Add Cloud Run Job support and clean up cloud-run wire format server/#… #318
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: release | |
| on: | |
| push: | |
| tags: | |
| - "v*" | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| jobs: | |
| pre-build: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| tag: ${{ steps.tag.outputs.tag }} | |
| trail_name: ${{ steps.prep.outputs.trail_name }} | |
| trail_template_file: ${{ steps.prep.outputs.trail_template_file }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@v6 | |
| - name: Get tag | |
| id: tag | |
| uses: dawidd6/action-get-tag@v1 | |
| - name: Verify annotated tag | |
| env: | |
| GH_TOKEN: ${{ github.token }} | |
| run: | | |
| TAG_TYPE=$(gh api repos/${{ github.repository }}/git/refs/tags/${{ steps.tag.outputs.tag }} --jq '.object.type') | |
| if [ "$TAG_TYPE" != "tag" ]; then | |
| echo "::error::Tag ${{ steps.tag.outputs.tag }} is lightweight, not annotated. Use 'make release' to cut releases." | |
| exit 1 | |
| fi | |
| - name: Prepare | |
| id: prep | |
| run: | | |
| echo "TRAIL_NAME=${{ steps.tag.outputs.tag }}" >> $GITHUB_STATE | |
| echo "trail_name=${{ steps.tag.outputs.tag }}" >> $GITHUB_OUTPUT | |
| echo "TRAIL_TEMPLATE_FILE=release-flow-template.yml" >> $GITHUB_STATE | |
| echo "trail_template_file=release-flow-template.yml" >> $GITHUB_OUTPUT | |
| init-kosli: | |
| needs: [pre-build] | |
| uses: ./.github/workflows/init_kosli.yml | |
| with: | |
| FLOW_NAME: cli-release | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| FLOW_TEMPLATE_FILE: ${{ needs.pre-build.outputs.trail_template_file }} | |
| KOSLI_ORG: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| pr_github_token: ${{ secrets.GITHUB_TOKEN }} | |
| never-alone-trail: | |
| needs: [pre-build, init-kosli] | |
| uses: ./.github/workflows/never_alone_trail.yml | |
| with: | |
| FLOW_NAME: cli-release-never-alone | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| SOURCE_FLOW_NAME: cli | |
| ATTESTATION_NAME: never-alone-data | |
| PARENT_FLOW_NAME: cli-release | |
| PARENT_TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| KOSLI_ORG: kosli-public | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| pr_github_token: ${{ secrets.GITHUB_TOKEN }} | |
| test: | |
| needs: [pre-build, init-kosli] | |
| uses: ./.github/workflows/test.yml | |
| with: | |
| AWS_ACCOUNT_ID: 772819027869 | |
| AWS_REGION: eu-central-1 | |
| FLOW_NAME: cli-release | |
| TRAIL_NAME: ${{ needs.pre-build.outputs.trail_name }} | |
| KOSLI_ORG: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| github_access_token: ${{ secrets.KOSLI_GITHUB_TOKEN }} | |
| gitlab_access_token: ${{ secrets.KOSLI_GITLAB_TOKEN }} | |
| azure_access_token: ${{ secrets.KOSLI_AZURE_TOKEN }} | |
| azure_client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| azure_client_secret: ${{ secrets.AZURE_CLIENT_SECRET }} | |
| bitbucket_access_token: ${{ secrets.KOSLI_BITBUCKET_ACCESS_TOKEN }} | |
| slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| slack_channel: ci-failures | |
| jira_api_token: ${{ secrets.KOSLI_JIRA_API_TOKEN }} | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| kosli_reporting_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| kosli_querying_api_token: ${{ secrets.KOSLI_API_TOKEN_PROD }} | |
| sonarqube_token: ${{ secrets.KOSLI_SONARQUBE_TOKEN }} | |
| docker: | |
| needs: [pre-build, init-kosli, test] | |
| uses: ./.github/workflows/docker.yml | |
| with: | |
| tag: ${{ needs.pre-build.outputs.tag }} | |
| platforms: linux/amd64,linux/arm64 | |
| flow_name: cli-release | |
| trail_name: ${{ needs.pre-build.outputs.trail_name }} | |
| kosli_org: kosli-public | |
| report_to_kosli: release | |
| secrets: | |
| slack_webhook: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| slack_channel: ci-failures | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| snyk_token: ${{ secrets.SNYK_TOKEN }} | |
| goreleaser: | |
| needs: [test] | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| attestations: write | |
| outputs: | |
| artifacts: ${{ steps.prepare-artifacts-list.outputs.artifacts }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| with: | |
| fetch-depth: 0 | |
| - name: Install Jq | |
| uses: dcarbone/install-jq-action@v3 | |
| - name: Set up Go | |
| uses: actions/setup-go@v6 | |
| with: | |
| go-version-file: '.go-version' | |
| check-latest: true | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '24' | |
| registry-url: 'https://registry.npmjs.org' | |
| # Use release notes from the tag body when present (set by interactive `make release` or `make release tag=vX.Y.Z` with dist/release_notes.md). Otherwise GoReleaser uses its default changelog. | |
| # Write to repo root so GoReleaser's --clean (which removes dist/) does not delete the file before it is read. | |
| - name: Get release notes from tag | |
| id: get-tag-notes | |
| run: | | |
| TAG="${GITHUB_REF#refs/tags/}" | |
| BODY=$(git tag -l --format='%(contents:body)' "$TAG") | |
