Skip to content

Update cosign-installer to latest release #1006

Update cosign-installer to latest release

Update cosign-installer to latest release #1006

Workflow file for this run

name: Build, Release & Publish
on:
push:
branches: [ release/v*.*.*, feature/*, master, dev, latest, testnet-*, mainnet-*, kira-* ]
pull_request:
branches: [ release/v*.*.*, bugfix/*, master, dev, latest, testnet-*, mainnet-*, kira-* ]
jobs:
build:
name: Repo Build
runs-on: ubuntu-20.04
permissions:
contents: read
packages: write
id-token: write
pull-requests: write
container:
image: ghcr.io/kiracore/docker/base-image:v0.13.14
steps:
# Work around https://github.com/actions/checkout/issues/760
- name: Add safe.directory
run: |
git config --global --add safe.directory /github/workspace
git config --global --add safe.directory $PWD
# ref.: https://github.com/actions/checkout, v3.0.0
- name: Checkout repository
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
- name: Checking dependency versions & packaging source files
run: |
echo "(current dir): $PWD" && ls -l ./
cd ../ && tar -czvf src.tar.gz -C ./sekai . && cp ./src.tar.gz ./sekai/src.tar.gz
cd ./sekai
. /etc/profile && echo "Utils Version: $(bash-utils bashUtilsVersion)"
go version
echo "ENVS: $(env)"
echo "HOME: $HOME"
echo " PWD: $PWD"
- name: Extract branch name on push
if: github.event_name == 'push'
shell: bash
run: |
echo "SOURCE_BRANCH=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
echo "DESTINATION_BRANCH=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
- name: Extract branch name on pull request
if: github.event_name == 'pull_request'
env:
REF_BRANCH: ${{ github.event.pull_request.head.ref }}
BASE_REF_BRANCH: ${{ github.base_ref }}
shell: bash
run: |
echo "SOURCE_BRANCH=$(echo ${{ env.REF_BRANCH }})" >> $GITHUB_ENV
echo "DESTINATION_BRANCH=$(echo ${{ env.BASE_REF_BRANCH }})" >> $GITHUB_ENV
- name: Inspecting & organizing artifacts
run: |
echo "(current dir): $PWD" && ls -l ./
chmod -Rv 555 ./scripts
RELEASE_VER="$(./scripts/version.sh)" && echo "RELEASE_VER=$RELEASE_VER" >> $GITHUB_ENV
RELEASE_BRANCH="release/$RELEASE_VER" && echo "RELEASE_BRANCH=$RELEASE_BRANCH" >> $GITHUB_ENV
REPOSITORY_NAME="${{ github.event.repository.name }}" && echo "REPOSITORY_NAME=$REPOSITORY_NAME" >> $GITHUB_ENV
git ls-remote https://github.com/kiracore/$REPOSITORY_NAME | egrep -q "refs/tags/${RELEASE_VER}$" && echo "RELEASE_EXISTS=true" >> $GITHUB_ENV || echo "RELEASE_EXISTS=false" >> $GITHUB_ENV
if [[ "$RELEASE_VER" =~ $VERSION_REGEX ]] && [[ "$SOURCE_BRANCH" =~ $VERSION_REGEX ]] && [ "$SOURCE_BRANCH" != "$RELEASE_VER" ] ; then
echo "ERROR: Version branch name MUST be the same as the app version, run scripts/version.sh to check app version!"
exit 1
else
echo "INFO: Variables setup succeeded"
fi
- name: Print debug data before testing
run: |
echo " Source branch: ${{ env.SOURCE_BRANCH }}"
echo "Destination branch: ${{ env.DESTINATION_BRANCH }}"
echo " Release branch: ${{ env.RELEASE_BRANCH }}"
echo " Event name: ${{ github.event_name }}"
echo " Repository name: ${{ env.REPOSITORY_NAME }}"
echo " Release version: ${{ env.RELEASE_VER }}"
echo " Release exists: ${{ env.RELEASE_EXISTS }}"
- name: Testing SEKAI
run: |
make test
make install
sekaid version
make test-local
- name: Publishing SEKAID binaries
shell: bash
run: |
make publish
touch ./RELEASE.md
cp -fv ./RELEASE.md ./bin/RELEASE.md
cp -fv ./src.tar.gz ./bin/source-code.tar.gz
chmod -Rv 777 ./bin
echo -e "\n\r\n\r\`\`\`" >> ./bin/RELEASE.md
echo -e " Release Versions: $RELEASE_VER\n\r" >> ./bin/RELEASE.md
echo -e " Release Date Time: $(date --rfc-2822)" >> ./bin/RELEASE.md
