | |
# Unless required by applicable law or agreed to in writing, software | |
# distributed under the License is distributed on an "AS IS" BASIS, | |
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
# See the License for the specific language governing permissions and | |
# limitations under the License. | |
# | |
# SPDX-License-Identifier: Apache-2.0 | |
# Copyright (c) OWASP Foundation. All Rights Reserved. | |
name: Release | |
on: | |
push: | |
branches: ["main"] | |
workflow_dispatch: | |
concurrency: | |
group: release | |
cancel-in-progress: false | |
env: | |
REPORTS_DIR: CI_reports | |
DIST_DIR: dist | |
DIST_ARTIFACT: python-dist | |
PYTHON_VERISON: "3.10" | |
POETRY_VERSION: "1.1.15" | |
jobs: | |
release-PyPI: | |
name: "Release: GitHub, PyPI" | |
# https://github.community/t/how-do-i-specify-job-dependency-running-in-another-workflow/16482 | |
# limit this to being run on regular commits, not the commits that semantic-release will create | |
if: | | |
github.ref == 'refs/heads/main' && | |
!contains(github.event.head_commit.message, 'chore(release):') | |
runs-on: ubuntu-latest | |
outputs: | |
version-before: ${{ steps.before-release.outputs.version }} # version may be empty | |
released: ${{ steps.after-release.outputs.released }} # optional bool-ish string | |
version-after: ${{ steps.after-release.outputs.version }} # version may still be empty | |
steps: | |
- name: Checkout code | |
# see https://github.com/actions/checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # action `relekang/python-semantic-release` requires all git history | |
- name: Setup python ${{ env.PYTHON_VERISON }} | |
# see https://github.com/actions/setup-python | |
uses: actions/setup-python@v4 | |
with: | |
python-version: ${{ env.PYTHON_VERISON }} | |
- name: Setup poetry ${{ env.POETRY_VERSION }} | |
# see https://github.com/marketplace/actions/setup-poetry | |
uses: Gr1N/setup-poetry@v8 | |
with: | |
poetry-version: ${{ env.POETRY_VERSION }} | |
- name: pre-hook | |
id: before-release | |
run: | | |
VERSION="$(poetry version --short --no-interaction --no-ansi)" | |
# version may be empty at first | |
echo "version=$VERSION" >> $GITHUB_OUTPUT | |
- name: Python Semantic Release | |
id: semantic-release | |
# see https://python-semantic-release.readthedocs.io/en/latest/automatic-releases/github-actions.html | |
# see https://github.com/relekang/python-semantic-release | |
uses: relekang/[email protected] | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
repository_username: __token__ | |
repository_password: ${{ secrets.PYPI_TOKEN }} | |
pypi_token: ${{ secrets.PYPI_TOKEN }} | |
- name: post-hook | |
id: after-release | |
run: | | |
VERSION="$(poetry version --short --no-interaction --no-ansi)" | |
# version may still be empty | |
echo "version=$VERSION" >> $GITHUB_OUTPUT | |
if [ "$VERSION" != "$VERSION_PRE" ] | |
then | |
echo "released=true" >> $GITHUB_OUTPUT | |
fi | |
env: | |
VERSION_PRE: ${{ steps.before-release.outputs.version }} | |
- name: Artifact python dist | |
if: | | |
!failure() && !cancelled() && | |
steps.after-release.outputs.released | |
# see https://github.com/actions/upload-artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ env.DIST_ARTIFACT }} | |
path: ${{ env.DIST_DIR }}/ | |
if-no-files-found: error | |
# Dist results are required for further processing. | |
# Therefore, make sure that python-semantic-release is configuret to keep dist. | |
# see https://python-semantic-release.readthedocs.io/en/latest/configuration.html?highlight=remove_dist#remove-dist | |
release-DockerHub: | |
name: "Release: DockerHub" | |
needs: | |
- release-PyPI | |
if: | | |
!failure() && !cancelled() && | |
needs.release-PyPI.result == 'success' && | |
needs.release-PyPI.outputs.released && | |
needs.release-PyPI.outputs.version-after | |
runs-on: ubuntu-latest | |
env: | |
VERSION: ${{ needs.release-PyPI.outputs.version-after }} | |
ARTIFACT_DOCKER_SBOM: 'docker-image-bom' | |
DOCKER_REPO: cyclonedx/cyclonedx-python | |
steps: | |
- name: Checkout code (v${{ env.VERSION }}) | |
# see https://github.com/actions/checkout | |
uses: actions/checkout@v3 | |
with: | |
ref: v${{ env.VERSION }} | |
- name: setup dirs | |
run: | | |
mkdir "$REPORTS_DIR" | |
mkdir "$DIST_DIR" | |
- name: Fetch python dist artifact | |
# see https://github.com/actions/download-artifact | |
uses: actions/download-artifact@v3 | |
with: | |
name: ${{ env.DIST_ARTIFACT }} | |
path: ${{ env.DIST_DIR }}/ | |
- name: Build Docker Image (${{ env.VERSION }}) | |
run: > | |
docker build -f Dockerfile | |
--build-arg "VERSION=$VERSION" | |
-t "$DOCKER_REPO:$VERSION" | |
-t "$DOCKER_REPO:latest" | |
. | |
- name: Build own SBoM (XML) | |
run: > | |
docker run --rm "$DOCKER_REPO:$VERSION" | |
--environment | |
--format=xml | |
--output=- | |
> "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.xml" | |
- name: Build own SBoM (JSON) | |
run: > | |
docker run --rm "$DOCKER_REPO:$VERSION" | |
--environment | |
--format=json | |
--output=- | |
> "$REPORTS_DIR/$ARTIFACT_DOCKER_SBOM.bom.json" | |
- name: Artifact reports | |
if: ${{ ! cancelled() }} | |
# see https://github.com/actions/upload-artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: ${{ env.ARTIFACT_DOCKER_SBOM }} | |
path: ${{ env.REPORTS_DIR }}/*.bom.* | |
if-no-files-found: error | |
# publish AFTER the boms were build, as the bom-generation is kind of a test if the image works | |
- name: Publish Docker Image(s) | |
run: | | |
docker login --username "$DOCKERHUB_USERNAME" --password "$DOCKERHUB_TOKEN" | |
docker push "$DOCKER_REPO:$VERSION" | |
docker push "$DOCKER_REPO:latest" | |
env: | |
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
# TODO: publish all files in $REPORTS_DIR as release assets - see https://github.com/actions/upload-release-asset | |
- name: Destroy Docker image | |
# run regardless of outcome | |
if: ${{ always() }} | |
run: > | |
docker rmi -f | |
"$DOCKER_REPO:$VERSION" | |
"$DOCKER_REPO:latest" |