-
-
Notifications
You must be signed in to change notification settings - Fork 0
134 lines (119 loc) · 4.33 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
name: Release
on:
push:
branches: master
paths:
- '.github/workflows/release.yml'
- 'api/*.py'
- 'pyproject.toml'
- 'Dockerfile'
jobs:
release:
name: Release
if: |
github.actor != 'dependabot[bot]' &&
github.actor != 'github-actions[bot]' &&
github.actor != 'protected-auto-commits[bot]'
runs-on: ubuntu-latest
concurrency: release
permissions:
id-token: write
contents: write
issues: write
pull-requests: write
steps:
- name: GitHub App Token
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.GH_APP_ID }}
private-key: ${{ secrets.GH_PRIVATE_KEY }}
- name: Checkout Repo
uses: actions/checkout@v4
with:
fetch-depth: 0
fetch-tags: true
token: ${{ steps.app-token.outputs.token }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: '3.12'
cache: "pip"
- name: Cache Dependencies
uses: actions/cache@v4
with:
path: ~/.cache/pip
key: ${{ runner.os }}-pip-${{ hashFiles('requirements.txt') }}
restore-keys: |
${{ runner.os }}-pip-
- name: Install Dependencies
run: |
python -m pip install --upgrade pip
pip install python-semantic-release
- name: Setup Git
run: |
git fetch origin
git reset --hard origin/${{ github.ref_name }}
- name: Semantic Release
uses: python-semantic-release/python-semantic-release@v9.8.8
with:
github_token: ${{ steps.app-token.outputs.token }}
docker:
name: Docker
runs-on: ubuntu-latest
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
needs: release
steps:
- name: Checkout Code
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Extract Docker Metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards
tags: |
type=ref,event=branch
type=ref,event=pr
type=semver,pattern={{version}}
type=sha
- name: Build & Push Docker Image
uses: docker/build-push-action@v6
with:
context: .
sbom: ${{ github.event_name != 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
load: ${{ github.event_name == 'pull_request' }}
tags: |
${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:latest
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
file: Dockerfile
- name: Docker Scout Scan
uses: docker/scout-action@v1.14.0
with:
command: quickview, cves
image: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:latest
to: ${{ vars.DOCKER_USERNAME }}/wakatime-leaderboards:latest
only-severities: critical, high
only-fixed: true
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }}
sarif-file: docker-scout-results.sarif
- name: Upload Scout Scan Results
if: always()
uses: actions/upload-artifact@v4
with:
name: docker-scout-results
path: docker-scout-results.sarif