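---
# Continuous delivery: bump the version, create a GitHub release and publish
# to PyPI. Runs automatically on pushes to main that touch `src/`, or by hand
# via workflow_dispatch, where "Dry Run" builds and publishes to the test
# index only.
name: CD

on:
  push:
    branches:
      - main
    paths:
      - "src/**"
  workflow_dispatch:
    inputs:
      release_type:
        description: 'Release type'
        required: true
        default: 'Dry Run'
        # `options` is only honoured for `type: choice`; without it the input
        # is a free-text string and any value is accepted at dispatch time.
        type: choice
        options:
          - 'Dry Run'
          - 'Release'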
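jobs:
  # Resolves which version segment to bump (reusable workflow in this repo).
  version-type:
    uses: ./.github/workflows/_version_type.yml

  version-bump:
    name: Version bump
    runs-on: ubuntu-22.04
    needs: version-type
    # `git push` below authenticates with the credentials persisted by
    # actions/checkout (GITHUB_TOKEN), which needs write access to contents.
    permissions:
      contents: write
    outputs:
      version: ${{ steps.get-version.outputs.version }}
    steps:
      - name: Check out repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Set up Python
        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version-file: ".python-version"

      - name: Install hatch
        # NOTE(review): unpinned install; consider pinning hatch's version so
        # release builds are reproducible.
        run: pip install hatch

      - name: Get current version
        run: echo "OLD_VERSION=$(hatch version)" >> $GITHUB_ENV

      - name: Bump version
        # NOTE(review): confirm `hatch bump` is available in the installed
        # hatch; upstream hatch bumps with `hatch version <segment>`.
        run: hatch bump ${{ needs.version-type.outputs.version }}

      - name: Get bumped version
        id: get-version
        run: |
          VERSION=$(hatch version)
          echo "version=$VERSION" >> $GITHUB_OUTPUT

      - name: Login to Azure - CI Subscription
        # NOTE(review): logs in with a long-lived service-principal secret;
        # OIDC federated credentials would avoid storing it as a repo secret.
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        # NOTE(review): the only action in this file not pinned to a commit
        # SHA, and it handles secrets; consider pinning it like the others.
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          # NOTE(review): the PAT is fetched but no later step uses it; the
          # push relies on GITHUB_TOKEN. Confirm whether it is still needed.
          secrets: "github-gpg-private-key,
            github-gpg-private-key-passphrase,
            github-pat-bitwarden-devops-bot-repo-scope"

      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
        with:
          gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
          passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
          git_user_signingkey: true
          git_commit_gpgsign: true

      - name: Setup git
        run: |
          git config --local user.email "[email protected]"
          git config --local user.name "bitwarden-devops-bot"

      - name: Commit version bump
        # Skipped only for a manually triggered dry run. The condition is one
        # expression: splitting it into two `${{ }}` blocks joined by `||`
        # does not evaluate as a single boolean. On `push` the `inputs`
        # context is empty, so the second operand is also true.
        if: github.event_name == 'push' || inputs.release_type != 'Dry Run'
        env:
          OLD_VERSION: ${{ env.OLD_VERSION }}
          VERSION: ${{ steps.get-version.outputs.version }}
        run: |
          git commit -am "Bump version from $OLD_VERSION to $VERSION"
          git tag $VERSION
          git push
          git push --tags

  release:
    name: GitHub release
    runs-on: ubuntu-22.04
    needs: version-bump
    # Single expression (see "Commit version bump" for why it is not split).
    if: github.event_name == 'push' || inputs.release_type != 'Dry Run'
    # Creating a release with GITHUB_TOKEN requires write access to contents.
    permissions:
      contents: write
    steps:
      - name: Check out repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Create GitHub release
        uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
        with:
          # NOTE(review): `github.sha` is the commit that triggered the run,
          # which predates the bump commit pushed by `version-bump`; confirm
          # this is the intended release target.
          commit: ${{ github.sha }}
          # The bumped version is a job output of `version-bump`; the `steps`
          # context only covers steps of this job, so `steps.version-bump`
          # would resolve to nothing.
          # NOTE(review): `version-bump` tags the commit as `$VERSION` with no
          # "v" prefix; confirm the tag name used here is the intended one.
          tag: v${{ needs.version-bump.outputs.version }}
          name: Version ${{ needs.version-bump.outputs.version }}
          token: ${{ secrets.GITHUB_TOKEN }}
          draft: false

  deploy:
    name: Deploy workflow-linter (v2)
    runs-on: ubuntu-22.04
    needs: version-bump
    # This job only reads the repository; publishing uses the PyPI tokens.
    permissions:
      contents: read
    steps:
      - name: Check out repo
        # NOTE(review): checks out the triggering commit, not the bump commit
        # pushed by `version-bump`; confirm the built artifact carries the
        # bumped version.
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

      - name: Set up Python
        uses: actions/setup-python@0a5c61591373683505ea898e09a3ea4f39ef2b9c # v5.0.0
        with:
          python-version-file: ".python-version"

      - name: Install hatch
        run: pip install hatch

      - name: Login to Azure - CI Subscription
        uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve pypi api token
        id: retrieve-secret
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        with:
          keyvault: "bitwarden-ci"
          secrets: "pypi-api-token,
            pypi-test-api-token"

      - name: Build
        run: hatch build

      - name: Publish
        # Real publish: pushes to main, or manual dispatch not marked Dry Run.
        if: github.event_name == 'push' || inputs.release_type != 'Dry Run'
        env:
          HATCH_INDEX_USER: __token__
          HATCH_INDEX_AUTH: ${{ steps.retrieve-secret.outputs.pypi-api-token }}
        run: hatch publish

      - name: Dry Run - Publish
        # Manual dry run only: publish to the test index with the test token.
        if: github.event_name == 'workflow_dispatch' && inputs.release_type == 'Dry Run'
        env:
          HATCH_INDEX_USER: __token__
          HATCH_INDEX_AUTH: ${{ steps.retrieve-secret.outputs.pypi-test-api-token }}
        run: hatch publish -r test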