Skip to content

Add actions/setup-go action to list of approved actions (#45) #38

Add actions/setup-go action to list of approved actions (#45)

Add actions/setup-go action to list of approved actions (#45) #38

Workflow file for this run

name: CD
on:
push:
branches:
- main
paths:
- "src/**"
workflow_dispatch:
jobs:
version-type:
name: Get version type
if: github.actor != 'bitwarden-devops-bot'
uses: ./.github/workflows/_version_type.yml
version-bump:
name: Version bump
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-24.04
needs: version-type
outputs:
version: ${{ steps.get-version.outputs.version }}
steps:
- name: Generate GH App token
uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1.11.1
id: app-token
with:
app-id: ${{ secrets.BW_GHAPP_ID }}
private-key: ${{ secrets.BW_GHAPP_KEY }}
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-gpg-private-key,
github-gpg-private-key-passphrase"
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version-file: ".python-version"
- name: Install hatch
run: pip install hatch
- name: Get current version
run: echo "OLD_VERSION=$(hatch version)" >> $GITHUB_ENV
- name: Bump version
run: hatch version ${{ needs.version-type.outputs.version_bump_type }}
- name: Get bumped version
id: get-version
run: |
VERSION=$(hatch version)
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
with:
gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Setup git
run: |
git config --local user.email "[email protected]"
git config --local user.name "bitwarden-devops-bot"
- name: Commit version bump
env:
OLD_VERSION: ${{ env.OLD_VERSION }}
VERSION: ${{ steps.get-version.outputs.version }}
run: |
git commit -am "Bump version from $OLD_VERSION to $VERSION"
git tag v$VERSION
git push
git push --tags
release:
name: GitHub release
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-22.04
needs: version-bump
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create GitHub release
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
commit: ${{ github.sha }}
tag: v${{ needs.version-bump.outputs.version }}
name: v${{ needs.version-bump.outputs.version }}
token: ${{ secrets.GITHUB_TOKEN }}
draft: false
deploy:
name: Deploy workflow-linter (v2)
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-22.04
needs: version-bump
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version-file: ".python-version"
- name: Install hatch
run: pip install hatch
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve pypi api token
id: retrieve-secret
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "pypi-api-token"
- name: Build
run: hatch build
- name: Publish
env:
HATCH_INDEX_USER: __token__
HATCH_INDEX_AUTH: ${{ steps.retrieve-secret.outputs.pypi-api-token }}
run: hatch publish