-
Notifications
You must be signed in to change notification settings - Fork 2
183 lines (166 loc) · 5.89 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
name: release
on:
workflow_dispatch:
inputs:
publish:
type: boolean
description: Publish Release
default: false
tag:
type: string
description: Tag Name
required: true
previous-tag:
type: string
description: Previous Tag Name
default: '' # GoReleaser will detect the previous tag if not specified
jobs:
goreleaser:
runs-on: ubuntu-latest
concurrency:
group: release-${{ github.ref }}
permissions:
contents: write
env:
flags: ''
tag: ${{ inputs.tag || github.ref_name }}
outputs:
version: ${{ steps.semver.outputs.version }}
steps:
- id: semver
uses: matt-usurp/validate-semver@v1
with:
version: ${{ env.tag }}
- name: Validate tag prefix (v)
if: ${{ !startsWith(env.tag, 'v') }}
run: |
echo "::error::Tag name must start with 'v' (https://developer.hashicorp.com/terraform/registry/providers/publishing#creating-a-github-release)"
exit 1
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/setup-go@v5
with:
go-version-file: go.mod
- name: Enable snapshot mode
if: ${{ github.event_name == 'workflow_dispatch' && !inputs.publish }}
run: echo "flags=--snapshot" >> "$GITHUB_ENV"
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v6
id: gpg
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- name: Create tag
if: ${{ inputs.tag }}
run: git rev-parse --quiet --verify "refs/tags/$tag" || git tag "$tag"
- name: GoReleaser
uses: goreleaser/goreleaser-action@v5
with:
args: release --clean ${{ env.flags }}
env:
GORELEASER_CURRENT_TAG: ${{ env.tag }}
GORELEASER_PREVIOUS_TAG: ${{ inputs.previous-tag }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GPG_FINGERPRINT: ${{ steps.gpg.outputs.fingerprint }}
- uses: actions/upload-artifact@v4
with:
name: archives
path: |
dist/*.zip
dist/*.json
dist/*.yaml
dist/*.sig
dist/*_SHA256SUMS
- if: ${{ env.flags == '--snapshot' }}
name: Snapshot warning
run: echo "::warning::Snapshot release, not publishing artifacts (https://goreleaser.com/customization/snapshots/)"
s3:
needs: goreleaser
runs-on: ubuntu-latest
permissions:
id-token: write
env:
flags: ''
version: ${{ needs.goreleaser.outputs.version }}
upload_dir: ${{ github.workspace }}/upload
steps:
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: ${{ vars.AWS_ROLE_ARN }}
aws-region: us-west-2
- id: artifacts
uses: actions/download-artifact@v4
with:
name: archives
path: dist
- name: Enable dry run mode
if: ${{ github.event_name == 'workflow_dispatch' && !inputs.publish }}
run: echo "flags=--dryrun" >> "$GITHUB_ENV"
- name: Create upload directory
run: mkdir "$upload_dir"
- id: archives
name: Copy archives
run: |
i=0
while read -r archive; do
os=$(jq -r '.goos' <<< "$archive")
arch=$(jq -r '.goarch' <<< "$archive")
name=$(jq -r '.name' <<< "$archive")
path=$(jq -r '.path' <<< "$archive")
dir="${upload_dir}/os=${os}/arch=${arch}"
mkdir -p "$dir"
echo "Copying ${name} to ${dir}"
cp "$path" "$dir"
((i++)) || true
done < <(jq -c '.[] | select(.type == "Archive")' ${{ steps.artifacts.outputs.download-path }}/artifacts.json)
echo "count=${i}" >> "$GITHUB_OUTPUT"
- id: signatures
name: Copy checksum/signature
run: |
i=0
while read -r path; do
name=$(jq -r '.name' <<< "$path")
path=$(jq -r '.path' <<< "$path")
echo "Copying ${name} to ${upload_dir}"
cp "$path" "$upload_dir"
((i++)) || true
done < <(jq -c '.[] | select(.type | IN("Checksum", "Signature"))' ${{ steps.artifacts.outputs.download-path }}/artifacts.json)
echo "count=${i}" >> "$GITHUB_OUTPUT"
- name: Validate archives
if: ${{ steps.archives.outputs.count == '0' }}
run: |
echo "::error::No archives found, aborting release"
exit 1
- name: Validate signatures
if: ${{ steps.signatures.outputs.count != '2' }}
run: |
echo "::error::Expected 2 signatures, got ${{ steps.signatures.outputs.count }}, aborting release"
exit 1
- name: Print upload tree
if: always()
working-directory: ${{ env.upload_dir }}
run: tree
- name: Copy to S3
run: |
bucket="${{ vars.AWS_S3_REGISTRY_BUCKET }}"
prefix="${{ vars.AWS_S3_REGISTRY_PREFIX }}/version=${version}/"
s3_uri="s3://${bucket}/${prefix}"
echo "::group::aws s3 cp"
# shellcheck disable=SC2086
aws s3 cp $flags --recursive "$upload_dir" "$s3_uri"
echo "::endgroup::"
cd "$(mktemp -d)"
mkdir -p "$s3_uri"
cd "s3:"
cp --recursive "$upload_dir/"* "${bucket}/${prefix}"
{
echo "## S3 Registry Uploads"
if [[ "$flags" == "--dryrun" ]]; then
echo '⚠️ _Dry run mode was enabled, no files were actually uploaded to S3._'
fi
echo '* **Archives:** ${{ steps.archives.outputs.count }}'
echo '* **Signatures:** ${{ steps.signatures.outputs.count }}'
echo '```'
tree --noreport "$bucket"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"