v0.3.6-pre-72 #74

Workflow file for this run

.github/workflows/on-prerelease.yml at d08295f

	# SPDX-License-Identifier: Apache-2.0
	# Licensed to the Ed-Fi Alliance under one or more agreements.
	# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
	# See the LICENSE and NOTICES files in the project root for more information.

	name: On Pre-Release
	on:
	release:
	types:
	- prereleased

	env:
	ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
	GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}
	DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
	DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
	REF: ${{ github.ref_name }}
	IMAGE_NAME: ${{ vars.MEADOWLARK_IMAGE_NAME }}
	NPM_REGISTRY: ${{ vars.NPM_REGISTRY }}

	jobs:
	azure-publish:
	name: Publish to Azure Artifacts
	runs-on: ubuntu-latest
	defaults:
	run:
	working-directory: Meadowlark-js
	outputs:
	hash-code: ${{ steps.hash-code.outputs.hash-code }}
	steps:
	- name: Checkout repository
	uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
	with:
	# Need full Git history for calculating the version number
	fetch-depth: 0

	- name: Setup Node
	uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516 # v3.5.1
	with:
	node-version: "18"
	cache: "npm"
	cache-dependency-path: "**/package-lock.json"

	- name: Install dependencies
	if: ${{ steps.modules-cache.outputs.cache-hit != 'true' }}
	run: npm ci

	- name: Update version to match tag
	working-directory: eng/version
	run: \|
	npm ci --omit dev
	node ./set.js ${{ env.REF }}

	- name: Transpile to JS
	run: npm run build --workspaces

	- name: Create packages
	# Explicit step is not required for publishing, but it allows us to upload artifacts
	run: npm pack --workspaces

	- name: Create .npmrc for Azure Artifacts publishing
	run: \|
	echo "Configuring .npmrc for ${{ env.NPM_REGISTRY }}"
	set +x # disable echo to shell so that the base64-encoded API key never escapes into the log.

	# Create the user .npmrc file with proper settings
	API_KEY=`echo -n "${{ env.ARTIFACTS_API_KEY }}" \| base64`
	touch $HOME/.npmrc
	echo "; begin auth token" >> $HOME/.npmrc
	echo ${{ env.NPM_REGISTRY }}:username=ed-fi-alliance >> $HOME/.npmrc
	echo ${{ env.NPM_REGISTRY }}:_password=$API_KEY >> $HOME/.npmrc
	echo ${{ env.NPM_REGISTRY }}:[email protected] >> $HOME/.npmrc
	echo "; end auth token" >> $HOME/.npmrc

	- name: Publish
	run: npm publish --workspaces --tag dev
	# NOTE: there are uncommitted version number changes in package.json. No
	# problem! Our strategy is to rely on the tag history for version numbers,
	# not on package.json.

	- name: Generate hash codes for npm tarballs
	id: hash-code
	shell: bash
	run: \|
	echo "hash-code=$(sha256sum *.tgz \| base64 -w0)" >> $GITHUB_OUTPUT

	- name: Upload packages as artifacts
	if: success()
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: npm
	path: Meadowlark-js/*.tgz
	if-no-files-found: error
	retention-days: 30

	docker-publish:
	name: Publish to Docker Hub
	runs-on: ubuntu-latest
	needs:
	- azure-publish
	steps:
	- name: Wait 20s
	# Give Azure Artifacts caching a moment to catch up
	run: sleep 20

	- name: Prepare Tags
	id: prepare-tags
	run: \|
	BASE="${{ env.IMAGE_NAME }}"

	REF="${{ env.REF }}"
	NPM_VERSION=${REF:1} # strip off the leading 'v'

	if [[ $REF =~ "pre" ]]
	then
	# Pre-releases get the version and the tag "pre"
	TAGS="${{ env.IMAGE_NAME }}:${REF},${{ env.IMAGE_NAME }}:pre"
	else
	# Releases get the version, plus shortened form for minor release.
	# We are not using shortened form for major or using "latest"
	# because they are too imprecise.
	MINOR=`echo ${REF} \| awk -F"." '{print $1"."$2}'`
	TAGS="${{ env.IMAGE_NAME }}:${REF},${{ env.IMAGE_NAME }}:${MINOR}"
	fi

	echo "TAGS=$TAGS" >> $GITHUB_OUTPUT
	echo "NPM_VERSION=$NPM_VERSION" >> $GITHUB_OUTPUT

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0

	- name: Log in to Docker Hub
	uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
	with:
	username: ${{ env.DOCKER_USERNAME }}
	password: ${{ env.DOCKER_HUB_TOKEN }}

