Skip to content

Merge pull request #455 from vscheuber/main #433

Merge pull request #455 from vscheuber/main

Merge pull request #455 from vscheuber/main #433

Workflow file for this run

name: 'Frodo CLI Release Pipeline'
on:
pull_request:
branches:
- 'main'
paths-ignore:
- '**/CODE_OF_CONDUCT.md'
- '**/README.md'
- 'docs/**'
push:
branches:
- 'main'
paths-ignore:
- '**/CODE_OF_CONDUCT.md'
- '**/README.md'
- '**/pipeline.yml'
- 'docs/**'
workflow_dispatch:
env:
NODE_VERSION: 22
jobs:
build:
name: 'Build'
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# Need to specify ref and repository for PRs from forked repos
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Update package-log.json before version bump
run: npm i --package-lock-only
- name: Install dependencies
run: npm ci
- name: 'Prepare Version Bump'
id: version-bump
uses: 'phips28/gh-action-bump-version@master'
with:
major-wording: 'MAJOR RELEASE'
minor-wording: 'MINOR RELEASE'
patch-wording: 'PATCH RELEASE'
rc-wording: ''
tag-prefix: 'v'
default: prerelease
preid: ''
bump-policy: 'ignore'
skip-commit: 'true'
skip-tag: 'true'
skip-push: 'true'
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Update package-log.json after version bump
run: npm i --package-lock-only
- name: 'Version From Tag'
id: version-from-tag
run: echo "version=$(echo '${{ steps.version-bump.outputs.newTag }}' | sed 's/v//')" >> "$GITHUB_OUTPUT"
- name: Build frodo-cli
run: |
npm run build
- name: Lint
run: npm run lint
- name: Type Check
run: npx tsc
- name: Security Audit
run: npm audit --audit-level high
- uses: actions/upload-artifact@v4
with:
name: build
path: |
package.json
package-lock.json
dist
outputs:
newTag: ${{ steps.version-bump.outputs.newTag }}
newVersion: ${{ steps.version-from-tag.outputs.version }}
preRelease: ${{ contains(steps.version-bump.outputs.newTag, '-') }}
test:
name: 'Test'
needs: build
# You must use a Linux environment when using service containers or container jobs
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [22, 20, 18]
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
# Service containers to run with `test`
services:
# Label used to access the service container
squid:
image: ubuntu/squid
ports:
# Maps tcp port 3128 on the host to the same port in the service container
- 3128:3128
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
# Need to specify ref and repository for PRs from forked repos
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/
node-version: ${{ matrix.node-version }}
cache: 'npm'
- uses: actions/download-artifact@v4
with:
name: build
- name: Install dependencies
run: npm ci
- name: Install frodo-cli globally
run: npm i -g
- name: CLI Tests
env:
FRODO_MASTER_KEY: ${{ secrets.FRODO_MASTER_KEY }}
run: npm test
- name: Version Test
run: frodo -v
- name: Direct Tests
# don't run this test on PRs -> secrets are not available as workflow runs in the context of the external repo
if: github.event_name != 'pull_request'
env:
FIDC_TENANT_URL: ${{ vars.FIDC_TENANT_URL }}
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }}
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }}
run: |
frodo conn save "$FIDC_TENANT_URL" --no-log-api
frodo info "$FIDC_TENANT_URL"
- name: Proxy Tests
# don't run this test on PRs -> secrets are not available as workflow runs in the context of the external repo
if: github.event_name != 'pull_request'
env:
HTTPS_PROXY: 'http://127.0.0.1:3128'
FIDC_TENANT_URL: ${{ vars.FIDC_TENANT_URL }}
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }}
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }}
run: |
frodo conn save "$FIDC_TENANT_URL" --no-log-api
frodo info "$FIDC_TENANT_URL"
release:
if: github.event_name != 'pull_request'
needs: [build, linux-binary-release, linux-arm64-binary-release, macos-binary-release, npm-release, windows-binary-release]
name: 'Release'
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: actions/download-artifact@v4
with:
name: build
- name: Download MacOS Binary Release
uses: actions/download-artifact@v4
with:
name: macos-binary-release
- name: Download Linux Binary Release
uses: actions/download-artifact@v4
