
Production Release v2.0.3 (pushed by eduardoRoth) #100


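# Release pipeline triggered by pushing a `v*` tag: checks the tag against the
# package version, runs the test suites, then publishes tarballs, the npm
# package and container images.
name: Manual Release
run-name: Production Release ${{ github.ref_name }} (pushed by ${{ github.actor }})

env:
  IMAGE_NAME: ghcr.io/herodevs/eol-scan

on:
  push:
    tags:
      - 'v*'

# Workflow-wide default for GITHUB_TOKEN. A job that declares its own
# `permissions:` replaces this default; scopes it does not list become none.
permissions:
  contents: read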
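jobs:
  # Gate for the whole release: the pushed tag must equal the package version.
  # Also derives the oclif/npm channel from the version's pre-release suffix.
  check-version:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: '.nvmrc'
      - uses: ./.github/actions/verify-version
        id: verify-version
      - name: Verify tag matches version
        # The version reaches the shell through `env` instead of being
        # expanded into the script text, so its content is never parsed as
        # shell syntax.
        env:
          VERSION: ${{ steps.verify-version.outputs.version }}
        run: |
          TAG_VERSION=${GITHUB_REF#refs/tags/v}
          if [ "$VERSION" != "$TAG_VERSION" ]; then
            echo "Error: Package version ($VERSION) does not match tag version ($TAG_VERSION)"
            exit 1
          fi
      - name: Determine Oclif channel
        id: determine-oclif-channel
        env:
          VERSION: ${{ steps.verify-version.outputs.version }}
        run: |
          if [[ "$VERSION" == *"-beta"* ]]; then
            echo "oclif_channel=beta" >> "$GITHUB_OUTPUT"
          elif [[ "$VERSION" == *"-alpha"* ]]; then
            echo "oclif_channel=alpha" >> "$GITHUB_OUTPUT"
          elif [[ "$VERSION" == *"-next"* ]]; then
            echo "oclif_channel=next" >> "$GITHUB_OUTPUT"
          else
            echo "oclif_channel=latest" >> "$GITHUB_OUTPUT"
          fi
    outputs:
      version: ${{ steps.verify-version.outputs.version }}
      oclif_channel: ${{ steps.determine-oclif-channel.outputs.oclif_channel }}

  # Unit and end-to-end tests; every publishing job depends on this one.
  test:
    runs-on: ubuntu-latest
    needs: check-version
    # NOTE(review): job-level env exposes these secrets to every step,
    # including `npm ci` and the build; scope them to the test steps if only
    # those read them.
    env:
      GRAPHQL_HOST: ${{ secrets.GRAPHQL_HOST }}
      EOL_REPORT_URL: ${{ secrets.EOL_REPORT_URL }}
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: '.nvmrc'
      - run: npm ci
      - run: npm run build
      - run: npm test
      - run: npm run test:e2e

  # Packs platform tarballs, attaches them to a draft GitHub release, then
  # uploads and promotes them to S3 under an OIDC-assumed AWS role.
  upload-assets:
    runs-on: ubuntu-latest
    needs: [check-version, test]
    permissions:
      contents: write  # create the draft release
      id-token: write  # OIDC token for the AWS role assumption
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: '.nvmrc'
          registry-url: 'https://registry.npmjs.org'
      # Build
      - run: npm ci
      - run: npm run build
      # Build platform-specific tarballs
      - name: Install linux toolchain
        run: |
          sudo apt update
          sudo apt install nsis p7zip-full p7zip-rar -y
      - name: Build all tarballs in parallel
        run: |
          npx oclif pack tarballs --targets=linux-x64,win32-x64,darwin-arm64 --no-xz --parallel
      # Create GitHub Release (draft - will be published manually from GitHub UI or CLI)
      - name: Create GitHub Release
        # Version, title label and prerelease flag are evaluated here and
        # passed as environment variables; the script only reads quoted
        # variables.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_VERSION: ${{ needs.check-version.outputs.version }}
          RELEASE_LABEL: ${{ needs.check-version.outputs.oclif_channel == 'latest' && 'Latest' || needs.check-version.outputs.oclif_channel }}
          IS_PRERELEASE: ${{ needs.check-version.outputs.oclif_channel != 'latest' }}
        run: |
          gh release create "v$RELEASE_VERSION" \
            --title "Release v$RELEASE_VERSION $RELEASE_LABEL" \
            --generate-notes \
            --draft \
            --prerelease="$IS_PRERELEASE" \
            dist/*.tar.gz
      # S3 Distribution
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v5
        with:
          role-to-assume: ${{ vars.aws_oidc_role_arn }}
          role-session-name: herodevs_cli_upload
          aws-region: ${{ vars.AWS_REGION }}
      - name: Upload and promote to S3
        env:
          RELEASE_CHANNEL: ${{ needs.check-version.outputs.oclif_channel }}
          RELEASE_VERSION: ${{ needs.check-version.outputs.version }}
        run: |
          # Enable oclif debug logging
          export DEBUG=oclif:*
          # Upload tarballs
          npx oclif upload tarballs \
            --targets=linux-x64,win32-x64,darwin-arm64 \
            --no-xz
          # Get shortened SHA (first 7 characters)
          SHORT_SHA=$(echo "$GITHUB_SHA" | cut -c1-7)
          echo "Using shortened SHA: $SHORT_SHA"
          # Promote to channel
          npx oclif promote \
            --channel="$RELEASE_CHANNEL" \
            --version="$RELEASE_VERSION" \
            --sha="$SHORT_SHA" \
            --indexes \
            --targets=linux-x64,win32-x64,darwin-arm64 \
            --ignore-missing

  # Publishes the package to npm using OIDC (no long-lived npm token in this
  # job).
  npm-publish:
    runs-on: ubuntu-latest
    needs: [check-version, test, upload-assets]
    permissions:
      id-token: write  # Required for OIDC
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version-file: '.nvmrc'
          registry-url: 'https://registry.npmjs.org'
      # Clean build for npm publishing
      - run: npm ci
      - run: npm run build
      # Dry run NPM publish
      # --provenance no longer needed as OIDC uses that by default
      - name: Dry run NPM publish
        env:
          RELEASE_CHANNEL: ${{ needs.check-version.outputs.oclif_channel }}
        run: npm publish --tag "$RELEASE_CHANNEL" --access public --dry-run
      # NPM Release
      # --provenance no longer needed as OIDC uses that by default
      - name: Create NPM release
        env:
          RELEASE_CHANNEL: ${{ needs.check-version.outputs.oclif_channel }}
        run: npm publish --tag "$RELEASE_CHANNEL" --access public

  # Builds the multi-arch container image and pushes it to ghcr.io.
  publish-images:
    name: Publish Images
    # check-version is a direct dependency because the `needs` context only
    # exposes outputs of jobs listed here; with npm-publish alone, the VERSION
    # build-arg below would expand to an empty string.
    needs: [check-version, npm-publish]
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - uses: actions/checkout@v6
      # NOTE(review): third-party action referenced by a mutable branch in a
      # job that holds `packages: write`; pin it to a reviewed full commit SHA.
      - uses: jlumbroso/free-disk-space@main
        with:
          tool-cache: true
          large-packages: true
          haskell: false
          docker-images: false
          swap-storage: false
      - name: Set up Node
        uses: actions/setup-node@v6.1.0
        with:
          node-version-file: '.nvmrc'
      - name: Parse tag
        # The runner-provided GITHUB_REF_NAME variable is read by the shell, so
        # the tag name is never expanded into the script text.
        run: echo "VERSION=$GITHUB_REF_NAME" >> "$GITHUB_ENV"
      - uses: docker/metadata-action@v5
        id: meta
        with:
          images: |
            name=${{ env.IMAGE_NAME }}
          # NOTE(review): `latest` is applied on every tag build, including
          # -alpha/-beta/-next versions; confirm that is intended.
          tags: |
            type=sha,format=long
            type=raw,value=latest
            type=raw,value=${{ env.VERSION }}
      - uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v6
        with:
          context: .
          file: ./ci/image.Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            VERSION=${{ needs.check-version.outputs.version }}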