	- name: Extract metadata (tags, labels) for Docker
	id: meta
	uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
	with:
	images: ${{ env.IMAGE_NAME }}

	- name: Build and push
	uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
	with:
	context: "{{defaultContext}}:docker"
	cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:pre
	cache-to: type=inline
	build-args: ML_VERSION=${{ steps.prepare-tags.outputs.NPM_VERSION }}
	file: Dockerfile
	tags: ${{ steps.prepare-tags.outputs.TAGS }}
	labels: ${{ steps.meta.outputs.labels }}
	push: true

	sbom-create:
	name: Create SBOM for NPM Packages
	runs-on: ubuntu-latest
	needs: azure-publish
	permissions:
	actions: read
	contents: write
	outputs:
	sbom-hash-code: ${{ steps.sbom-hash-code.outputs.sbom-hash-code }}
	steps:
	- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

	- name: Get Artifacts
	uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a #v3.0.2
	with:
	name: npm

	- name: Generate Software Bill of Materials (SBOM) - API
	shell: pwsh
	run: \|
	$url = "https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64"
	$out = "$($env:RUNNER_TEMP)/sbom-tool"
	Invoke-RestMethod -Uri $url -OutFile $out
	chmod +x $out
	New-Item -Path sbom -Type Directory
	&$out generate `
	-b . `
	-pn "Ed-Fi-Meadowlark" `
	-pv ${{ env.REF }} `
	-nsb https://ed-fi.org `
	-m sbom `
	-ps "Ed-Fi Alliance"
	- name: Upload SBOM
	if: success()
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	with:
	name: meadowlark-SBOM
	path: ./sbom
	if-no-files-found: error
	retention-days: 30

	- name: Store hash code for SBOM
	id: sbom-hash-code
	shell: bash
	run: \|
	echo sbom-hash-code=$(sha256sum ./sbom/_manifest/spdx_2.2/manifest.spdx.json \| awk '{split($0,a); print a[1]}') >> $GITHUB_OUTPUT

	sbom-attach:
	name: Attach SBOM file
	runs-on: ubuntu-latest
	needs:
	- sbom-create
	permissions:
	actions: read
	contents: write
	steps:
	- name: Download the SBOM
	uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@7f4fdb871876c23e455853d694197440c5a91506 #v1.5.0
	with:
	name: meadowlark-SBOM
	path: _manifest/spdx_2.2/manifest.spdx.json
	sha256: "${{ needs.sbom-create.outputs.sbom-hash-code }}"

	- name: Attach to release
	shell: pwsh
	run: \|
	$release = "${{ env.REF }}"
	$repo = "${{ github.repository }}"
	$token = "${{ secrets.GITHUB_TOKEN }}"
	$file = "_manifest/spdx_2.2/manifest.spdx.json"
	$uploadName = "meadowlark-SBOM.zip"
	$url = "https://api.github.com/repos/$repo/releases/tags/$release"
	$gh_headers = @{
	"Accept" = "application/vnd.github+json"
	"Authorization" = "Bearer $token"
	}
	$response = Invoke-RestMethod -Uri $url -Headers $gh_headers
	$releaseId = $response.id
	$url = "https://uploads.github.com/repos/$repo/releases/$releaseId/assets"
	Compress-Archive $file -DestinationPath $uploadName
	$gh_headers["Content-Type"] = "application/octet"
	Invoke-RestMethod -Method POST `
	-Uri "$($url)?name=$($uploadName)" `
	-Headers $gh_headers `
	-InFile $uploadName

	provenance-create:
	name: Create Provenance
	needs: azure-publish
	permissions:
	actions: read
	id-token: write
	contents: write
	uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/[email protected]
	with:
	base64-subjects: ${{ needs.azure-publish.outputs.hash-code }}
	provenance-name: meadowlark.intoto.jsonl
	upload-assets: true

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v0.3.6-pre-72 #74

Workflow file

v0.3.6-pre-72 #74

Jobs

Run details

Workflow file for this run