ci(release): fix tag variable #642

Workflow file for this run

	---
	name: "Commit"

	on:
	push:
	branches:
	- main
	pull_request:
	branches:
	- main

	env:
	python_version: "3.10"

	jobs:
	lint:
	name: Lint
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	- uses: seisollc/goat@main
	with:
	exclude: (.tests/(ansible\|terraform\|cloudformation)/.\|.*build/Dockerfile\.j2$)
	disable_mypy: true
	generate-matrixes:
	name: Generate matrixes for future use in pipelines
	runs-on: ubuntu-22.04
	outputs:
	image-matrix: ${{ steps.set-image-outputs.outputs.image-matrix }}
	test-matrix: ${{ steps.set-testing-outputs.outputs.test-matrix }}
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	- uses: actions/setup-python@v4
	with:
	python-version: ${{ env.python_version }}
	- uses: actions/cache@v3
	with:
	path: ~/.local/share/virtualenvs
	key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
	- name: Install the dependencies
	run: \|
	python -m pip install --upgrade pipenv
	pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
	- name: Gather the image matrix
	id: set-image-outputs
	run: \|
	pipenv run python -c \
	'from easy_infra import utils; \
	print(utils.get_github_actions_matrix())' >> "${GITHUB_OUTPUT}"
	- name: Gather the testing matrix
	id: set-testing-outputs
	run: \|
	pipenv run python -c \
	'from easy_infra import utils; \
	print(utils.get_github_actions_matrix(testing=True))' >> "${GITHUB_OUTPUT}"
	test:
	name: Test
	needs: [generate-matrixes]
	if: github.event_name == 'pull_request'
	runs-on: ubuntu-22.04
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON(needs.generate-matrixes.outputs.test-matrix) }}
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	- uses: actions/setup-python@v4
	with:
	python-version: ${{ env.python_version }}
	- uses: actions/cache@v3
	with:
	path: ~/.local/share/virtualenvs
	key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
	- name: Install the dependencies
	run: \|
	python -m pip install --upgrade pipenv
	pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
	mkdir "${RUNNER_TEMP}/bin"
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sh -s -- -b "${RUNNER_TEMP}/bin"
	chmod +x "${RUNNER_TEMP}/bin/syft"
	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sh -s -- -b "${RUNNER_TEMP}/bin"
	chmod +x "${RUNNER_TEMP}/bin/grype"
	echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
	- name: Build the image
	run: pipenv run invoke build --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Generate the SBOM
	run: pipenv run invoke sbom --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Upload the SBOM
	uses: actions/upload-artifact@v3
	with:
	name: SBOM_${{ matrix.tool }}_${{ matrix.environment }}
	path: sbom.*.json
	if-no-files-found: error
	- name: Generate Vuln scan results
	run: pipenv run invoke vulnscan --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Upload Vuln scan result
	uses: actions/upload-artifact@v3
	with:
	name: Vulns_${{ matrix.tool }}_${{ matrix.environment }}
	path: vulns.*.json
	if-no-files-found: error
	- name: Run tests
	run: \|
	find tests -mindepth 1 -type d -exec chmod o+w {} \;
	pipenv run invoke test --tool=${{ matrix.tool }} --environment=${{ matrix.environment }} --user=${{ matrix.user }} --debug
	bump-version:
	name: Bump version
	needs: [lint]
	if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
	permissions:
	contents: write
	runs-on: ubuntu-22.04
	outputs:
	git_tag: ${{ steps.bump-version.outputs.git_tag }}
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	with:
	token: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
	fetch-depth: 0
	- uses: actions/setup-python@v4
	with:
	python-version: ${{ env.python_version }}
	- uses: actions/cache@v3
	with:
	path: ~/.local/share/virtualenvs
	key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
	- name: Install the dependencies
	run: \|
	python -m pip install --upgrade pipenv
	pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
	- name: Bump the version
	id: bump-version
	run: \|
	git config --global user.name 'Seiso Automation'
	git config --global user.email '[email protected]'
	pipenv run invoke release
	GIT_TAG="$(git describe --tags)"
	BRANCH="$(git branch --show-current)"
	git push --atomic origin "${BRANCH}" "${GIT_TAG}"
	echo "git_tag=${GIT_TAG}" >> "${GITHUB_OUTPUT}"
	distribute:
