
Create automated Signed releases. #6362


name: Integrate

# Run on every push and pull request, except changes that only touch
# documentation or the pre-built front-end bundles listed below.
# (`on` is a YAML 1.1 boolean for generic parsers; GitHub's loader reads
# it as the trigger key, so a yamllint `truthy` warning here is a false positive.)
on:
  push:
    paths-ignore:
      - '**/*.md'
      - 'public/dist/*.js'
      - 'public/dist/**/*.js'
      - 'public/Lychee-front'
  pull_request:
    paths-ignore:
      - '**/*.md'
      - 'public/dist/*.js'
      - 'public/dist/**/*.js'
      - 'public/Lychee-front'
  # Allow manually triggering the workflow.
  workflow_dispatch:

# Declare default permissions as read only. Jobs that need more
# (id-token, attestations, contents: write) request it explicitly
# in their own `permissions` block.
permissions: read-all
jobs:
  # NOTE(review): the check jobs below (cancel-previous, syntax, code style,
  # JS, PHPStan, tests, dist) are commented out, apparently while the
  # signing/attestation jobs are being tested. createArtifact's `needs` list
  # still refers to them and is commented out as well; both should be
  # restored together so artifacts are only built from code that passed CI.
  # kill_previous:
  #   name: 0️⃣ Kill previous runs
  #   runs-on: ubuntu-latest
  #   # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch.
  #   if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Cancel Previous Runs
  #       uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
  #       with:
  #         access_token: ${{ github.token }}
  # php_syntax_errors:
  #   name: 1️⃣ PHP 8.2 - Syntax errors
  #   runs-on: ubuntu-latest
  #   needs:
  #     - kill_previous
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Setup PHP Action
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: 8.2
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Install dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Check source code for syntax errors
  #       run: vendor/bin/parallel-lint --exclude .git --exclude vendor .
  # code_style_errors:
  #   name: 2️⃣ PHP 8.2 - Code Style errors
  #   runs-on: ubuntu-latest
  #   needs:
  #     - php_syntax_errors
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Set up PHP
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: 8.2
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Install dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Check source code for code style errors
  #       run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run
  # check_js:
  #   name: 2️⃣ JS front-end
  #   uses: ./.github/workflows/js_check.yml
  #   needs:
  #     - php_syntax_errors
  # phpstan:
  #   name: 2️⃣ PHP 8.2 - PHPStan
  #   runs-on: ubuntu-latest
  #   needs:
  #     - php_syntax_errors
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Setup PHP
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: 8.2
  #         coverage: none
  #     - name: Install Composer dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Run PHPStan
  #       run: vendor/bin/phpstan analyze
  # tests_legacy:
  #   name: 2️⃣ PHP tests legacy
  #   needs:
  #     - php_syntax_errors
  #   uses: ./.github/workflows/php_tests.yml
  #   with:
  #     test-suite: 'Feature_v1'
  #     env-file: '.env.legacy'
  #   secrets:
  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #     CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # tests:
  #   name: 2️⃣ PHP tests
  #   needs:
  #     - php_syntax_errors
  #   uses: ./.github/workflows/php_tests.yml
  #   with:
  #     test-suite: 'Unit,Feature_v2'
  #     env-file: '.env'
  #   secrets:
  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #     CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # dist:
  #   name: 3️⃣ PHP dist
  #   needs:
  #     - code_style_errors
  #   uses: ./.github/workflows/php_dist.yml
createArtifact:
name: 4️⃣ Build Artifact
# For testing purpose we disable this.
# if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
# needs:
# - phpstan
# - dist
# - tests
# - tests_legacy
# - check_js
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
attestations: write
env:
extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup PHP
uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
with:
php-version: 8.2
extensions: ${{ env.extensions }}
coverage: none
- name: Use Node.js 20
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 20
- name: Build Dist
run: |
make clean dist
- name: Upload build artifact
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
with:
name: Lychee.zip
path: Lychee.zip
if-no-files-found: error # 'warn' or 'ignore' are also available, defaults to `warn`
- name: Download generated artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18
with:
name: Lychee.zip
# path: '${{ github.workspace }}/Lychee.zip'
- name: Attest
uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
with:
# Path to the artifact serving as the subject of the attestation. Must
# specify exactly one of "subject-path" or "subject-digest". May contain a
# glob pattern or list of paths (total subject count cannot exceed 2500).
subject-path: '${{ github.workspace }}/Lychee.zip'
# SHA256 digest of the subject for the attestation. Must be in the form
# "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
# of "subject-path" or "subject-digest".
# subject-digest:
# Subject name as it should appear in the attestation. Required unless
# "subject-path" is specified, in which case it will be inferred from the
# path.
# subject-name: Lychee
# Whether to push the attestation to the image registry. Requires that the
# "subject-name" parameter specify the fully-qualified image name and that
# the "subject-digest" parameter be specified. Defaults to false.
# push-to-registry:
# Whether to attach a list of generated attestations to the workflow run
# summary page. Defaults to true.
# show-summary:
# The GitHub token used to make authenticated API requests. Default is
# ${{ github.token }}
github-token: ${{ github.token }}
release:
name: 5️⃣ Release
if: github.ref == 'refs/heads/master'
needs:
- createArtifact
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
env:
extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
steps:
- name: Install Cosign
uses: sigstore/[email protected]
- name: Download generated artifact
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18
with:
name: Lychee.zip
# path: '${{ github.workspace }}/Lychee.zip'
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
- name: Sign image with a key
run: |
DIGEST=$(shasum -a 256 Lychee.zip | cut -d' ' -f 1) && echo "$DIGEST"
cosign sign --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc $DIGEST
env:
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- name: Create release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
files: |
sig.asc
Lychee.zip
token: ${{ secrets.GITHUB_TOKEN }}
draft: true