Release Jib CLI #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release Jib CLI | |
on: | |
workflow_dispatch: | |
inputs: | |
release_version: | |
description: new release version | |
required: true | |
default: (for example, 0.1.0) | |
jobs: | |
release: | |
name: Release Jib CLI | |
runs-on: ubuntu-latest | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
upload_url: ${{ steps.create-release.outputs.upload_url }} | |
steps: | |
- name: Check out code | |
uses: actions/checkout@v4 | |
- name: Build project | |
run: | | |
if [[ ! "${{ github.event.inputs.release_version }}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then | |
echo 'version "${{ github.event.inputs.release_version }}" not in ###.###.### format' | |
exit 1 | |
fi | |
# TODO: run integration test? (Requries auth with GCP.) | |
./gradlew clean build --stacktrace | |
- name: Run Gradle release | |
run: | | |
git checkout -b cli-release-v${{ github.event.inputs.release_version }} | |
git config user.email ${{ github.actor }}@users.noreply.github.com | |
git config user.name ${{ github.actor }} | |
# This creates the tag (e.g., "v0.1.0-cli") and pushes the updated | |
# branch (e.g., "cli-release-v0.1.0") and the new tag. | |
./gradlew jib-cli:release \ | |
-Prelease.useAutomaticVersion=true \ | |
-Prelease.releaseVersion=${{ github.event.inputs.release_version }} | |
- name: Build Jib CLI release binaries | |
run: | | |
git checkout v${{ github.event.inputs.release_version }}-cli | |
./gradlew jib-cli:instDist --stacktrace | |
cd jib-cli/build/distributions | |
mv jib-${{ github.event.inputs.release_version }}.zip jib-jre-${{ github.event.inputs.release_version }}.zip | |
sha256sum jib-jre-${{ github.event.inputs.release_version }}.zip > zip.sha256 | |
- name: Generate SLSA subject for Jib CLI release binaries | |
id: hash | |
working-directory: jib-cli/build/distributions | |
run: echo "hashes=$(cat zip.sha256 | base64 -w0)" >> $GITHUB_OUTPUT | |
- name: Create pull request | |
uses: repo-sync/[email protected] | |
id: create-pr | |
with: | |
# Use a personal token to file a PR as a non-bot author to trigger other workflows (e.g., unit tests): | |
# https://docs.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token; | |
github_token: ${{ secrets.GA_RELEASE_PR_PERSONAL_TOKEN }} | |
source_branch: cli-release-v${{ github.event.inputs.release_version }} | |
pr_title: "CLI release v${{ github.event.inputs.release_version }}" | |
pr_body: "To be merged after the release is complete." | |
pr_label: "PR: Merge After Release" | |
- name: Draft GitHub release | |
uses: actions/[email protected] | |
id: create-release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
tag_name: v${{ github.event.inputs.release_version }}-cli | |
release_name: jib-cli v${{ github.event.inputs.release_version }} | |
draft: true | |
body: | | |
### Major Changes | |
See [CHANGELOG.md](https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/CHANGELOG.md) for more details. | |
- name: Upload Jib CLI | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create-release.outputs.upload_url }} | |
asset_path: ./jib-cli/build/distributions/jib-jre-${{ github.event.inputs.release_version }}.zip | |
asset_name: jib-jre-${{ github.event.inputs.release_version }}.zip | |
asset_content_type: application/zip | |
- name: Upload Jib CLI checksum | |
uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ steps.create-release.outputs.upload_url }} | |
asset_path: ./jib-cli/build/distributions/zip.sha256 | |
asset_name: jib-jre-${{ github.event.inputs.release_version }}.zip.sha256 | |
asset_content_type: text/plain | |
- name: Create Jib CLI release checklist issue | |
uses: JasonEtco/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
RELEASE_NAME: v${{ github.event.inputs.release_version }}-cli | |
CHANGELOG_URL: https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/CHANGELOG.md | |
README_URL: https://github.com/GoogleContainerTools/jib/blob/master/jib-cli/README.md | |
GCS_UPDATE_SCRIPT: "`./jib-cli/scripts/update_gcs_latest.sh ${{ github.event.inputs.release_version }}`" | |
RELEASE_DRAFT: ${{ steps.create-release.outputs.html_url }} | |
RELEASE_PR: ${{steps.create-pr.outputs.pr_url}} | |
with: | |
filename: .github/RELEASE_TEMPLATES/cli_release_checklist.md | |
provenance: | |
needs: [release] | |
permissions: | |
actions: read # To read the workflow path. | |
id-token: write # To sign the provenance. | |
contents: write # To add assets to a release. | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
base64-subjects: "${{ needs.release.outputs.hashes }}" | |
upload: | |
needs: [release, provenance] | |
permissions: | |
contents: write | |
runs-on: ubuntu-latest | |
steps: | |
- name: Download attestation | |
uses: actions/download-artifact@v3 | |
with: | |
name: "${{ needs.provenance.outputs.attestation-name }}" | |
- uses: actions/[email protected] | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
upload_url: ${{ needs.release.outputs.upload_url }} | |
asset_path: "${{ needs.provenance.outputs.attestation-name }}" | |
asset_name: "${{ needs.provenance.outputs.attestation-name }}" | |
asset_content_type: application/json |