-
Notifications
You must be signed in to change notification settings - Fork 2
123 lines (105 loc) · 3.93 KB
/
release.yml
File metadata and controls
123 lines (105 loc) · 3.93 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
name: Release
on:
push:
tags:
- 'v*'
permissions:
contents: write
id-token: write
attestations: write
packages: read
jobs:
release:
name: "Release"
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
fetch-depth: 0
- name: "Setup: Node"
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
with:
node-version: 24
- name: "Setup: Bun"
uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6 # v2.2.0
with:
bun-version: latest
- name: "Setup: Cosign"
uses: sigstore/cosign-installer@f713795cb21599bc4e5c4b58cbad1da852d7eeb9 # v3.9.1
- name: "Setup: Install Dependencies"
run: bun install --frozen-lockfile
- name: "Build: Bundle"
run: bun run build
- name: "Sentry: Upload Source Maps"
if: env.SENTRY_AUTH_TOKEN != ''
env:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
SENTRY_ORG: elide-dev
SENTRY_PROJECT: setup-elide
run: |
npx @sentry/cli releases new "setup-elide@${GITHUB_REF_NAME#v}"
npx @sentry/cli releases files "setup-elide@${GITHUB_REF_NAME#v}" upload-sourcemaps dist/ --ext js --ext map
npx @sentry/cli releases finalize "setup-elide@${GITHUB_REF_NAME#v}"
npx @sentry/cli releases deploys "setup-elide@${GITHUB_REF_NAME#v}" new -e production
- name: "Build: Package Artifact"
run: |
TAG="${GITHUB_REF_NAME}"
mkdir -p artifacts
tar -czf "artifacts/setup-elide-${TAG}.tar.gz" \
action.yml \
dist/index.js \
dist/index.js.map \
dist/post.js \
dist/post.js.map \
package.json \
.github/LICENSE
sha256sum "artifacts/setup-elide-${TAG}.tar.gz" > "artifacts/setup-elide-${TAG}.tar.gz.sha256"
echo "ARTIFACT=artifacts/setup-elide-${TAG}.tar.gz" >> "$GITHUB_ENV"
echo "ARTIFACT_SHA=artifacts/setup-elide-${TAG}.tar.gz.sha256" >> "$GITHUB_ENV"
- name: "SBOM: Generate"
uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
with:
path: .
format: spdx-json
output-file: artifacts/sbom.spdx.json
- name: "Sign: Cosign"
run: |
cosign sign-blob \
--yes \
--bundle "artifacts/setup-elide-${GITHUB_REF_NAME}.tar.gz.cosign-bundle" \
"$ARTIFACT"
- name: "Attest: Build Provenance"
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-path: ${{ env.ARTIFACT }}
- name: "Attest: SBOM"
uses: actions/attest-sbom@c604332985a26aa8cf1bdc465b92731239ec6b9e # v4.1.0
with:
subject-path: ${{ env.ARTIFACT }}
sbom-path: artifacts/sbom.spdx.json
- name: "Release: Create"
uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
with:
generate_release_notes: true
make_latest: true
fail_on_unmatched_files: true
files: |
${{ env.ARTIFACT }}
${{ env.ARTIFACT_SHA }}
artifacts/sbom.spdx.json
artifacts/setup-elide-${{ github.ref_name }}.tar.gz.cosign-bundle
- name: "Release: Update Major Tag"
run: |
TAG="${GITHUB_REF_NAME}"
# Extract major version: v4.1.0 -> v4
MAJOR="${TAG%%.*}"
if [[ "$MAJOR" =~ ^v[0-9]+$ ]]; then
git tag -f "$MAJOR" "$TAG"
git push -f origin "$MAJOR"
echo "Updated major tag $MAJOR -> $TAG"
fi