Create automated Signed releases. #6366
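name: Integrate

# Run this workflow every time a new commit is pushed to the repository.
on:
  push:
    paths-ignore:
      - '**/*.md'
      - 'public/dist/*.js'
      - 'public/dist/**/*.js'
      - 'public/Lychee-front'
  pull_request:
    paths-ignore:
      - '**/*.md'
      - 'public/dist/*.js'
      - 'public/dist/**/*.js'
      - 'public/Lychee-front'
  # Allow manually triggering the workflow.
  workflow_dispatch:

# Least-privilege default for the GITHUB_TOKEN: only repository contents are
# readable. `read-all` would also grant read on every other scope (issues,
# packages, deployments, ...) to jobs that never need it. Jobs that need more
# (id-token, attestations, contents: write) declare it in their own
# `permissions` block below.
permissions:
  contents: read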
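jobs:
  # kill_previous:
  #   name: 0️⃣ Kill previous runs
  #   runs-on: ubuntu-latest
  #   # We want to run on external PRs, but not on our own internal PRs as they'll be run by the push to the branch.
  #   if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository)
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Cancel Previous Runs
  #       uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
  #       with:
  #         access_token: ${{ github.token }}
  # php_syntax_errors:
  #   name: 1️⃣ PHP 8.2 - Syntax errors
  #   runs-on: ubuntu-latest
  #   needs:
  #     - kill_previous
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Setup PHP Action
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: '8.2'
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Install dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Check source code for syntax errors
  #       run: vendor/bin/parallel-lint --exclude .git --exclude vendor .
  # code_style_errors:
  #   name: 2️⃣ PHP 8.2 - Code Style errors
  #   runs-on: ubuntu-latest
  #   needs:
  #     - php_syntax_errors
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Set up PHP
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: '8.2'
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Install dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Check source code for code style errors
  #       run: PHP_CS_FIXER_IGNORE_ENV=1 vendor/bin/php-cs-fixer fix --config=.php-cs-fixer.php --verbose --diff --dry-run
  # check_js:
  #   name: 2️⃣ JS front-end
  #   uses: ./.github/workflows/js_check.yml
  #   needs:
  #     - php_syntax_errors
  # phpstan:
  #   name: 2️⃣ PHP 8.2 - PHPStan
  #   runs-on: ubuntu-latest
  #   needs:
  #     - php_syntax_errors
  #   steps:
  #     - name: Harden Runner
  #       uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
  #       with:
  #         egress-policy: audit
  #     - name: Checkout code
  #       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
  #     - name: Setup PHP
  #       uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
  #       with:
  #         php-version: '8.2'
  #         coverage: none
  #     - name: Install Composer dependencies
  #       uses: ramsey/composer-install@57532f8be5bda426838819c5ee9afb8af389d51a # 3.0.0
  #     - name: Run PHPStan
  #       run: vendor/bin/phpstan analyze
  # tests_legacy:
  #   name: 2️⃣ PHP tests legacy
  #   needs:
  #     - php_syntax_errors
  #   uses: ./.github/workflows/php_tests.yml
  #   with:
  #     test-suite: 'Feature_v1'
  #     env-file: '.env.legacy'
  #   secrets:
  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #     CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # tests:
  #   name: 2️⃣ PHP tests
  #   needs:
  #     - php_syntax_errors
  #   uses: ./.github/workflows/php_tests.yml
  #   with:
  #     test-suite: 'Unit,Feature_v2'
  #     env-file: '.env'
  #   secrets:
  #     SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
  #     CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
  # dist:
  #   name: 3️⃣ PHP dist
  #   needs:
  #     - code_style_errors
  #   uses: ./.github/workflows/php_dist.yml

  createArtifact:
    name: 4️⃣ Build Artifact
    # Only build a release artifact from master or from a tag. Pull requests
    # (ref `refs/pull/N/merge`) and feature branches never reach this job, so
    # nothing they contain can end up attested and handed to the release job.
    # Relax this locally when testing, but do not merge it relaxed.
    if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
    # The lint/test gates are currently disabled above; re-enable these
    # dependencies together with them so an artifact is only built from code
    # that passed them.
    # needs:
    #   - phpstan
    #   - dist
    #   - tests
    #   - tests_legacy
    #   - check_js
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # OIDC token used by attest-build-provenance (Sigstore)
      attestations: write  # store the provenance attestation on the repository
    env:
      extensions: bcmath, curl, dom, gd, imagick, json, libxml, mbstring, pcntl, pdo, pdo_sqlite, pdo_mysql, pdo_pgsql, pgsql, sqlite3, zip
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # `audit` only records outbound connections. Once the build's
          # endpoints are known from the audit logs, switch to `block` with an
          # explicit allow-list so a compromised dependency cannot exfiltrate.
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Setup PHP
        uses: shivammathur/setup-php@c541c155eee45413f5b09a52248675b1a2575231 # 2.31.1
        with:
          # Quoted so YAML does not parse the version as a float.
          php-version: '8.2'
          extensions: ${{ env.extensions }}
          coverage: none
      - name: Use Node.js 20
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 20
      - name: Build Dist
        run: |
          make clean dist
      - name: Upload build artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: Lychee.zip
          path: Lychee.zip
          # Fail loudly if the build produced nothing; an empty artifact must
          # never reach the release job.
          if-no-files-found: error
      # The attestation subject is the file exactly as `make clean dist` wrote
      # it into the workspace. Re-downloading the artifact just uploaded from
      # this same job (as an earlier revision did) only adds a second copy of
      # the same bytes and an extra network round-trip.
      - name: Attest
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1.4.4
        with:
          # Path to the artifact serving as the subject of the attestation.
          # Exactly one of "subject-path" or "subject-digest" must be given;
          # the subject name is inferred from the path.
          subject-path: '${{ github.workspace }}/Lychee.zip'
          # Consumers can later check the artifact against this attestation
          # with `gh attestation verify Lychee.zip --owner <org>`.
          github-token: ${{ github.token }}

  release:
    name: 5️⃣ Release
    # Sign and publish only for master or a tag. Without this guard every
    # branch push would exercise the long-lived signing key and create a
    # draft release; pull requests are excluded by their ref as well.
    if: github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')
    needs:
      - createArtifact
    runs-on: ubuntu-latest
    permissions:
      contents: write  # create the draft release and upload its assets
      # No `id-token: write` here: the sign step below uses the long-lived key
      # in COSIGN_PRIVATE_KEY, not keyless (OIDC/Fulcio) signing, so the job
      # has no use for an OIDC token. Add it back only if the step is changed
      # to keyless mode.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          egress-policy: audit
      - name: Install Cosign
        # TODO(security): pin to a full commit SHA like every other action in
        # this workflow. A tag is mutable, and this is the one action that
        # installs the binary handed the release signing key.
        uses: sigstore/[email protected]
      # No checkout: this job handles only the artifact produced by
      # createArtifact and never executes repository code.
      - name: Download generated artifact
        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.18
        with:
          name: Lychee.zip
      # Key and passphrase are supplied through environment variables and read
      # by cosign's `env://` scheme, so neither is written to disk nor
      # interpolated into the shell command line (and thus never logged).
      # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
      #
      # `--yes` skips cosign's interactive confirmation. Verification requires
      # the matching public key, which must be published out of band:
      #   cosign verify-blob --key cosign.pub --signature sig.asc Lychee.zip
      - name: Sign release with a key
        run: |
          cosign sign-blob --yes --key env://COSIGN_PRIVATE_KEY --output-signature sig.asc Lychee.zip
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
      - name: Create release
        uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
        with:
          files: |
            sig.asc
            Lychee.zip
          token: ${{ secrets.GITHUB_TOKEN }}
          # Created as a draft so a maintainer reviews the assets (and the
          # signature) before anything becomes publicly visible.
          draft: true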