CI #1265
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
- release | |
tags: | |
- "beta-v*" | |
pull_request: | |
branches: | |
- main | |
# Allows you to run this workflow manually from the Actions tab | |
workflow_dispatch: | |
# Schedule | |
schedule: | |
- cron: "0 8 * * MON,THU" # Run every Monday and Thursday at 08:00 UTC | |
jobs: | |
ci: | |
runs-on: ubuntu-latest | |
outputs: | |
NPM_VERSION: ${{ steps.version.outputs.NPM_VERSION }} | |
PUBLISH_TAG: ${{ steps.version.outputs.PUBLISH_TAG }} | |
IMAGE_SUFFIX: ${{ steps.version.outputs.IMAGE_SUFFIX }} | |
strategy: | |
matrix: | |
node-version: [20] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ matrix.node-version }} | |
cache: "npm" | |
check-latest: true | |
- run: npm install | |
- run: npm run check-format | |
- run: npm run prepublish | |
- run: npm run test | |
- id: version | |
run: | | |
npm install -g json | |
RETRACED_VERSION=$(echo $(cat ./package.json) | json version) | |
publishTag="latest" | |
imageSuffix="" | |
if [[ "$GITHUB_REF" == *\/release ]] | |
then | |
echo "Release branch" | |
else | |
echo "Dev branch" | |
publishTag="beta" | |
imageSuffix="-beta" | |
RETRACED_VERSION="${RETRACED_VERSION}-beta.${GITHUB_RUN_NUMBER}" | |
fi | |
echo "NPM_VERSION=${RETRACED_VERSION}" >> $GITHUB_OUTPUT | |
echo "PUBLISH_TAG=${publishTag}" >> $GITHUB_OUTPUT | |
echo "IMAGE_SUFFIX=${imageSuffix}" >> $GITHUB_OUTPUT | |
build: | |
needs: ci | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check Out Repo | |
uses: actions/checkout@v4 | |
- run: echo ${{ needs.ci.outputs.NPM_VERSION }} | |
- run: echo ${{ needs.ci.outputs.IMAGE_SUFFIX }} | |
- name: Get short SHA | |
id: slug | |
run: echo "SHA7=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT | |
- name: Login to GitHub Container Registry | |
if: github.ref == 'refs/heads/release' | |
run: | | |
echo "${{secrets.GITHUB_TOKEN}}" | docker login ghcr.io -u ${{github.repository_owner}} --password-stdin | |
- name: Install Cosign | |
if: github.ref == 'refs/heads/release' | |
uses: sigstore/cosign-installer@main | |
- name: Check install! | |
if: github.ref == 'refs/heads/release' | |
run: cosign version | |
- name: place the cosign private key in a file | |
if: github.ref == 'refs/heads/release' | |
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key' | |
shell: bash | |
env: | |
COSIGN_KEY: ${{secrets.COSIGN_KEY}} | |
- name: Create NPM Package SBOM Report [SPDX] | |
uses: anchore/sbom-action@v0 | |
with: | |
format: spdx | |
artifact-name: sbom.spdx | |
upload-artifact-retention: 1 | |
- name: Publish report [SPDX] | |
uses: anchore/sbom-action/publish-sbom@v0 | |
with: | |
sbom-artifact-match: ".*\\.spdx$" | |
- name: Create NPM Pacakge SBOM Report [CycloneDx] | |
uses: anchore/sbom-action@v0 | |
with: | |
format: cyclonedx | |
artifact-name: sbom.cyclonedx | |
upload-artifact-retention: 1 | |
- name: Publish report [CycloneDx] | |
uses: anchore/sbom-action/publish-sbom@v0 | |
with: | |
sbom-artifact-match: ".*\\.cyclonedx$" | |
- name: Remove older SBOMs | |
if: github.ref == 'refs/heads/release' | |
run: rm -rf sbom*.* || true | |
- name: Download artifact for SPDX Report | |
if: github.ref == 'refs/heads/release' | |
uses: actions/download-artifact@v4 | |
with: | |
name: sbom.spdx | |
- name: Download artifact for CycloneDx Report | |
if: github.ref == 'refs/heads/release' | |
uses: actions/download-artifact@v4 | |
with: | |
name: sbom.cyclonedx | |
- name: ORAS Setup | |
if: github.ref == 'refs/heads/release' | |
run: | | |
ORAS_VERSION="v0.8.1" | |
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz" | |
curl -LO "https://github.com/oras-project/oras/releases/download/${ORAS_VERSION}/${ORAS_FILENAME}" | |
mkdir oras_install | |
tar -xvf "${ORAS_FILENAME}" -C oras_install | |
./oras_install/oras push ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:npm-${{ needs.ci.outputs.NPM_VERSION }} ./*sbom.* | |
cd .. | |
- name: Push SBOM reports to GitHub Container Registry & Sign the sbom images | |
if: github.ref == 'refs/heads/release' | |
run: | | |
result=$(./oras_install/oras push ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:npm-${{ needs.ci.outputs.NPM_VERSION }} ./*sbom.*) | |
ORAS_DIGEST=$(echo $result | grep -oE 'sha256:[a-f0-9]{64}') | |
if [ -z "$ORAS_DIGEST" ]; then | |
echo "Error: ORAS_DIGEST is empty" | |
exit 1 | |
fi | |
cd .. | |
cosign sign -y --key /tmp/cosign.key ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}@${ORAS_DIGEST} | |
env: | |
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}} | |
publish: | |
needs: [ci, build] | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [20] | |
steps: | |
- uses: actions/checkout@v4 | |
- run: echo ${{ needs.ci.outputs.NPM_VERSION }} | |
- run: echo ${{ needs.ci.outputs.PUBLISH_TAG }} | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v4 | |
with: | |
always-auth: true | |
node-version: ${{ matrix.node-version }} | |
registry-url: https://registry.npmjs.org | |
scope: "@retracedhq" | |
cache: "npm" | |
- run: npm install | |
working-directory: ./ | |
- name: Publish NPM | |
if: github.ref == 'refs/heads/release' || contains(github.ref, 'refs/tags/beta-v') | |
run: | | |
npm install -g json | |
RETRACED_VERSION=${{ needs.ci.outputs.NPM_VERSION }} | |
json -I -f package.json -e "this.main=\"lib/index.js\"" | |
json -I -f package.json -e "this.types=\"lib/index.d.ts\"" | |
json -I -f package.json -e "this.version=\"${RETRACED_VERSION}\"" | |
npm publish --tag ${{ needs.ci.outputs.PUBLISH_TAG }} --access public | |
working-directory: ./ | |
env: | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |