Update helm docs (#786) #307
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| pre-build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| trail_name: ${{ steps.prep.outputs.trail_name }} | |
| trail_template_file: ${{ steps.prep.outputs.trail_template_file }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@v6 | |
| - name: Get tag | |
| id: tag | |
| uses: dawidd6/action-get-tag@v1 | |
| - name: Prepare | |
| id: prep | |
| run: | | |
| echo "TRAIL_NAME=${{ steps.tag.outputs.tag }}" >> $GITHUB_STATE | |
| echo "trail_name=${{ steps.tag.outputs.tag }}" >> $GITHUB_OUTPUT | |
| echo "TRAIL_TEMPLATE_FILE=release-flow-template.yml" >> $GITHUB_STATE | |
| echo "trail_template_file=release-flow-template.yml" >> $GITHUB_OUTPUT | |
| init-kosli: | |
| needs: [pre-build] | |
| uses: ./.github/workflows/init_kosli.yml | |
| with: | |
| FLOW_NAME: cli-release | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }} | |
| KOSLI_ORG: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| pr_github_token: ${{ secrets.GITHUB_TOKEN }} | |
| never-alone-trail: | |
| needs: [pre-build, init-kosli] | |
| uses: ./.github/workflows/never_alone_trail.yml | |
| with: | |
| FLOW_NAME: cli-release-never-alone | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| SOURCE_FLOW_NAME: cli | |
| ATTESTATION_NAME: never-alone-data | |
| PARENT_FLOW_NAME: cli-release | |
| PARENT_TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| KOSLI_ORG: kosli-public | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| pr_github_token: ${{ secrets.GITHUB_TOKEN }} | |
| test: | |
| needs: [pre-build, init-kosli] | |
| uses: ./.github/workflows/test.yml | |
| with: | |
| AWS_ACCOUNT_ID: 772819027869 | |
| AWS_REGION: eu-central-1 | |
| FLOW_NAME: cli-release | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| KOSLI_ORG: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }} | |
| gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }} | |
| azure_access_token: ${{ secrets.KOSLI_AZURE_TOKEN }} | |
| azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| bitbucket_access_token: ${{ secrets.KOSLI_BITBUCKET_ACCESS_TOKEN }} | |
| slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| slack_channel: ci-failures | |
| jira_api_token: ${{ secrets.KOSLI_JIRA_API_TOKEN }} | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| kosli_reporting_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| kosli_querying_api_token: ${{ secrets.KOSLI_API_TOKEN_PROD }} | |
| sonarqube_token: ${{ secrets.KOSLI_SONARQUBE_TOKEN }} | |
| docker: | |
| needs: [pre-build, init-kosli, test] | |
| uses: ./.github/workflows/docker.yml | |
| with: | |
| tag: ${{ needs.pre-build.outputs.tag }} | |
| platforms: linux/amd64,linux/arm64 | |
| flow_name: cli-release | |
| trail_name: ${{ needs.pre-build.outputs.trail_name }} | |
| kosli_org: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| slack_channel: ci-failures | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| goreleaser: | |
| needs: [test] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| outputs: | |
| artifacts: ${{ steps.prepare-artifacts-list.outputs.artifacts }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Jq | |
| uses: dcarbone/install-jq-action@v3 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: '.go-version' | |
| check-latest: true | |
| # Use release notes from the tag body when present (set by interactive `make release` or `make release tag=vX.Y.Z` with dist/release_notes.md). Otherwise GoReleaser uses its default changelog. | |
| # Write to repo root so GoReleaser's --clean (which removes dist/) does not delete the file before it is read. | |
| - name: Get release notes from tag | |
| id: get-tag-notes | |
| run: | | |
| TAG="${GITHUB_REF#refs/tags/}" | |
| BODY=$(git tag -l --format='%(contents:body)' "$TAG") | |
| if [ -n "$BODY" ]; then | |
| printf '%s' "$BODY" > release_notes.md | |
| echo "args=--release-notes=release_notes.md" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v7 | |
| with: | |
| distribution: goreleaser-pro | |
| version: '~> v2' # latest | |
| args: release --clean ${{ steps.get-tag-notes.outputs.args }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| FURY_TOKEN: ${{ secrets.FURY_TOKEN }} | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| GORELEASER_KEY: ${{ secrets.KOSLI_GORELEASERPRO }} | |
| - name: Copy npm packages into dist for provenance | |
| run: find npm -name "*.tgz" -exec cp {} dist/ \; | |
| - uses: actions/upload-artifact@v7 | |
| with: | |
| name: dist | |
| path: dist | |
| retention-days: 1 | |
| - name: Prepare artifacts list | |
| id: prepare-artifacts-list | |
| run: | | |
| GORELEASER_ARTIFACTS=$(jq '[reduce .[] as $item ( | |