echo " sekai-darwin-amd64.deb: sha256:$(sha256sum ./bin/sekai-darwin-amd64.deb | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " sekai-darwin-arm64.deb: sha256:$(sha256sum ./bin/sekai-darwin-arm64.deb | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " sekai-linux-amd64.deb: sha256:$(sha256sum ./bin/sekai-linux-amd64.deb | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " sekai-linux-arm64.deb: sha256:$(sha256sum ./bin/sekai-linux-arm64.deb | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo "sekai-windows-amd64.exe: sha256:$(sha256sum ./bin/sekai-windows-amd64.exe | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo "sekai-windows-arm64.exe: sha256:$(sha256sum ./bin/sekai-windows-arm64.exe | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " source-code.tar.gz: sha256:$(sha256sum ./bin/source-code.tar.gz | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " sekai-utils.sh: sha256:$(sha256sum ./bin/sekai-utils.sh | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo " sekai-env.sh: sha256:$(sha256sum ./bin/sekai-env.sh | awk '{ print $1 }')" >> ./bin/RELEASE.md
echo -e "\`\`\`" >> ./bin/RELEASE.md
tar -czvf deb.tar.gz -C ./bin .
- name: Uploading artifacts
uses: actions/[email protected]
with:
name: sekai-bin-deb
path: ./deb.tar.gz
release:
name: Create Release
runs-on: ubuntu-20.04
needs: [build]
permissions:
contents: write
packages: write
id-token: write
pull-requests: write
steps:
# Install the cosign tool
# ref.: https://github.com/sigstore/cosign-installer, v2.2.0
- name: Install cosign
uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8
with:
cosign-release: 'v2.0.0'
- name: Confirm installation!
uses: cosign version
- name: Download artifacts
uses: actions/[email protected]
with:
name: sekai-bin-deb
- name: Inspecting & organizing artifacts
run: |
echo "(current dir): $PWD" && ls -l ./
tar xvf ./deb.tar.gz
chmod -Rv 777 ./
RELEASE_VER=$(cat ./RELEASE.md | tac | grep -Fn -m 1 'Release Versions: ' | rev | cut -d ":" -f1 | rev | xargs | tr -dc '[:alnum:]\-\.' || echo '')
RELEASE_BRANCH="release/$RELEASE_VER" && echo "RELEASE_BRANCH=$RELEASE_BRANCH" >> $GITHUB_ENV
echo "RELEASE_VER=$RELEASE_VER" >> $GITHUB_ENV
REPOSITORY_NAME="${{ github.event.repository.name }}"
echo "REPOSITORY_NAME=$REPOSITORY_NAME" >> $GITHUB_ENV
git ls-remote https://github.com/kiracore/$REPOSITORY_NAME | egrep -q "refs/tags/${RELEASE_VER}$" && echo "RELEASE_EXISTS=true" >> $GITHUB_ENV || echo "RELEASE_EXISTS=false" >> $GITHUB_ENV
[[ "$RELEASE_VER" == *"-rc"* ]] && echo "PRE_RELEASE=true" >> $GITHUB_ENV || echo "PRE_RELEASE=false" >> $GITHUB_ENV
# Branch name is also a version of the release
# ref: https://stackoverflow.com/questions/58033366/how-to-get-the-current-branch-within-github-actions
- name: Extract branch name on push
if: github.event_name == 'push'
shell: bash
run: |
echo "SOURCE_BRANCH=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
echo "DESTINATION_BRANCH=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_ENV
- name: Extract branch name on pull request
if: github.event_name == 'pull_request'
env:
REF_BRANCH: ${{ github.event.pull_request.head.ref }}
BASE_REF_BRANCH: ${{ github.base_ref }}
shell: bash
run: |
echo "SOURCE_BRANCH=$(echo ${{ env.REF_BRANCH }})" >> $GITHUB_ENV
echo "DESTINATION_BRANCH=$(echo ${{ env.BASE_REF_BRANCH }})" >> $GITHUB_ENV
- name: Print debug data before publishing
run: |
echo " Source branch: ${{ env.SOURCE_BRANCH }}"
echo " Dest. branch: ${{ env.DESTINATION_BRANCH }}"
echo "Release branch: ${{ env.RELEASE_BRANCH }}"
echo " Repo Name: ${{ env.REPOSITORY_NAME }}"
echo " Event name: ${{ github.event_name }}"
echo " Release ver.: ${{ env.RELEASE_VER }}"
echo "Release exists: ${{ env.RELEASE_EXISTS }}"
echo " Pre-release: ${{ env.PRE_RELEASE }}"