| if [ -n "$BODY" ]; then | |
| printf '%s' "$BODY" > release_notes.md | |
| echo "args=--release-notes=release_notes.md" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@v7 | |
| with: | |
| distribution: goreleaser-pro | |
| version: '~> v2' # latest | |
| args: release --clean ${{ steps.get-tag-notes.outputs.args }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| FURY_TOKEN: ${{ secrets.FURY_TOKEN }} | |
| GORELEASER_KEY: ${{ secrets.KOSLI_GORELEASERPRO }} | |
| - name: Copy npm packages into dist for provenance | |
| run: find npm -name "*.tgz" -exec cp {} dist/ \; | |
| - uses: actions/upload-artifact@v7 | |
| with: | |
| name: dist | |
| path: dist | |
| retention-days: 1 | |
| - name: Prepare artifacts list | |
| id: prepare-artifacts-list | |
| run: | | |
| GORELEASER_ARTIFACTS=$(jq '[reduce .[] as $item ( | |
| []; | |
| if ($item.type == "Archive") then | |
| . + [{ template_name: ($item.goos + "-" + $item.goarch), path: $item.path }] | |
| elif ($item.type == "Linux Package") then | |
| . + [{ template_name: (($item.extra.Ext | ltrimstr(".")) + "-pkg-" + $item.goarch), path: $item.path }] | |
| else | |
| . | |
| end | |
| )][]' dist/artifacts.json) | |
| NPM_ARTIFACTS=$(find dist -maxdepth 1 -name "*.tgz" -printf '%f\n' \ | |
| | jq -R '{ | |
| template_name: ("npm-" + sub("-[0-9]+\\.[0-9]+\\.[0-9]+.*\\.tgz$"; "")), | |
| path: ("dist/" + .) | |
| }' \ | |
| | jq -s '.') | |
| ARTIFACTS=$(jq -n \ | |
| --argjson g "$GORELEASER_ARTIFACTS" \ | |
| --argjson n "$NPM_ARTIFACTS" \ | |
| '$g + $n') | |
| echo "artifacts<<nEOFn" >> $GITHUB_OUTPUT | |
| echo "${ARTIFACTS}" >> $GITHUB_OUTPUT | |
| echo "nEOFn" >> $GITHUB_OUTPUT | |
| binary-provenance: | |
| needs: [goreleaser, pre-build] | |
| name: Artifacts Binary Provenance | |
| uses: ./.github/workflows/binary_provenance.yml | |
| with: | |
| dir: dist | |
| artifacts: ${{ needs.goreleaser.outputs.artifacts }} | |
| flow_name: cli-release | |
| trail_name: ${{ needs.pre-build.outputs.trail_name }} | |
| kosli_org: kosli-public | |
| secrets: | |
| kosli_api_token: ${{ secrets.KOSLI_PUBLIC_API_TOKEN }} | |
| homebrew-pr: | |
| needs: [goreleaser, pre-build] | |
| name: Bump Homebrew formula | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - uses: mislav/bump-homebrew-formula-action@v4 | |
| if: ${{ !contains(github.ref, '-') }} # skip prereleases | |
| with: | |
| # A PR will be sent to github.com/Homebrew/homebrew-core to update this formula: | |
| formula-name: kosli-cli | |
| env: | |
| # the personal access token should have "repo" & "workflow" scopes | |
| COMMITTER_TOKEN: ${{ secrets.COMMITTER_TOKEN }} | |
| docs-repo-dispatch: | |
| needs: [pre-build, goreleaser] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.DOCS_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/docs | |
| event-type: cli-release | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| evidence-reporter-upload-package-and-deploy: | |
| needs: [pre-build, goreleaser, environment-reporter-upload-layer] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.KOSLI_REPORTER_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/terraform-aws-evidence-reporter | |
| event-type: upload-package | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| environment-reporter-upload-package-and-deploy: | |
| needs: [pre-build, goreleaser, environment-reporter-upload-layer] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Repository Dispatch | |
| uses: peter-evans/repository-dispatch@v4 | |
| with: | |
| token: ${{ secrets.KOSLI_REPORTER_REPO_ACCESS_TOKEN }} | |
| repository: kosli-dev/terraform-aws-kosli-reporter | |
| event-type: upload-package | |
| client-payload: '{"kosli_cli_tag": "${{ needs.pre-build.outputs.tag }}"}' | |
| environment-reporter-upload-layer: | |
| needs: [pre-build, goreleaser] | |
| uses: ./.github/workflows/upload-cli-layer.yml | |
| with: | |
| tag: ${{ needs.pre-build.outputs.tag }} | |
| AWS_ACCOUNT_ID: 585008075785 | |
| AWS_REGION: eu-central-1 | |
| slack-notification-on-failure: | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| actions: read | |
| contents: read | |
| needs: | |
| [ | |
| pre-build, | |
| init-kosli, | |
| never-alone-trail, | |
| test, | |
| docker, | |
| goreleaser, | |
| binary-provenance, | |
| homebrew-pr, | |
| docs-repo-dispatch, | |
| evidence-reporter-upload-package-and-deploy, | |
| environment-reporter-upload-package-and-deploy, | |
| environment-reporter-upload-layer | |
| ] | |
| if: ${{ always() && contains(join(needs.*.result, ','), 'failure') && github.ref == 'refs/heads/main' }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 | |
| with: | |
| egress-policy: audit | |
| - name: Slack Notification on Failure | |
| uses: kosli-dev/reusable-actions/.github/actions/send-ci-failure-slack-message@main | |
| with: | |
| slack_url: ${{ secrets.MERKELY_SLACK_CI_FAILURES_WEBHOOK }} | |
| github_token: ${{ secrets.GITHUB_TOKEN }} |