-
Notifications
You must be signed in to change notification settings - Fork 2
168 lines (143 loc) · 5.96 KB
/
release.yml
File metadata and controls
168 lines (143 loc) · 5.96 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
name: release
on:
workflow_dispatch:
push:
branches:
- main
paths:
- lib/hooks/version.rb
permissions: {}
jobs:
build:
if: github.repository == 'github/hooks'
permissions:
contents: read
runs-on: ubuntu-latest
outputs:
artifact-id: ${{ steps.upload-artifact.outputs.artifact-id }}
gem_name: ${{ steps.build.outputs.gem_name }}
gem_version: ${{ steps.build.outputs.gem_version }}
gem_path: ${{ steps.build.outputs.gem_path }}
artifact_dir: ${{ steps.build.outputs.artifact_dir }}
steps:
- name: checkout
uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # pin@v5.0.1
with:
persist-credentials: false
- uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # pin@v1.268.0
with:
bundler-cache: false
- name: bootstrap
run: script/bootstrap
# IMPORTANT: this step MUST export for the following outputs:
# gem_name: the name of the gem - ex: "my-cool-gem"
# gem_version: the version of the gem - ex: "1.0.0"
# gem_path: the path/filename of the gem - ex: "my-cool-gem-1.0.0.gem"
# artifact_dir: the path to the dir where artifacts are stored - ex: "dist"
- name: build
id: build
run: script/build
- name: upload artifact
uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # pin@v5.0.0
id: upload-artifact
with:
name: ${{ steps.build.outputs.artifact_dir }}
path: ${{ steps.build.outputs.artifact_dir }}
if-no-files-found: error
release:
needs: build
environment: release
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- uses: actions/checkout@c2d88d3ecc89a9ef08eebf45d9637801dcee7eb5 # pin@v5.0.1
with:
persist-credentials: false
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # pin@v6.0.0
with:
artifact-ids: ${{ needs.build.outputs.artifact-id }}
path: ${{ needs.build.outputs.artifact_dir }}
- name: view artifact
env:
ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
run: tree -L 2 -a --dirsfirst -C -F -h -D "${ARTIFACT_PATH}"
- name: Publish to GitHub Packages
env:
OWNER: ${{ github.repository_owner }}
GEM_NAME: ${{ needs.build.outputs.gem_name }}
GEM_VERSION: ${{ needs.build.outputs.gem_version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
run: |
GEM_HOST_API_KEY=${GITHUB_TOKEN} gem push --key github --host https://rubygems.pkg.github.com/${OWNER} $ARTIFACT_PATH/${GEM_NAME}-${GEM_VERSION}.gem
- uses: ruby/setup-ruby@8aeb6ff8030dd539317f8e1769a044873b56ea71 # pin@v1.268.0
with:
bundler-cache: false
- name: bootstrap
run: script/bootstrap
- name: Configure RubyGems Credentials
uses: rubygems/configure-rubygems-credentials@079b868399574998fd0fe9df2e03528f38cc6fa0 # pin@main
- name: sign ruby gem
env:
GEM_NAME: ${{ needs.build.outputs.gem_name }}
GEM_VERSION: ${{ needs.build.outputs.gem_version }}
ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
run: bundle exec sigstore-cli sign ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --bundle ${GEM_NAME}-${GEM_VERSION}.sigstore.json
- name: Publish to RubyGems
env:
GEM_NAME: ${{ needs.build.outputs.gem_name }}
GEM_VERSION: ${{ needs.build.outputs.gem_version }}
ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
run: gem push ${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem --attestation ${GEM_NAME}-${GEM_VERSION}.sigstore.json
- name: await gem
env:
GEM_NAME: ${{ needs.build.outputs.gem_name }}
GEM_VERSION: ${{ needs.build.outputs.gem_version }}
run: bundle exec rubygems-await "${GEM_NAME}:${GEM_VERSION}" --timeout 300
- name: GitHub Release
env:
GEM_NAME: ${{ needs.build.outputs.gem_name }}
GEM_VERSION: ${{ needs.build.outputs.gem_version }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
ARTIFACT_PATH: ${{ needs.build.outputs.artifact_dir }}
run: |
gh release create "v${GEM_VERSION}" \
"${ARTIFACT_PATH}/${GEM_NAME}-${GEM_VERSION}.gem" \
"${GEM_NAME}-${GEM_VERSION}.sigstore.json" \
--title "v${GEM_VERSION}" \
--generate-notes
sign:
needs: [build, release]
runs-on: ubuntu-latest
permissions:
id-token: write
attestations: write
contents: read
steps:
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # pin@v6.0.0
with:
path: ${{ needs.build.outputs.artifact_dir }}
artifact-ids: ${{ needs.build.outputs.artifact-id }}
- name: attest build provenance
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # pin@v3.0.0
with:
subject-path: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}"
verify:
permissions: {}
needs: [build, release, sign]
runs-on: ubuntu-latest
steps:
- uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # pin@v6.0.0
with:
path: ${{ needs.build.outputs.artifact_dir }}
artifact-ids: ${{ needs.build.outputs.artifact-id }}
- name: verify
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OWNER: ${{ github.repository_owner }}
REPO: ${{ github.event.repository.name }}
ARTIFACT_PATH: "${{ needs.build.outputs.artifact_dir }}/${{ needs.build.outputs.gem_path }}"
run: gh attestation verify "$ARTIFACT_PATH" --repo ${OWNER}/${REPO} --signer-workflow ${OWNER}/${REPO}/.github/workflows/release.yml