	name: Distribute
	needs: [generate-matrixes, bump-version]
	strategy:
	fail-fast: false
	matrix: ${{ fromJSON(needs.generate-matrixes.outputs.image-matrix) }}
	if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
	environment: "${{ needs.bump-version.outputs.git_tag }}"
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	with:
	fetch-depth: 0
	ref: "${{ needs.bump-version.outputs.git_tag }}"
	- uses: actions/setup-python@v4
	with:
	python-version: ${{ env.python_version }}
	- uses: actions/cache@v3
	with:
	path: ~/.local/share/virtualenvs
	key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
	- name: Install the dependencies
	run: \|
	python -m pip install --upgrade pipenv
	pipenv install --python ${{ env.python_version }} --deploy --ignore-pipfile --dev
	mkdir "${RUNNER_TEMP}/bin"
	curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh \| sh -s -- -b "${RUNNER_TEMP}/bin"
	chmod +x "${RUNNER_TEMP}/bin/syft"
	curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh \| sh -s -- -b "${RUNNER_TEMP}/bin"
	chmod +x "${RUNNER_TEMP}/bin/grype"
	echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
	- name: Build the image
	run: pipenv run invoke build --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Generate the SBOM
	run: pipenv run invoke sbom --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Upload the SBOM
	uses: actions/upload-artifact@v3
	with:
	name: SBOM_${{ matrix.tool }}_${{ matrix.environment }}
	path: sbom.*.json
	if-no-files-found: error
	- name: Generate Vuln scan results
	run: pipenv run invoke vulnscan --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Upload Vuln scan result
	uses: actions/upload-artifact@v3
	with:
	name: Vulns_${{ matrix.tool }}_${{ matrix.environment }}
	path: vulns.*.json
	if-no-files-found: error
	- name: Run tests
	run: \|
	find tests -mindepth 1 -type d -exec chmod o+w {} \;
	# We only test with the easy_infra user here; all supported users are tested via the PR workflow
	pipenv run invoke test --tool=${{ matrix.tool }} --environment=${{ matrix.environment }} --user=easy_infra --debug
	- name: Log in to Docker Hub
	uses: docker/login-action@v2
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	- name: Publish the image to Docker Hub
	run: pipenv run invoke publish --tool=${{ matrix.tool }} --environment=${{ matrix.environment }}
	- name: Install cosign
	uses: sigstore/cosign-installer@main
	- name: Sign the image
	run: \|
	image_and_versioned_tag=$(pipenv run python -c \
	"from easy_infra.utils import get_image_and_tag; \
	print(get_image_and_tag(tool='${TOOL}', environment='${ENVIRONMENT}'))")
	versioned_tag="${image_and_versioned_tag#*:}"
	# Requires that the image is available in the local daemon and was pushed to the remote repo
	image_and_digest=$(docker inspect --format='{{index .RepoDigests 0}}' \
	"${image_and_versioned_tag}" )
	echo -n "${COSIGN_PASSWORD}" \|
	cosign sign --yes --key cosign.key \
	-a git_sha="${GITHUB_SHA}" \
	-a tag="${versioned_tag}" \
	"${image_and_digest}"
	env:
	COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	TOOL: ${{ matrix.tool }}
	ENVIRONMENT: ${{ matrix.environment }}
	finalize-the-release:
	name: Finalize the release
	needs: [bump-version, distribute]
	if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
	runs-on: ubuntu-22.04
	steps:
	- name: Checkout the repository
	uses: actions/checkout@v3
	with:
	fetch-depth: 0
	ref: "${{ needs.bump-version.outputs.git_tag }}"
	- name: Download the SBOMs and Vuln scan results
	uses: actions/download-artifact@v3
	with:
	path: ${{ runner.temp }}
	- name: Publish the release to GitHub
	uses: softprops/action-gh-release@v1
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
	with:
	name: ${{ needs.bump-version.outputs.git_tag }}
	tag_name: ${{ needs.bump-version.outputs.git_tag }}
	generate_release_notes: true
	files: \|
	Vulns_/vulns..json
	SBOM_/sbom..json
	fail_on_unmatched_files: true
	draft: false
	prerelease: false
	- name: Publish the release README to Docker Hub
	uses: peter-evans/dockerhub-description@v3
	with:
	username: ${{ secrets.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}
	repository: seiso/easy_infra

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci(release): fix tag variable #642

Workflow file

ci(release): fix tag variable #642

Jobs

Run details

Workflow file for this run