-
Notifications
You must be signed in to change notification settings - Fork 54
187 lines (158 loc) · 6.59 KB
/
Copy pathpackage-and-upload-assets.yml
File metadata and controls
187 lines (158 loc) · 6.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
name: Package and Upload Release Assets
# Global variables
env:
FILES_TO_PACKAGE: "gemini-extension.json GEMINI.md LICENSE commands/ mcp-server/ skills/"
on:
release:
types: [created]
# This allows you to run the workflow manually from the Actions tab
workflow_dispatch:
inputs:
tag_name:
description: 'The tag of the release to upload assets to'
required: true
type: string
jobs:
# Build the MCP server and uploads the entire workspace as an artifact for the next job
build:
runs-on: ubuntu-latest
steps:
# 1. Checks out your repository's code
- name: Checkout code
uses: actions/checkout@v4
# 2. Sets up the Node.js environment
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '20' # Specify the Node.js version you use
cache: 'npm'
# Tell the cache where to find the package-lock.json
cache-dependency-path: mcp-server/package-lock.json
# 3. Install MCP server dependencies
# The MCP server needs its dependencies bundled in the release
- name: Install MCP server dependencies
working-directory: ./mcp-server
run: npm ci
# 4. Runs your build script
- name: Run build
working-directory: ./mcp-server
run: npm run build
# 5. Upload build artifacts
- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: build-output
path: .
# Downloads OSV scanner and packages release archives.
package:
needs: build
runs-on: ubuntu-latest
strategy:
matrix:
platform:
- { os: "linux", archive_name: "linux.x64.security.tar.gz", source_binary: "osv-scanner_linux_amd64", output_binary: "osv-scanner" }
- { os: "darwin", archive_name: "darwin.x64.security.tar.gz", source_binary: "osv-scanner_darwin_amd64", output_binary: "osv-scanner" }
- { os: "darwin", archive_name: "darwin.arm64.security.tar.gz", source_binary: "osv-scanner_darwin_arm64", output_binary: "osv-scanner" }
- { os: "win32", archive_name: "win32.x64.security.zip", source_binary: "osv-scanner_windows_amd64.exe", output_binary: "osv-scanner.exe" }
steps:
- name: Download build artifacts
uses: actions/download-artifact@v4
with:
name: build-output
path: .
# Determine OSV scanner version and record it in `tag`
- name: Get latest OSV scanner version
id: osv_scanner_version
run: |
# LATEST_TAG=$(curl -sSLf "https://api.github.com/repos/google/osv-scanner/releases/latest" | jq -r .tag_name)
# Manually pin to v2.2.4 for now because of https://github.com/google/osv-scanner/issues/2421
LATEST_TAG="v2.2.4"
echo "tag=${LATEST_TAG}" >> $GITHUB_OUTPUT
- name: Download OSV scanner binary
env:
SOURCE_BINARY: ${{ matrix.platform.source_binary }}
OSV_SCANNER_VERSION: ${{ steps.osv_scanner_version.outputs.tag }}
run: |
DOWNLOAD_URL="https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/${SOURCE_BINARY}"
echo "Downloading binary from: ${DOWNLOAD_URL}"
curl -Lf -o "${SOURCE_BINARY}" "${DOWNLOAD_URL}"
chmod +x ${SOURCE_BINARY}
echo "Binary downloaded and prepared."
ls -l
- name: Install slsa-verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.7.1
- name: Verify OSV scanner binary
env:
SOURCE_BINARY: ${{ matrix.platform.source_binary }}
OSV_SCANNER_VERSION: ${{ steps.osv_scanner_version.outputs.tag }}
run: |
PROVENANCE_URL="https://github.com/google/osv-scanner/releases/download/${OSV_SCANNER_VERSION}/multiple.intoto.jsonl"
echo "Downloading provenance from: ${PROVENANCE_URL}"
curl -Lf -o multiple.intoto.jsonl "${PROVENANCE_URL}"
echo "Verifying binary with slsa-verifier"
slsa-verifier verify-artifact \
"${SOURCE_BINARY}" \
--provenance-path multiple.intoto.jsonl \
--source-uri "github.com/google/osv-scanner" \
--source-tag "${OSV_SCANNER_VERSION}"
- name: Create release archive
id: create_archive
env:
ARCHIVE_NAME: ${{ matrix.platform.archive_name }}
SOURCE_BINARY: ${{ matrix.platform.source_binary }}
OS_PLATFORM: ${{ matrix.platform.os }}
OUTPUT_BINARY: ${{ matrix.platform.output_binary }}
run: |
echo "Packaging ${SOURCE_BINARY} and extension contents into ${ARCHIVE_NAME}"
mkdir staging
cp "${SOURCE_BINARY}" "staging/${OUTPUT_BINARY}"
cp -r ${FILES_TO_PACKAGE} staging/
if [[ "${OS_PLATFORM}" == "win32" ]]; then
echo "Modifying gemini-extension.json for Windows..."
jq '.mcpServers.osvScanner.command += ".exe"' gemini-extension.json > staging/gemini-extension.json
echo "Modification complete."
fi
echo "All assets staged."
ls -l staging
# Create archive
if [[ "${OS_PLATFORM}" == "win32" ]]; then
(cd staging && zip -r ../"${ARCHIVE_NAME}" *)
else
tar -czvf "${ARCHIVE_NAME}" -C staging .
fi
echo "Created archive: ${ARCHIVE_NAME}"
echo "archive_path=${ARCHIVE_NAME}" >> $GITHUB_OUTPUT
- name: Upload archive as workflow artifact
uses: actions/upload-artifact@v4
with:
name: release-archive-${{ matrix.platform.archive_name }}
path: ${{ steps.create_archive.outputs.archive_path }}
# This job gathers all archives and uploads them to the GitHub Release.
upload:
name: Upload all assets to release
runs-on: ubuntu-latest
needs: package
permissions:
contents: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Download all release archives
uses: actions/download-artifact@v4
with:
path: release-archives
pattern: release-archive-*
merge-multiple: true
- name: List downloaded files
run: |
echo "--- Downloaded files ---"
ls -R release-archives
echo "------------------------"
- name: Upload all assets to GitHub Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TAG_NAME: ${{ github.event.release.tag_name || inputs.tag_name }}
run: |
gh release upload \
${TAG_NAME} \
release-archives/*