Release security patch release #12
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Release security patch release | |
on: | |
workflow_dispatch: { } | |
schedule: | |
- cron: "0 4 */2 * *" | |
jobs: | |
release-security-patch-release: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: '0' # required by anothrNick/github-tag-action | |
- name: Download latest Linux release | |
uses: robinraju/release-downloader@v1 | |
with: | |
repository: ${{ github.repository }} | |
latest: true | |
fileName: '*_linux_amd64' | |
out-file-path: 'latest-release' # auto-creates the folder | |
- name: Scan Linux release for vulnerabilities | |
id: scan_latest_release | |
uses: anchore/scan-action@v4 | |
with: | |
path: "latest-release" | |
fail-build: true | |
severity-cutoff: negligible | |
output-format: table | |
continue-on-error: true | |
# If we found vulnerabilities, create a build for the default branch, where the vulnerabilities might be fixed | |
- name: Set up Go | |
uses: actions/setup-go@v5 | |
with: | |
# renovate: datasource=golang-version depName=go versioning=semver | |
go-version: "1.22.6" | |
if: steps.scan_latest_release.outcome == 'failure' | |
- name: Verify dependencies | |
run: go mod verify | |
if: steps.scan_latest_release.outcome == 'failure' | |
- name: Build | |
run: mkdir latest-build && go build -o latest-build/directory-checksum main.go | |
if: steps.scan_latest_release.outcome == 'failure' | |
- name: Scan built Linux binary for vulnerabilities | |
id: scan_latest_build | |
uses: anchore/scan-action@v4 | |
with: | |
path: "latest-build" | |
fail-build: true | |
severity-cutoff: negligible | |
output-format: table | |
continue-on-error: true | |
if: steps.scan_latest_release.outcome == 'failure' | |
# If the latest build has no vulnerabilities anymore, it makes sense to create a new patch-release automatically | |
- name: Bump version and push tag | |
if: steps.scan_latest_build.outcome == 'success' | |
uses: anothrNick/github-tag-action@1.70.0 | |
env: | |
# Note: we use a custom PAT, because secrets.GITHUB_TOKEN has a limitation that tags pushed with it | |
# will NOT trigger workflows that are configured for "on -> push -> tags") | |
GITHUB_TOKEN: ${{ secrets.GH_PAT }} | |
WITH_V: true | |
DEFAULT_BUMP: "patch" | |
FORCE_WITHOUT_CHANGES: true |