with:
name: linux-binary-release
- name: Download Linux Arm64 Binary Release
uses: actions/download-artifact@v4
with:
name: linux-arm64-binary-release
- name: Download Windows Binary Release
uses: actions/download-artifact@v4
with:
name: windows-binary-release
- name: 'Github SHA'
id: github-sha
run: echo ${{ github.sha }} > Release.txt
- name: Update Changelog
uses: thomaseizinger/keep-a-changelog-new-release@v3
with:
tag: ${{ needs.build.outputs.newTag }}
- name: 'Output Changelog'
run: cat CHANGELOG.md
- name: 'Release Header'
id: release-header
run: echo "header=$(echo `grep '## \\[${{ needs.build.outputs.newVersion }}] -' CHANGELOG.md | sed 's/## //' | sed 's/\\[//' | sed 's/]//'`)" >> "$GITHUB_OUTPUT"
- name: 'Extract Release Notes'
id: extract-release-notes
uses: 'dahlia/submark@main'
with:
input-file: 'CHANGELOG.md'
heading-level: 2
heading-title-text: '${{ steps.release-header.outputs.header }}'
ignore-case: true
omit-heading: true
- name: Commit updated changelog and version
id: commit-changelog
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
git add CHANGELOG.md package.json package-lock.json
git commit --message "Updated changelog and version for release ${{ needs.build.outputs.newTag }}"
git push
- name: Release
uses: softprops/action-gh-release@v2
with:
name: Frodo CLI ${{ needs.build.outputs.newVersion }}
tag_name: ${{ needs.build.outputs.newTag }}
body: ${{ steps.extract-release-notes.outputs.output-text }}
prerelease: ${{ needs.build.outputs.preRelease }}
generate_release_notes: ${{ contains(needs.build.outputs.newTag, '-') }}
files: |
CHANGELOG.md
LICENSE
Release.txt
frodo-linux-${{ needs.build.outputs.newVersion }}.zip
frodo-macos-${{ needs.build.outputs.newVersion }}.zip
frodo-win-${{ needs.build.outputs.newVersion }}.zip
frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip
token: ${{ secrets.GITHUB_TOKEN }}
npm-release:
if: github.event_name != 'pull_request'
# npm-release only needs the build job but since it is inconvenient to unpublish an npm we want this job to run last
needs: [build, linux-binary-release, linux-arm64-binary-release, macos-binary-release, windows-binary-release]
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- uses: actions/download-artifact@v4
with:
name: build
- name: Install dependencies
run: npm ci
- name: Pre-Release
if: ${{ fromJSON(needs.build.outputs.preRelease) }}
uses: JS-DevTools/npm-publish@v3
with:
access: public
tag: 'next'
token: ${{ secrets.NPM_ACCESS_TOKEN }}
- name: Release
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }}
uses: JS-DevTools/npm-publish@v3
with:
access: public
token: ${{ secrets.NPM_ACCESS_TOKEN }}
- name: Add next tag
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }}
run: |
echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_ACCESS_TOKEN }}" >> ~/.npmrc
npm whoami
npm dist-tag add @rockcarver/frodo-cli@${{ needs.build.outputs.newVersion }} next
homebrew-formula-update:
if: github.event_name != 'pull_request'
name: Bump Homebrew formula
needs: [release, build, npm-release]
runs-on: ubuntu-latest
steps:
- uses: mislav/bump-homebrew-formula-action@v3
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }}
with:
formula-name: frodo-cli
formula-path: Formula/frodo-cli.rb
homebrew-tap: rockcarver/homebrew-frodo-cli
push-to: rockcarver/homebrew-frodo-cli
tag-name: ${{ needs.build.outputs.newTag }}
download-url: https://github.com/rockcarver/frodo-cli.git
env:
COMMITTER_TOKEN: ${{ secrets.PAT_HOMEBREW_FORMULA_REPO }}
- uses: mislav/bump-homebrew-formula-action@v3
# if: ${{ fromJSON(needs.build.outputs.preRelease) }}
with:
formula-name: frodo-cli-next
formula-path: Formula/frodo-cli-next.rb
homebrew-tap: rockcarver/homebrew-frodo-cli
push-to: rockcarver/homebrew-frodo-cli
tag-name: ${{ needs.build.outputs.newTag }}
download-url: https://github.com/rockcarver/frodo-cli.git
env:
COMMITTER_TOKEN: ${{ secrets.PAT_HOMEBREW_FORMULA_REPO }}
macos-binary-release:
# don't run on PRs, since secrets are not available
if: github.event_name != 'pull_request'
needs: [build, test]
runs-on: macos-latest
timeout-minutes: 15
steps:
- name: Install the Apple certificate
