Merge pull request #370 from vscheuber/main #322
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Frodo CLI Release Pipeline' | |
on: | |
pull_request: | |
branches: | |
- 'main' | |
paths-ignore: | |
- '**/README.md' | |
- '**/CODE_OF_CONDUCT.md' | |
- 'docs/**' | |
push: | |
branches: | |
- 'main' | |
paths-ignore: | |
- '**/pipeline.yml' | |
- '**/README.md' | |
- '**/CODE_OF_CONDUCT.md' | |
- 'docs/**' | |
workflow_dispatch: | |
env: | |
NODE_VERSION: 18 | |
jobs: | |
build: | |
name: 'Build' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
with: | |
# Need to specify ref and repository for PRs from forked repos | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: 'npm' | |
- name: Install dependencies | |
run: npm ci | |
- name: 'Prepare Version Bump' | |
id: version-bump | |
uses: 'phips28/gh-action-bump-version@master' | |
with: | |
major-wording: 'NO MAJOR RELEASES IN THIS BRANCH! Capped at 1.x to avoid version collisions.' | |
minor-wording: 'MINOR RELEASE' | |
patch-wording: 'PATCH RELEASE' | |
rc-wording: '' | |
tag-prefix: 'v' | |
default: prerelease | |
preid: '' | |
bump-policy: 'ignore' | |
skip-commit: 'true' | |
skip-tag: 'true' | |
skip-push: 'true' | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: 'Version From Tag' | |
id: version-from-tag | |
run: echo "version=$(echo '${{ steps.version-bump.outputs.newTag }}' | sed 's/v//')" >> "$GITHUB_OUTPUT" | |
- name: Build frodo-cli esm | |
run: npm run transpile-esm | |
- name: Build frodo-cli cjs | |
run: npm run transpile-cjs | |
- name: Lint | |
run: npm run lint | |
- name: Type Check | |
run: npx tsc | |
- name: Security Audit | |
run: npm audit --omit=dev --audit-level high | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: build | |
path: | | |
package.json | |
package-lock.json | |
esm | |
cjs | |
outputs: | |
newTag: ${{ steps.version-bump.outputs.newTag }} | |
newVersion: ${{ steps.version-from-tag.outputs.version }} | |
preRelease: ${{ contains(steps.version-bump.outputs.newTag, '-') }} | |
smoke-tests: | |
name: 'Smoke Tests' | |
needs: build | |
# You must use a Linux environment when using service containers or container jobs | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
node-version: [20, 18, 16] | |
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/ | |
# Service containers to run with `smoke-tests` | |
services: | |
# Label used to access the service container | |
squid: | |
image: ubuntu/squid | |
ports: | |
# Maps tcp port 3128 on the host to the same port in the service container | |
- 3128:3128 | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
with: | |
# Need to specify ref and repository for PRs from forked repos | |
ref: ${{ github.event.pull_request.head.ref }} | |
repository: ${{ github.event.pull_request.head.repo.full_name }} | |
- name: Use Node.js ${{ matrix.node-version }} | |
uses: actions/setup-node@v3 | |
with: | |
# See supported Node.js release schedule at https://nodejs.org/en/about/releases/ | |
node-version: ${{ matrix.node-version }} | |
cache: 'npm' | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- name: Install dependencies | |
run: npm ci | |
- name: Install frodo-cli globally | |
run: npm i -g | |
- name: CLI Tests | |
env: | |
FRODO_MASTER_KEY: ${{ secrets.FRODO_MASTER_KEY }} | |
run: npm test | |
- name: Version Test | |
run: frodo -v | |
- name: Direct Tests | |
# don't run this test on PRs -> secrets are not available as workflow runs in the context of the external repo | |
if: github.event_name != 'pull_request' | |
env: | |
FIDC_TENANT_URL: ${{ vars.FIDC_TENANT_URL }} | |
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }} | |
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }} | |
run: | | |
frodo conn save "$FIDC_TENANT_URL" --no-log-api | |
frodo info "$FIDC_TENANT_URL" | |
- name: Proxy Tests | |
# don't run this test on PRs -> secrets are not available as workflow runs in the context of the external repo | |
if: github.event_name != 'pull_request' | |
env: | |
HTTPS_PROXY: 'http://127.0.0.1:3128' | |
FIDC_TENANT_URL: ${{ vars.FIDC_TENANT_URL }} | |
FRODO_SA_ID: ${{ vars.FIDC_TENANT_SA_ID }} | |
FRODO_SA_JWK: ${{ secrets.FIDC_TENANT_SA_JWK }} | |
run: | | |
frodo conn save "$FIDC_TENANT_URL" --no-log-api | |
frodo info "$FIDC_TENANT_URL" | |
release: | |
if: github.event_name != 'pull_request' | |
needs: [build, linux-binary-release, linux-arm64-binary-release, macos-binary-release, npm-release, windows-binary-release] | |
name: 'Release' | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- uses: actions/download-artifact@v3 | |
