generated from bitwarden/template
-
Notifications
You must be signed in to change notification settings - Fork 1
143 lines (120 loc) · 4.39 KB
/
cd.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
name: CD
on:
push:
branches:
- main
paths:
- "src/**"
workflow_dispatch:
jobs:
version-type:
name: Get version type
if: github.actor != 'bitwarden-devops-bot'
uses: ./.github/workflows/_version_type.yml
version-bump:
name: Version bump
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-22.04
needs: version-type
outputs:
version: ${{ steps.get-version.outputs.version }}
steps:
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve secrets
id: retrieve-secrets
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "github-gpg-private-key,
github-gpg-private-key-passphrase,
github-pat-bitwarden-devops-bot-repo-scope"
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version-file: ".python-version"
- name: Install hatch
run: pip install hatch
- name: Get current version
run: echo "OLD_VERSION=$(hatch version)" >> $GITHUB_ENV
- name: Bump version
run: hatch version ${{ needs.version-type.outputs.version_bump_type }}
- name: Get bumped version
id: get-version
run: |
VERSION=$(hatch version)
echo "version=$VERSION" >> $GITHUB_OUTPUT
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@cb9bde2e2525e640591a934b1fd28eef1dcaf5e5 # v6.2.0
with:
gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
git_user_signingkey: true
git_commit_gpgsign: true
- name: Setup git
run: |
git config --local user.email "106330231+bitwarden-devops-bot@users.noreply.github.com"
git config --local user.name "bitwarden-devops-bot"
- name: Commit version bump
env:
OLD_VERSION: ${{ env.OLD_VERSION }}
VERSION: ${{ steps.get-version.outputs.version }}
run: |
git commit -am "Bump version from $OLD_VERSION to $VERSION"
git tag v$VERSION
git push
git push --tags
release:
name: GitHub release
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-22.04
needs: version-bump
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create GitHub release
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0
with:
commit: ${{ github.sha }}
tag: v${{ needs.version-bump.outputs.version }}
name: v${{ needs.version-bump.outputs.version }}
token: ${{ secrets.GITHUB_TOKEN }}
draft: false
deploy:
name: Deploy workflow-linter (v2)
if: github.actor != 'bitwarden-devops-bot'
runs-on: ubuntu-22.04
needs: version-bump
steps:
- name: Check out repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up Python
uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
with:
python-version-file: ".python-version"
- name: Install hatch
run: pip install hatch
- name: Login to Azure - CI Subscription
uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0
with:
creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}
- name: Retrieve pypi api token
id: retrieve-secret
uses: bitwarden/gh-actions/get-keyvault-secrets@main
with:
keyvault: "bitwarden-ci"
secrets: "pypi-api-token"
- name: Build
run: hatch build
- name: Publish
env:
HATCH_INDEX_USER: __token__
HATCH_INDEX_AUTH: ${{ steps.retrieve-secret.outputs.pypi-api-token }}
run: hatch publish