env:
DEVELOPMENT_CERTIFICATE_DATA: ${{ secrets.DEVELOPMENT_CERTIFICATE_DATA }}
DEVELOPMENT_CERTIFICATE_PASSPHRASE: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSPHRASE }}
INTERMEDIATE_CERTIFICATE_DATA: ${{ secrets.INTERMEDIATE_CERTIFICATE_DATA }}
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }}
run: |
# create variables
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12
INTERMEDIATE_CERTIFICATE_PATH=$RUNNER_TEMP/intermediate_certificate.p12
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db
# import certificates from secrets
echo -n "$DEVELOPMENT_CERTIFICATE_DATA" | base64 --decode --output $CERTIFICATE_PATH
echo -n "$INTERMEDIATE_CERTIFICATE_DATA" | base64 --decode --output $INTERMEDIATE_CERTIFICATE_PATH
# create temporary keychain
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH
# import certificate to keychain
security import $CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
#security import $INTERMEDIATE_CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
security list-keychain -d user -s $KEYCHAIN_PATH
- uses: actions/download-artifact@v4
with:
name: build
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run dist-pkg
- name: Sign distribution binary
run: |
cat > entitlements.plist <<DELIM
<dict>
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
DELIM
codesign -f -s 'Developer ID Application' --options runtime --entitlements entitlements.plist --timestamp --deep frodo
#
# Fail early on failing tests.
#
- name: 'Test'
run: |
./frodo -v
./frodo journey -h
./frodo journey export -h
- name: Create zip file
run: ditto -c -k frodo frodo-macos-${{ needs.build.outputs.newVersion }}.zip
- name: Notorize
run: xcrun notarytool submit --apple-id ${{ secrets.AC_USERNAME }} --password ${{ secrets.AC_PASSWORD }} --team-id ${{ secrets.AC_TEAM_ID }} --wait frodo-macos-${{ needs.build.outputs.newVersion }}.zip
- uses: actions/upload-artifact@v4
with:
name: macos-binary-release
path: frodo-macos-${{ needs.build.outputs.newVersion }}.zip
linux-binary-release:
# run on PRs for e2e testing binary builds as linux builds do not require secrets.
needs: [build, test]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@v4
with:
name: build
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run dist-pkg
#
# Fail early on failing tests.
#
- name: 'Test'
run: |
./frodo -v
./frodo journey -h
./frodo journey export -h
- name: Archive distribution binary
run: zip -Z bzip2 frodo-linux-${{ needs.build.outputs.newVersion }}.zip frodo
- uses: actions/upload-artifact@v4
with:
name: linux-binary-release
path: frodo-linux-${{ needs.build.outputs.newVersion }}.zip
linux-arm64-binary-release:
# don't run on PRs to speed up the checks
if: github.event_name != 'pull_request'
needs: [build, test]
runs-on: [self-hosted, ARM64]
steps:
- uses: actions/download-artifact@v4
with:
name: build
- uses: actions/setup-node@v4
with:
# runner currently only supports 16 due to GLIBC_2.28 dependency in node 18
node-version: 16
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run dist-pkg
#
# Fail early on failing tests.
#
- name: 'Test'
run: |
./frodo -v
./frodo journey -h
./frodo journey export -h
- name: Archive distribution binary
run: zip -Z bzip2 frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip frodo
- uses: actions/upload-artifact@v4
with:
name: linux-arm64-binary-release
path: frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip
windows-binary-release:
# don't run on PRs to speed up the checks
if: github.event_name != 'pull_request'
needs: [build, test]
runs-on: windows-latest
steps:
- uses: actions/download-artifact@v4
with:
name: build
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_VERSION }}
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build
run: npm run dist-pkg
#
# Fail early on failing tests.
#
- name: 'Test'
run: |
./frodo.exe -v
./frodo.exe journey -h
./frodo.exe journey export -h
- name: Archive distribution binary
run: 7z a -tzip frodo-win-${{ needs.build.outputs.newVersion }}.zip frodo.exe
- uses: actions/upload-artifact@v4
with:
name: windows-binary-release
path: frodo-win-${{ needs.build.outputs.newVersion }}.zip