| []; | |
| if ($item.type == "Archive") then | |
| . + [{ template_name: ($item.goos + "-" + $item.goarch), path: $item.path }] | |
| elif ($item.type == "Linux Package") then | |
| . + [{ template_name: (($item.extra.Ext | ltrimstr(".")) + "-pkg-" + $item.goarch), path: $item.path }] | |
| else | |
| . | |
| end | |
| )][]' dist/artifacts.json) | |
| NPM_ARTIFACTS=$(find dist -maxdepth 1 -name "*.tgz" -printf '%f\n' \ | |
| | jq -R '{ | |
| template_name: ("npm-" + sub("-[0-9]+\\.[0-9]+\\.[0-9]+.*\\.tgz$"; "")), | |
| path: ("dist/" + .) | |
| }' \ | |
| | jq -s '.') | |
| ARTIFACTS=$(jq -n \ | |
| --argjson g "$GORELEASER_ARTIFACTS" \ | |
| --argjson n "$NPM_ARTIFACTS" \ | |
| '$g + $n') | |
| echo "artifacts<<nEOFn" >> $GITHUB_OUTPUT | |
| echo "${ARTIFACTS}" >> $GITHUB_OUTPUT | |
| echo "nEOFn" >> $GITHUB_OUTPUT | |
| binary-provenance: | |
| needs: [goreleaser, pre-build] | |
| name: Artifacts Binary Provenance | |
| uses: ./.github/workflows/binary_provenance.yml | |
| with: | |
| dir: dist | |
| artifacts: ${{ needs.goreleaser.outputs.artifacts }} | |
| flow_name: cli-release | |
| trail_name: ${{ needs.pre-build.outputs.trail_name }} | |
| kosli_org: kosli-public | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| homebrew-pr: | |
| needs: [goreleaser, pre-build] | |
| name: Bump Homebrew formula | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - uses: mislav/bump-homebrew-formula-action@v4 | |
| if: ${{ !contains(github.ref, '-') }} # skip prereleases | |
| with: | |
| # A PR will be sent to github.com/Homebrew/homebrew-core to update this formula: | |
| formula-name: kosli-cli | |
| env: | |
| # the personal access token should have "repo" & "workflow" scopes | |
| COMMITTER_TOKEN: ${{ secrets.COMMITTER_TOKEN }} | |
| docs-gen: | |
| needs: [goreleaser, pre-build] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 # needed to be able to generate legacy versions reference. | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: '.go-version' | |
| check-latest: true | |
| - name: Generate docs | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # legacy-ref should happen first as it has the side effect of deleting generated files outside the legacy_ref | |
| run: | | |
| make legacy-ref-docs | |
| make cli-docs | |
| - name: Generate json | |
| run: | | |
| echo '{"currentversion": "${{ needs.pre-build.outputs.tag }}"}' > docs.kosli.com/assets/metadata.json | |
| - name: Deploy | |
| uses: s0/git-publish-subdir-action@develop | |
| env: | |
| REPO: self | |
| BRANCH: docs-main | |
| FOLDER: docs.kosli.com | |
| TARGET_DIR: docs.kosli.com | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| MESSAGE: "Release: {msg}" | |
| docs-repo-dispatch: | |
| needs: [pre-build, goreleaser] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.DOCS_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/docs | |
| event-type: cli-release | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| evidence-reporter-upload-package-and-deploy: | |
| needs: [pre-build, goreleaser] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.KOSLI_REPORTER_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/terraform-aws-evidence-reporter | |
| event-type: upload-package | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| environment-reporter-upload-package-and-deploy: | |
| needs: [pre-build, goreleaser] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.KOSLI_REPORTER_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/terraform-aws-kosli-reporter | |
| event-type: upload-package | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| environment-reporter-upload-layer: | |
| needs: [pre-build, goreleaser] | |
| uses: ./.github/workflows/upload-cli-layer.yml | |
| with: | |
| tag: ${{ needs.pre-build.outputs.tag }} | |
| AWS_ACCOUNT_ID: 585008075785 | |
| AWS_REGION: eu-central-1 | |
| slack-notification-on-failure: | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| actions: read | |
| contents: read | |
| needs: | |
| [ | |
| pre-build, | |
| init-kosli, | |
| never-alone-trail, | |
| test, | |
| docker, | |
| goreleaser, | |
| binary-provenance, | |
| homebrew-pr, | |
| docs-gen, | |
| docs-repo-dispatch, | |
| evidence-reporter-upload-package-and-deploy, | |
| environment-reporter-upload-package-and-deploy, | |
| environment-reporter-upload-layer | |
| ] | |
| if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/master' }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0 | |
| with: | |
| egress-policy: audit | |
| - name: Slack Notification on Failure | |
| uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main | |
| with: | |
| slack_url: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} |