| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120 |
- name: Create Release for esoctl
- on:
- workflow_dispatch:
- inputs:
- version:
- description: 'version to release, e.g. v0.1.0-esoctl'
- required: true
- default: 'v0.1.0-esoctl'
- source_ref:
- description: 'source ref to publish from. E.g.: main'
- required: true
- default: 'main'
- # this is required for security check even though we immediately set it to
- # write in the release job.
- permissions:
- contents: read
- jobs:
- release:
- name: Create Release for esoctl
- runs-on: ubuntu-latest
- permissions:
- contents: write # for publishing the release
- steps:
- - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
- with:
- egress-policy: audit
- - name: Checkout
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- fetch-depth: 0
- persist-credentials: false
- - name: Resolve and validate ref
- id: resolve_ref
- env:
- SOURCE_REF: ${{ github.event.inputs.source_ref }}
- run: |
- set -e
- # Try to fetch the ref from remote
- if git fetch origin "$SOURCE_REF"; then
- # Remote ref exists, use it
- RESOLVED_SHA=$(git rev-parse "origin/$SOURCE_REF")
- elif git rev-parse --verify "$SOURCE_REF" >/dev/null 2>&1; then
- # Local ref exists (e.g., a tag)
- RESOLVED_SHA=$(git rev-parse "$SOURCE_REF")
- else
- echo "Error: ref '$SOURCE_REF' not found"
- exit 1
- fi
- echo "Resolved to SHA: $RESOLVED_SHA"
- echo "sha=$RESOLVED_SHA" >> $GITHUB_OUTPUT
- - name: Checkout validated ref
- env:
- RESOLVED_SHA: ${{ steps.resolve_ref.outputs.sha }}
- run: git checkout "$RESOLVED_SHA"
- - name: Setup Go
- uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
- id: setup-go
- with:
- go-version-file: "go.mod"
- cache: false
- - name: Download Go modules
- run: go mod download
- - name: Install Syft
- uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
- - name: Import GPG key
- id: import_gpg
- uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
- env:
- GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
- GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
- with:
- gpg_private_key: ${{ env.GPG_PRIVATE_KEY }}
- passphrase: ${{ env.GPG_PASSPHRASE }}
- - name: Check if Tag Exists
- id: check_tag
- env:
- VERSION: ${{ github.event.inputs.version }}
- run: |
- if git rev-parse "$VERSION" >/dev/null 2>&1; then
- echo "Tag exists."
- exit 1
- fi
- - name: Configure Git credentials
- env:
- TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GH_REPO: ${{ github.repository }}
- run: |
- git config user.name "$GITHUB_ACTOR"
- git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
- git remote set-url origin "https://x-access-token:${TOKEN}@github.com/${GH_REPO}.git"
- - name: Create Tag if Not Exists
- if: success()
- env:
- TAG: ${{ github.event.inputs.version }}
- run: |
- git tag $TAG
- git push origin $TAG
- - name: Run GoReleaser
- uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
- with:
- version: '~> v2'
- args: release --clean
- workdir: cmd/esoctl
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- GORELEASER_CURRENT_TAG: ${{ github.event.inputs.version }}
- GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
|