with: | |
name: dist | |
- name: 'Github SHA' | |
id: github-sha | |
run: echo ${{ github.sha }} > Release.txt | |
- name: Update Changelog | |
uses: thomaseizinger/keep-a-changelog-new-release@1.3.0 | |
with: | |
tag: ${{ needs.build.outputs.newTag }} | |
- name: 'Output Changelog' | |
run: cat CHANGELOG.md | |
- name: 'Release Header' | |
id: release-header | |
run: echo "header=$(echo `grep '## \\[${{ needs.build.outputs.newVersion }}] -' CHANGELOG.md | sed 's/## //' | sed 's/\\[//' | sed 's/]//'`)" >> "$GITHUB_OUTPUT" | |
- name: 'Extract Release Notes' | |
id: extract-release-notes | |
uses: 'dahlia/submark@main' | |
with: | |
input-file: 'CHANGELOG.md' | |
heading-level: 2 | |
heading-title-text: '${{ steps.release-header.outputs.header }}' | |
ignore-case: true | |
omit-heading: true | |
- name: Commit updated changelog and version | |
id: commit-changelog | |
run: | | |
git config user.name "github-actions[bot]" | |
git config user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
git add CHANGELOG.md package.json | |
git commit --message "Updated changelog and version for release ${{ needs.build.outputs.newTag }}" | |
git push | |
- name: Release | |
uses: softprops/action-gh-release@v1 | |
with: | |
name: Frodo CLI ${{ needs.build.outputs.newVersion }} | |
tag_name: ${{ needs.build.outputs.newTag }} | |
body: ${{ steps.extract-release-notes.outputs.output-text }} | |
prerelease: ${{ needs.build.outputs.preRelease }} | |
generate_release_notes: ${{ contains(needs.build.outputs.newTag, '-') }} | |
files: | | |
CHANGELOG.md | |
LICENSE | |
Release.txt | |
frodo-linux-${{ needs.build.outputs.newVersion }}.zip | |
frodo-macos-${{ needs.build.outputs.newVersion }}.zip | |
frodo-win-${{ needs.build.outputs.newVersion }}.zip | |
frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip | |
token: ${{ secrets.GITHUB_TOKEN }} | |
npm-release: | |
if: github.event_name != 'pull_request' | |
# npm-release only needs the build job but since it is inconvenient to unpublish an npm we want this job to run last | |
needs: [build, linux-binary-release, linux-arm64-binary-release, macos-binary-release, windows-binary-release] | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v3 | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: 'npm' | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- name: Install dependencies | |
run: npm ci | |
- name: Pre-Release | |
if: ${{ fromJSON(needs.build.outputs.preRelease) }} | |
uses: JS-DevTools/npm-publish@v1 | |
with: | |
access: public | |
tag: 'next' | |
token: ${{ secrets.NPM_ACCESS_TOKEN }} | |
- name: Release | |
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }} | |
uses: JS-DevTools/npm-publish@v1 | |
with: | |
access: public | |
token: ${{ secrets.NPM_ACCESS_TOKEN }} | |
- name: Add next tag | |
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }} | |
run: | | |
export INPUT_TOKEN=${{ secrets.NPM_ACCESS_TOKEN }} | |
npm whoami | |
npm dist-tag add @rockcarver/frodo-cli@${{ needs.build.outputs.newVersion }} next | |
homebrew-formula-update: | |
if: github.event_name != 'pull_request' | |
name: Bump Homebrew formula | |
needs: [release, build, npm-release] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: mislav/bump-homebrew-formula-action@v2 | |
if: ${{ ! fromJSON(needs.build.outputs.preRelease) }} | |
with: | |
formula-name: frodo-cli | |
formula-path: Formula/frodo-cli.rb | |
homebrew-tap: rockcarver/homebrew-frodo-cli | |
push-to: rockcarver/homebrew-frodo-cli | |
tag-name: ${{ needs.build.outputs.newTag }} | |
download-url: https://github.com/rockcarver/frodo-cli.git | |
env: | |
COMMITTER_TOKEN: ${{ secrets.PAT_HOMEBREW_FORMULA_REPO }} | |
- uses: mislav/bump-homebrew-formula-action@v2 | |
if: ${{ fromJSON(needs.build.outputs.preRelease) }} | |
with: | |
formula-name: frodo-cli-next | |
formula-path: Formula/frodo-cli-next.rb | |
homebrew-tap: rockcarver/homebrew-frodo-cli | |
push-to: rockcarver/homebrew-frodo-cli | |
tag-name: ${{ needs.build.outputs.newTag }} | |
download-url: https://github.com/rockcarver/frodo-cli.git | |
env: | |
COMMITTER_TOKEN: ${{ secrets.PAT_HOMEBREW_FORMULA_REPO }} | |
macos-binary-release: | |
# don't run on PRs, since secrets are not available | |
if: github.event_name != 'pull_request' | |
needs: [build, smoke-tests] | |
runs-on: macos-latest | |
timeout-minutes: 15 | |
steps: | |
- name: Install the Apple certificate | |
env: | |
DEVELOPMENT_CERTIFICATE_DATA: ${{ secrets.DEVELOPMENT_CERTIFICATE_DATA }} | |
DEVELOPMENT_CERTIFICATE_PASSPHRASE: ${{ secrets.DEVELOPMENT_CERTIFICATE_PASSPHRASE }} | |
