Skip to content

CI

CI #455

Workflow file for this run

name: CI
on:
push:
branches:
- main
- release
tags:
- "beta-v*"
pull_request:
branches:
- main
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# Schedule
schedule:
- cron: "0 8 * * MON,THU" # Run every Monday and Thursday at 08:00 UTC
jobs:
ci:
runs-on: ubuntu-latest
outputs:
NPM_VERSION: ${{ steps.version.outputs.NPM_VERSION }}
PUBLISH_TAG: ${{ steps.version.outputs.PUBLISH_TAG }}
IMAGE_SUFFIX: ${{ steps.version.outputs.IMAGE_SUFFIX }}
strategy:
matrix:
node-version: [20]
steps:
- uses: actions/checkout@v4
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
cache: "npm"
check-latest: true
- run: npm install
- run: npm run prepublish
- run: npm run test
- id: version
run: |
npm install -g json
RETRACED_VERSION=$(echo $(cat ./package.json) | json version)
publishTag="latest"
imageSuffix=""
if [[ "$GITHUB_REF" == *\/release ]]
then
echo "Release branch"
else
echo "Dev branch"
publishTag="beta"
imageSuffix="-beta"
RETRACED_VERSION="${RETRACED_VERSION}-beta.${GITHUB_RUN_NUMBER}"
fi
echo "NPM_VERSION=${RETRACED_VERSION}" >> $GITHUB_OUTPUT
echo "PUBLISH_TAG=${publishTag}" >> $GITHUB_OUTPUT
echo "IMAGE_SUFFIX=${imageSuffix}" >> $GITHUB_OUTPUT
build:
needs: ci
runs-on: ubuntu-latest
steps:
- name: Check Out Repo
uses: actions/checkout@v4
- run: echo ${{ needs.ci.outputs.NPM_VERSION }}
- run: echo ${{ needs.ci.outputs.IMAGE_SUFFIX }}
- name: Get short SHA
id: slug
run: echo "SHA7=$(echo ${GITHUB_SHA} | cut -c1-7)" >> $GITHUB_OUTPUT
- name: Login to GitHub Container Registry
if: github.ref == 'refs/heads/release'
run: |
echo "${{secrets.GITHUB_TOKEN}}" | docker login ghcr.io -u ${{github.repository_owner}} --password-stdin
- name: Install Cosign
if: github.ref == 'refs/heads/release'
uses: sigstore/cosign-installer@main
- name: Check install!
if: github.ref == 'refs/heads/release'
run: cosign version
- name: place the cosign private key in a file
if: github.ref == 'refs/heads/release'
run: 'echo "$COSIGN_KEY" > /tmp/cosign.key'
shell: bash
env:
COSIGN_KEY: ${{secrets.COSIGN_KEY}}
- name: Create NPM Package SBOM Report [SPDX]
uses: anchore/sbom-action@v0
with:
format: spdx
artifact-name: sbom.spdx
- name: Publish report [SPDX]
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.spdx$"
- name: Create NPM Pacakge SBOM Report [CycloneDx]
uses: anchore/sbom-action@v0
with:
format: cyclonedx
artifact-name: sbom.cyclonedx
- name: Publish report [CycloneDx]
uses: anchore/sbom-action/publish-sbom@v0
with:
sbom-artifact-match: ".*\\.cyclonedx$"
- name: Remove older SBOMs
if: github.ref == 'refs/heads/release'
run: rm -rf sbom*.* || true
- name: Download artifact for SPDX Report
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: sbom.spdx
- name: Download artifact for CycloneDx Report
if: github.ref == 'refs/heads/release'
uses: actions/download-artifact@v3
with:
name: sbom.cyclonedx
- name: ORAS Setup
if: github.ref == 'refs/heads/release'
run: |
ORAS_VERSION="v0.8.1"
ORAS_FILENAME="oras_0.8.1_linux_amd64.tar.gz"
curl -LO "https://github.com/oras-project/oras/releases/download/${ORAS_VERSION}/${ORAS_FILENAME}"
mkdir oras_install
tar -xvf "${ORAS_FILENAME}" -C oras_install
./oras_install/oras push ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:npm-${{ needs.ci.outputs.NPM_VERSION }} ./*sbom.*
cd ..
- name: Push SBOM reports to GitHub Container Registry & Sign the sbom images
if: github.ref == 'refs/heads/release'
run: |
result=$(./oras_install/oras push ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}:npm-${{ needs.ci.outputs.NPM_VERSION }} ./*sbom.*)
ORAS_DIGEST=$(echo $result | grep -oE 'sha256:[a-f0-9]{64}')
if [ -z "$ORAS_DIGEST" ]; then
echo "Error: ORAS_DIGEST is empty"
exit 1
fi
cd ..
cosign sign -y --key /tmp/cosign.key ghcr.io/${{github.repository}}/sbom${{ needs.ci.outputs.IMAGE_SUFFIX }}@${ORAS_DIGEST}
env:
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSWORD}}
publish:
needs: [ci, build]
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [18.x]
steps:
- uses: actions/checkout@v4
- run: echo ${{ needs.ci.outputs.NPM_VERSION }}
- run: echo ${{ needs.ci.outputs.PUBLISH_TAG }}
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
always-auth: true
node-version: ${{ matrix.node-version }}
registry-url: https://registry.npmjs.org
scope: "@retracedhq"
cache: "npm"
- run: npm install
working-directory: ./
- name: Publish NPM
if: github.ref == 'refs/heads/release' || contains(github.ref, 'refs/tags/beta-v')
run: |
npm install -g json
RETRACED_VERSION=${{ needs.ci.outputs.NPM_VERSION }}
json -I -f package.json -e "this.main=\"lib/index.js\""
json -I -f package.json -e "this.types=\"lib/index.d.ts\""
json -I -f package.json -e "this.version=\"${RETRACED_VERSION}\""
npm publish --tag ${{ needs.ci.outputs.PUBLISH_TAG }} --access public
working-directory: ./
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}