-
Notifications
You must be signed in to change notification settings - Fork 1
128 lines (111 loc) · 4.01 KB
/
release.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
name: Release version
on:
push:
branches: [main, next]
jobs:
tests:
uses: "./.github/workflows/ci.yml"
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
release:
concurrency:
group: "release-${{ github.workflow }}-${{ github.ref }}"
permissions: write-all
outputs:
VERSION: ${{ steps.get-version.outputs.VERSION }}
PREV_VERSION: ${{ steps.get-prev-version.outputs.VERSION }}
runs-on: ubuntu-latest
steps:
- name: Checkout project
uses: actions/checkout@v4
with:
fetch-depth: 0
persist-credentials: true
- uses: actions/setup-node@v3
with:
node-version: 20
- uses: actions/cache@v3
with:
path: |
**/node_modules
.yarn/install-state.gz
.yarn/cache
key: yarn-${{ hashFiles('**/yarn.lock') }}
restore-keys: yarn-
- name: Install dependencies
run: yarn install
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
platforms: linux/amd64
install: true
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Expose GitHub Runtime
uses: crazy-max/ghaction-github-runtime@v2
- name: Retrieve previous version
id: get-prev-version
run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"
- name: bump and release
run: yarn release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
GITHUB_REF_NAME: ${{ env.GITHUB_REF_NAME }}
- name: Retrieve new version
id: get-version
run: echo "VERSION=$(git describe --tags --abbrev=0 | cut -c2-)" >> "$GITHUB_OUTPUT"
docker-scout:
if: needs.release.outputs.VERSION != needs.release.outputs.PREV_VERSION
concurrency:
group: "scout-${{ github.workflow }}-${{ github.ref }}"
needs: ["release"]
runs-on: ubuntu-latest
steps:
- name: Authenticate to Docker
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USER }}
password: ${{ secrets.DOCKER_PAT }}
- name: Server Docker Scout
uses: docker/scout-action@v1
with:
command: quickview,cves,recommendations,compare
image: ghcr.io/mission-apprentissage/mna_bal_server:${{ needs.release.outputs.VERSION }}
to: ghcr.io/mission-apprentissage/mna_bal_server:${{ needs.release.outputs.PREV_VERSION }}
sarif-file: sarif-server.output.json
- name: Server Docker Upload SARIF result
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif-server.output.json
category: Docker Server
- name: UI Docker Scout
uses: docker/scout-action@v1
with:
command: quickview,cves,recommendations,compare
image: ghcr.io/mission-apprentissage/mna_bal_ui:${{ needs.release.outputs.VERSION }}-production
to: ghcr.io/mission-apprentissage/mna_bal_ui:${{ needs.release.outputs.PREV_VERSION }}-production
sarif-file: sarif-ui.output.json
- name: UI Docker Upload SARIF result
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: sarif-ui.output.json
category: Docker UI
deploy:
concurrency:
group: "deploy-${{ github.workflow }}-${{ github.ref }}"
needs: ["release"]
name: Deploy ${{ needs.release.outputs.VERSION }} on recette
uses: "./.github/workflows/_deploy.yml"
with:
environment: recette
app_version: ${{ needs.release.outputs.VERSION }}
secrets:
DEPLOY_SSH_PRIVATE_KEY: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY }}
DEPLOY_PASS: ${{ secrets.DEPLOY_PASS }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
VAULT_PWD: ${{ secrets.VAULT_PWD }}