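# Terraform Provider release workflow.
name: Release
# This GitHub action creates a release when a tag that matches the pattern
# "v*" (e.g. v0.1.0) is created.
on:
  push:
    tags:
      - 'v*'
# Releases need permissions to read and write the repository contents.
# GitHub considers creating releases and uploading assets as writing contents.
# Both jobs below need exactly this scope and nothing else, so the token is
# kept to `contents: write` only.
permissions:
  contents: write
jobs:
  # Builds, signs and publishes the release, and produces the SBOMs that the
  # second job commits back to the repository.
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Allow goreleaser to access older tag information.
          fetch-depth: 0
      - uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
        with:
          go-version-file: 'go.mod'
          cache: true
      # Imports the release signing key into the runner keyring. The key and
      # passphrase only ever come from repository secrets; the fingerprint is
      # exported as a step output for goreleaser below.
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@2dc316deee8e90f13e1a351ab510b4d5bc0c82cd # v7.0.0
        id: import_gpg
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.PASSPHRASE }}
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
      # Both SBOMs are generated from the checked-out source tree (dir:.), i.e.
      # they describe the declared dependencies, not the built binaries.
      - name: Generate SPDX SBOM
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          syft scan dir:. -o spdx-json=terraform-provider-catalystcenter_${VERSION}_sbom.spdx.json \
            --source-name terraform-provider-catalystcenter \
            --source-version ${VERSION}
      - name: Generate CycloneDX SBOM
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          syft scan dir:. -o cyclonedx-json=terraform-provider-catalystcenter_${VERSION}_sbom.cyclonedx.json \
            --source-name terraform-provider-catalystcenter \
            --source-version ${VERSION}
      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
        with:
          args: release --clean
        env:
          # GitHub sets the GITHUB_TOKEN secret automatically.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # NOTE(review): presumably consumed by the signing section of
          # .goreleaser.yml (not visible here) — verify the config references it.
          GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
      # Hands the SBOM files to the next job. The short retention is deliberate:
      # the committed copies in sbom/ are the durable record, not the artifact.
      - name: Upload SBOM artifacts for repo update
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          name: sbom-files
          path: |
            terraform-provider-catalystcenter_*_sbom.spdx.json
            terraform-provider-catalystcenter_*_sbom.cyclonedx.json
          retention-days: 1
  # Commits the generated SBOMs to main under sbom/<version>/ and sbom/latest/.
  # Runs only after a successful release so the repo never references an SBOM
  # for a release that does not exist.
  update-sbom-in-repo:
    needs: goreleaser
    runs-on: ubuntu-latest
    # Serialise pushes to main across release runs: two tags pushed close
    # together would otherwise race on `git push origin main` and one would be
    # rejected as non-fast-forward. Never cancel an in-flight push.
    concurrency:
      group: update-sbom-in-repo-main
      cancel-in-progress: false
    permissions:
      contents: write
    defaults:
      run:
        # An explicit `shell: bash` runs with `-eo pipefail`, so a failure in
        # the jq|sed pipeline below aborts the step instead of writing an
        # empty Syft version into the README.
        shell: bash
    steps:
      # Explicitly check out main: GITHUB_REF is still the release tag here,
      # and the commit below must land on the branch, not on the tag.
      - name: Checkout repository
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          ref: main
          fetch-depth: 1
      - name: Download SBOM artifacts
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: sbom-files
      - name: Update SBOM in repository
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          # Create version-specific directory (and sbom/latest/ if this is the
          # first release to run this job).
          mkdir -p sbom/${VERSION} sbom/latest
          # Copy SBOM files to version-specific directory
          cp terraform-provider-catalystcenter_${VERSION}_sbom.spdx.json sbom/${VERSION}/sbom.spdx.json
          cp terraform-provider-catalystcenter_${VERSION}_sbom.cyclonedx.json sbom/${VERSION}/sbom.cyclonedx.json
          echo "✓ Created sbom/${VERSION}/ with SBOM files"
          # Also update sbom/latest/ for convenience
          cp sbom/${VERSION}/sbom.spdx.json sbom/latest/sbom.spdx.json
          cp sbom/${VERSION}/sbom.cyclonedx.json sbom/latest/sbom.cyclonedx.json
          # Get Syft version from the SBOM file itself (contains tool metadata).
          # Select the "Tool: syft-…" creator by content rather than by position
          # (creators[1]) so a change in creator ordering cannot silently
          # record the organisation or person entry as the Syft version.
          SYFT_VERSION=$(jq -r '.creationInfo.creators[] | select(startswith("Tool: syft-"))' sbom/latest/sbom.spdx.json | sed 's/Tool: syft-/v/')
          # Update sbom/latest/README.md with version information
          # (assumes sbom/latest/README.md is tracked in the repo with these
          # three "**…**:" header lines — awk fails the step if it is missing).
          awk -v ver="${VERSION}" '/^\*\*Provider Version\*\*:/ {print "**Provider Version**: " ver; next} {print}' sbom/latest/README.md > sbom/latest/README.md.tmp && mv sbom/latest/README.md.tmp sbom/latest/README.md
          awk -v date="$(date -u +%Y-%m-%d)" '/^\*\*Generated\*\*:/ {print "**Generated**: " date; next} {print}' sbom/latest/README.md > sbom/latest/README.md.tmp && mv sbom/latest/README.md.tmp sbom/latest/README.md
          awk -v syft="${SYFT_VERSION}" '/^\*\*Syft Version\*\*:/ {print "**Syft Version**: " syft; next} {print}' sbom/latest/README.md > sbom/latest/README.md.tmp && mv sbom/latest/README.md.tmp sbom/latest/README.md
          echo "✓ Updated sbom/latest/README.md"
      # Pushes with the job's GITHUB_TOKEN via the credentials persisted by
      # actions/checkout. NOTE(review): if main has branch protection that
      # requires pull requests or excludes the Actions token, this push is
      # rejected — confirm the rules allow it before relying on this job.
      - name: Commit and push SBOM updates
        run: |
          VERSION=${GITHUB_REF#refs/tags/}
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add sbom/
          # A re-run of the same tag that produces identical files would make
          # `git commit` exit non-zero with "nothing to commit"; treat that as
          # a no-op rather than a failed release.
          if git diff --cached --quiet; then
            echo "No SBOM changes to commit for ${VERSION}"
            exit 0
          fi
          git commit -m "Add SBOM for ${VERSION}
          - Created sbom/${VERSION}/ with version-specific SBOM files
          - Updated sbom/latest/ to reference ${VERSION}
          Generated by GitHub Actions release workflow."
          git push origin main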