Skip to content

Canary

Canary #174

Workflow file for this run

name: Canary
on:
workflow_dispatch:
permissions:
contents: write
packages: write
env:
GH_USER: "bearer-bot"
jobs:
tag:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Bump version and push tag
if: startsWith(github.ref, 'refs/tags') != true
id: tag_version
uses: mathieudutour/[email protected]
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
tag_prefix: v
default_bump: patch
append_to_pre_release_tag: "canary"
outputs:
ref: refs/tags/${{ steps.tag_version.outputs.new_tag || github.ref_name }}
build-linux:
needs: [tag]
name: build-linux
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.tag.outputs.ref }}
- run: git fetch --force --tags
- shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- id: cache
uses: actions/cache@v4
with:
path: dist/linux
key: linux-${{ env.sha_short }}-canary
- uses: ./.github/actions/linux-build
if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
name: Run GoReleaser
with:
args: release --clean --split -f ./.goreleaser/canary.yaml
env:
GOOS: linux
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
DOCKER_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
DOCKER_PASSWORD: ${{ secrets.DOCKERHUB_TOKEN }}
build-darwin:
needs: [tag]
name: build-darwin
runs-on: macos-12
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.tag.outputs.ref }}
- run: git fetch --force --tags
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: 1.21
- name: Setup Gon
run: brew install Bearer/tap/gon
- name: Import Code-Signing Certificates
uses: Apple-Actions/import-codesign-certs@v2
with:
# The certificates in a PKCS12 file encoded as a base64 string
p12-file-base64: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_P12_BASE64 }}
# The password used to import the PKCS12 file.
p12-password: ${{ secrets.APPLE_DEVELOPER_CERTIFICATE_PASSWORD }}
- shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- id: cache
uses: actions/cache@v4
with:
path: dist/darwin
key: darwin-${{ env.sha_short }}-canary
- uses: goreleaser/goreleaser-action@v5
if: steps.cache.outputs.cache-hit != 'true' # do not run if cache hit
name: Run GoReleaser
with:
distribution: goreleaser-pro
version: latest
args: release --clean --split -f ./.goreleaser/canary.yaml
env:
GOOS: darwin
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
AC_USERNAME: ${{ secrets.AC_USERNAME }}
AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
AC_PROVIDER: ${{ secrets.AC_PROVIDER }}
AC_APPLICATION_IDENTITY: ${{ secrets.AC_APPLICATION_IDENTITY }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
publish:
needs: [tag, build-darwin, build-linux]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
ref: ${{ needs.tag.outputs.ref }}
- run:
git fetch --force --tags
# copy the cashes from prepare
- shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- uses: actions/cache@v4
with:
path: dist/linux
key: linux-${{ env.sha_short }}-canary
- uses: actions/cache@v4
with:
path: dist/darwin
key: darwin-${{ env.sha_short }}-canary
- name: Release
uses: goreleaser/goreleaser-action@v5
with:
distribution: goreleaser-pro
args: publish --merge
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "docker.io/bearer/bearer:canary-amd64"
format: "table"
exit-code: 0
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"