INTERMEDIATE_CERTIFICATE_DATA: ${{ secrets.INTERMEDIATE_CERTIFICATE_DATA }} | |
KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} | |
run: | | |
# create variables | |
CERTIFICATE_PATH=$RUNNER_TEMP/build_certificate.p12 | |
INTERMEDIATE_CERTIFICATE_PATH=$RUNNER_TEMP/intermediate_certificate.p12 | |
KEYCHAIN_PATH=$RUNNER_TEMP/app-signing.keychain-db | |
# import certificates from secrets | |
echo -n "$DEVELOPMENT_CERTIFICATE_DATA" | base64 --decode --output $CERTIFICATE_PATH | |
echo -n "$INTERMEDIATE_CERTIFICATE_DATA" | base64 --decode --output $INTERMEDIATE_CERTIFICATE_PATH | |
# create temporary keychain | |
security create-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
security set-keychain-settings -lut 21600 $KEYCHAIN_PATH | |
security unlock-keychain -p "$KEYCHAIN_PASSWORD" $KEYCHAIN_PATH | |
# import certificate to keychain | |
security import $CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
#security import $INTERMEDIATE_CERTIFICATE_PATH -P "$DEVELOPMENT_CERTIFICATE_PASSPHRASE" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH | |
security list-keychain -d user -s $KEYCHAIN_PATH | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: 'npm' | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npm run dist-pkg | |
- name: Sign distribution binary | |
run: | | |
cat > entitlements.plist <<DELIM | |
<dict> | |
<key>com.apple.security.cs.allow-unsigned-executable-memory</key> | |
<true/> | |
</dict> | |
DELIM | |
codesign -f -s 'Developer ID Application' --options runtime --entitlements entitlements.plist --timestamp --deep frodo | |
# | |
# Fail early on failing tests. | |
# | |
- name: 'Test' | |
run: | | |
./frodo -v | |
./frodo journey -h | |
./frodo journey export -h | |
- name: Create zip file | |
run: ditto -c -k frodo frodo-macos-${{ needs.build.outputs.newVersion }}.zip | |
- name: Notorize | |
run: xcrun notarytool submit --apple-id ${{ secrets.AC_USERNAME }} --password ${{ secrets.AC_PASSWORD }} --team-id ${{ secrets.AC_TEAM_ID }} --wait frodo-macos-${{ needs.build.outputs.newVersion }}.zip | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: dist | |
path: frodo-macos-${{ needs.build.outputs.newVersion }}.zip | |
linux-binary-release: | |
# run on PRs for e2e testing binary builds as linux builds do not require secrets. | |
needs: [build, smoke-tests] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: 'npm' | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npm run dist-pkg | |
# | |
# Fail early on failing tests. | |
# | |
- name: 'Test' | |
run: | | |
./frodo -v | |
./frodo journey -h | |
./frodo journey export -h | |
- name: Archive distribution binary | |
run: zip -Z bzip2 frodo-linux-${{ needs.build.outputs.newVersion }}.zip frodo | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: dist | |
path: frodo-linux-${{ needs.build.outputs.newVersion }}.zip | |
linux-arm64-binary-release: | |
# don't run on PRs to speed up the checks | |
if: github.event_name != 'pull_request' | |
needs: [build, smoke-tests] | |
runs-on: self-hosted | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- uses: actions/setup-node@v3 | |
with: | |
# runner currently only supports 16 due to GLIBC_2.28 dependency in node 18 | |
node-version: 16 | |
cache: 'npm' | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npm run dist-pkg | |
# | |
# Fail early on failing tests. | |
# | |
- name: 'Test' | |
run: | | |
./frodo -v | |
./frodo journey -h | |
./frodo journey export -h | |
- name: Archive distribution binary | |
run: zip -Z bzip2 frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip frodo | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: dist | |
path: frodo-linux-arm64-${{ needs.build.outputs.newVersion }}.zip | |
windows-binary-release: | |
# don't run on PRs to speed up the checks | |
if: github.event_name != 'pull_request' | |
needs: [build, smoke-tests] | |
runs-on: windows-latest | |
steps: | |
- uses: actions/download-artifact@v3 | |
with: | |
name: build | |
- uses: actions/setup-node@v3 | |
with: | |
node-version: ${{ env.NODE_VERSION }} | |
cache: 'npm' | |
- name: Install dependencies | |
run: npm ci | |
- name: Build | |
run: npm run dist-pkg | |
# | |
# Fail early on failing tests. | |
# | |
- name: 'Test' | |
run: | | |
./frodo.exe -v | |
./frodo.exe journey -h | |
./frodo.exe journey export -h | |
- name: Archive distribution binary | |
run: 7z a -tzip frodo-win-${{ needs.build.outputs.newVersion }}.zip frodo.exe | |
- uses: actions/upload-artifact@v3 | |
with: | |
name: dist | |
path: frodo-win-${{ needs.build.outputs.newVersion }}.zip |