- name: Reject on error
# ref.: https://github.com/andrewslotin/rummelsnuff, v1.1.0
uses: andrewslotin/rummelsnuff@a0c9c1929f44eefff922aced1ee4dd64eddf12d6
if: ${{ failure() }}
with:
spam_label: "Build Errors"
close_spam_prs: "yes"
access_token: ${{ secrets.GITHUB_TOKEN }}
# ref: https://github.com/softprops/action-gh-release, v0.1.14
# Release on merge only (push action) - this should run only once
- name: Signing release files
if: |
github.event_name == 'push' &&
( env.RELEASE_EXISTS == false || env.RELEASE_EXISTS == 'false' ) &&
( startsWith(env.SOURCE_BRANCH, 'release/v') && contains(env.SOURCE_BRANCH, '.') )
shell: bash
env:
KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
run: |
echo "$KEY" > ../cosign.key
for FILE in *; do FILE_NAME=$(basename $FILE); cosign sign-blob --key=../cosign.key --output-signature=./${FILE_NAME}.sig ./$FILE_NAME; done
rm -fv ../cosign.key
# ref: https://github.com/softprops/action-gh-release, v0.1.14
# Release on merge only (push action) - this should run only once
- name: Publish release
if: |
github.event_name == 'push' &&
( env.RELEASE_EXISTS == false || env.RELEASE_EXISTS == 'false' ) &&
( startsWith(env.SOURCE_BRANCH, 'release/v') && contains(env.SOURCE_BRANCH, '.') )
uses: softprops/action-gh-release@1e07f4398721186383de40550babbdf2b84acfc5
with:
body_path: RELEASE.md
tag_name: ${{ env.RELEASE_VER }}
name: ${{ env.RELEASE_VER }}
prerelease: ${{ env.PRE_RELEASE }}
draft: false
fail_on_unmatched_files: true
files: |
./sekai-linux-amd64.deb
./sekai-linux-amd64.deb.sig
./sekai-linux-arm64.deb
./sekai-linux-arm64.deb.sig
./sekai-darwin-amd64.deb
./sekai-darwin-amd64.deb.sig
./sekai-darwin-arm64.deb
./sekai-darwin-arm64.deb.sig
./sekai-windows-amd64.exe
./sekai-windows-amd64.exe.sig
./sekai-windows-arm64.exe
./sekai-windows-arm64.exe.sig
./sekai-utils.sh
./sekai-utils.sh.sig
./sekai-env.sh
./sekai-env.sh.sig
./source-code.tar.gz
./source-code.tar.gz.sig
# ref.: https://github.com/hmarr/auto-approve-action, v2.1.0
# Do NOT approve IF release exists and the source branch is NOT a version branch
- name: Approve pull request on success
uses: hmarr/auto-approve-action@5d04a5ca6da9aeb8ca9f31a5239b96fc3e003029
if: |
( github.event_name == 'pull_request' ) &&
( env.SOURCE_BRANCH == env.RELEASE_BRANCH || env.DESTINATION_BRANCH == env.RELEASE_BRANCH )
with:
github-token: "${{ secrets.GITHUB_TOKEN }}"
- name: Cleanup all resources
shell: bash
run: |
rm -rfv ./*
echo "(current dir): $PWD" && ls -l ./
# Work around https://github.com/actions/checkout/issues/760
- name: Add safe.directory
run: |
git config --global --add safe.directory /github/workspace
git config --global --add safe.directory $PWD
# ref.: https://github.com/actions/checkout, v3.0.0
- name: Checkout repository
uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
- name: Create PR from a version branch to latest
# ref. repo-sync/pull-request is broken, using cea2aj/pull-request instead
uses: cea2aj/pull-request@84eb0c3478f13651e5649367941b867ca02d7926
if: |
github.event_name == 'push' &&
( startsWith(env.SOURCE_BRANCH, 'release/v') && contains(env.SOURCE_BRANCH, '.') )
with:
github_token: ${{ secrets.REPO_ACCESS }}
source_branch: ${{ env.SOURCE_BRANCH }}
destination_branch: 'latest'
pr_title: "${{ env.SOURCE_BRANCH }} -> latest"
pr_label: "kira-automation,automerge"
pr_allow_empty: true
- name: Auto-merge version branch to latest branch
uses: pascalgn/automerge-action@04dfc9eae2586d19b7362d4f6413c48135d9c25a
if: github.event_name == 'pull_request' && env.DESTINATION_BRANCH == 'latest' &&
( startsWith(env.SOURCE_BRANCH, 'release/v') && contains(env.SOURCE_BRANCH, '.') )
env:
MERGE_LABELS: "automerge"
GITHUB_TOKEN: "${{ secrets.REPO_ACCESS }}"
LOG: "TRACE"