Canary #157
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Canary | |
on: | |
workflow_dispatch: | |
permissions: | |
contents: write | |
packages: write | |
env: | |
GH_USER: "bearer-bot" | |
jobs: | |
tag: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Bump version and push tag | |
if: startsWith(github.ref, 'refs/tags') != true | |
id: tag_version | |
uses: mathieudutour/[email protected] | |
with: | |
github_token: ${{ secrets.GITHUB_TOKEN }} | |
tag_prefix: v | |
default_bump: patch | |
append_to_pre_release_tag: "canary" | |
outputs: | |
ref: refs/tags/${{ steps.tag_version.outputs.new_tag || github.ref_name }} | |
build-linux: | |
needs: [tag] | |
name: build-linux | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.tag.outputs.ref }} | |
- run: git fetch --force --tags | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- id: cache | |
uses: actions/cache@v3 | |
with: | |
path: dist/linux | |
key: linux-${{ env.sha_short }}-canary | |
- uses: ./.github/actions/linux-build | |
if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit | |
name: Run GoReleaser | |
with: | |
args: release --clean --split -f ./.goreleaser/canary.yaml | |
env: | |
GOOS: linux | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }} | |
build-darwin: | |
needs: [tag] | |
name: build-darwin | |
runs-on: macos-12 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.tag.outputs.ref }} | |
- run: git fetch --force --tags | |
- name: Set up Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: 1.21 | |
- name: Setup Gon | |
run: brew install Bearer/tap/gon | |
- name: Import Code-Signing Certificates | |
uses: Apple-Actions/import-codesign-certs@v2 | |
with: | |
# The certificates in a PKCS12 file encoded as a base64 string | |
p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }} | |
# The password used to import the PKCS12 file. | |
p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }} | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- id: cache | |
uses: actions/cache@v3 | |
with: | |
path: dist/darwin | |
key: darwin-${{ env.sha_short }}-canary | |
- uses: goreleaser/goreleaser-action@v5 | |
if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit | |
name: Run GoReleaser | |
with: | |
distribution: goreleaser-pro | |
version: latest | |
args: release --clean --split -f ./.goreleaser/canary.yaml | |
env: | |
GOOS: darwin | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
AC_USERNAME: ${{ secrets.AC_USERNAME }} | |
AC_PASSWORD: ${{ secrets.AC_PASSWORD }} | |
AC_PROVIDER: ${{ secrets.AC_PROVIDER }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
publish: | |
needs: [tag, build-darwin, build-linux] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ needs.tag.outputs.ref }} | |
- run: | |
git fetch --force --tags | |
# copy the cashes from prepare | |
- shell: bash | |
run: | | |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV | |
- uses: actions/cache@v3 | |
with: | |
path: dist/linux | |
key: linux-${{ env.sha_short }}-canary | |
- uses: actions/cache@v3 | |
with: | |
path: dist/darwin | |
key: darwin-${{ env.sha_short }}-canary | |
- name: Release | |
uses: goreleaser/goreleaser-action@v5 | |
with: | |
distribution: goreleaser-pro | |
args: publish --merge | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/bearer/bearer:canary-amd64" | |
format: "table" | |
exit-code: 0 | |
ignore-unfixed: true | |
vuln-type: "os,library" | |
severity: "CRITICAL,HIGH" |