Skip to content

On Pre-Release

On Pre-Release #103

Workflow file for this run

# SPDX-License-Identifier: Apache-2.0
# Licensed to the Ed-Fi Alliance under one or more agreements.
# The Ed-Fi Alliance licenses this file to you under the Apache License, Version 2.0.
# See the LICENSE and NOTICES files in the project root for more information.
name: On Pre-Release
on:
release:
types:
- prereleased
env:
ARTIFACTS_API_KEY: ${{ secrets.AZURE_ARTIFACTS_PERSONAL_ACCESS_TOKEN }}
GITHUB_TOKEN: ${{ secrets.PAT_ATTACH_TO_RELEASE }}
DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }}
DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }}
REF: ${{ github.ref_name }}
IMAGE_NAME: ${{ vars.MEADOWLARK_IMAGE_NAME }}
NPM_REGISTRY: ${{ vars.NPM_REGISTRY }}
jobs:
azure-publish:
name: Publish to Azure Artifacts
runs-on: ubuntu-latest
defaults:
run:
working-directory: Meadowlark-js
outputs:
hash-code: ${{ steps.hash-code.outputs.hash-code }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Setup Node
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
node-version: "18"
cache: "npm"
cache-dependency-path: "**/package-lock.json"
- name: Install dependencies
run: npm ci
- name: Transpile to JS
run: npm run build --workspaces
- name: Create packages
# Explicit step is not required for publishing, but it allows us to upload artifacts
run: npm pack --workspaces
- name: Create .npmrc for Azure Artifacts publishing
run: |
echo "Configuring .npmrc for ${{ env.NPM_REGISTRY }}"
set +x # disable echo to shell so that the base64-encoded API key never escapes into the log.
# Create the user .npmrc file with proper settings
API_KEY=`echo -n "${{ env.ARTIFACTS_API_KEY }}" | base64`
touch $HOME/.npmrc
echo "; begin auth token" >> $HOME/.npmrc
echo ${{ env.NPM_REGISTRY }}:username=ed-fi-alliance >> $HOME/.npmrc
echo ${{ env.NPM_REGISTRY }}:_password=$API_KEY >> $HOME/.npmrc
echo ${{ env.NPM_REGISTRY }}:[email protected] >> $HOME/.npmrc
echo "; end auth token" >> $HOME/.npmrc
- name: Publish
run: npm publish --workspaces --tag dev
- name: Generate hash codes for npm tarballs
id: hash-code
run: echo "hash-code=$(sha256sum *.tgz | base64 -w0)" >> $GITHUB_OUTPUT
- name: Upload packages as artifacts
if: success()
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: npm
path: Meadowlark-js/*.tgz
if-no-files-found: error
retention-days: 30
docker-publish:
name: Publish to Docker Hub
runs-on: ubuntu-latest
needs:
- azure-publish
steps:
- name: Wait 20s
# Give Azure Artifacts caching a moment to catch up
run: sleep 20
- name: Prepare Tags
id: prepare-tags
run: |
BASE="${{ env.IMAGE_NAME }}"
REF="${{ env.REF }}"
NPM_VERSION=${REF:1} # strip off the leading 'v'
if [[ $REF =~ "pre" ]]
then
# Pre-releases get the version and the tag "pre"
TAGS="${{ env.IMAGE_NAME }}:${REF},${{ env.IMAGE_NAME }}:pre"
else
# Releases get the version, plus shortened form for minor release.
# We are not using shortened form for major or using "latest"
# because they are too imprecise.
MINOR=`echo ${REF} | awk -F"." '{print $1"."$2}'`
TAGS="${{ env.IMAGE_NAME }}:${REF},${{ env.IMAGE_NAME }}:${MINOR}"
fi
echo "TAGS=$TAGS" >> $GITHUB_OUTPUT
echo "NPM_VERSION=$NPM_VERSION" >> $GITHUB_OUTPUT
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Log in to Docker Hub
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
username: ${{ env.DOCKER_USERNAME }}
password: ${{ env.DOCKER_HUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: ${{ env.IMAGE_NAME }}
- name: Build and push
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: "{{defaultContext}}:docker"
cache-from: type=registry,ref=${{ env.IMAGE_NAME }}:pre
cache-to: type=inline
build-args: ML_VERSION=${{ steps.prepare-tags.outputs.NPM_VERSION }}
file: Dockerfile
tags: ${{ steps.prepare-tags.outputs.TAGS }}
labels: ${{ steps.meta.outputs.labels }}
push: true
sbom-create:
name: Create SBOM for NPM Packages
runs-on: ubuntu-latest
needs: azure-publish
permissions:
actions: read
contents: write
outputs:
sbom-hash-code: ${{ steps.sbom-hash-code.outputs.sbom-hash-code }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- name: Get Artifacts
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a #v3.0.2
with:
name: npm
- name: Generate Software Bill of Materials (SBOM) - API
shell: pwsh
run: |
$url = "https://github.com/microsoft/sbom-tool/releases/latest/download/sbom-tool-linux-x64"
$out = "$($env:RUNNER_TEMP)/sbom-tool"
Invoke-RestMethod -Uri $url -OutFile $out
chmod +x $out
New-Item -Path sbom -Type Directory
&$out generate `
-b . `
-pn "Ed-Fi-Meadowlark" `
-pv ${{ env.REF }} `
-nsb https://ed-fi.org `
-m sbom `
-ps "Ed-Fi Alliance"
- name: Upload SBOM
if: success()
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: meadowlark-SBOM
path: ./sbom
if-no-files-found: error
retention-days: 30
- name: Store hash code for SBOM
id: sbom-hash-code
shell: bash
run: |
echo sbom-hash-code=$(sha256sum ./sbom/_manifest/spdx_2.2/manifest.spdx.json | awk '{split($0,a); print a[1]}') >> $GITHUB_OUTPUT
sbom-attach:
name: Attach SBOM file
runs-on: ubuntu-latest
needs:
- sbom-create
permissions:
actions: read
contents: write
steps:
- name: Download the SBOM
uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@7f4fdb871876c23e455853d694197440c5a91506 #v1.5.0
with:
name: meadowlark-SBOM
path: _manifest/spdx_2.2/manifest.spdx.json
sha256: "${{ needs.sbom-create.outputs.sbom-hash-code }}"
- name: Attach to release
shell: pwsh
run: |
$release = "${{ env.REF }}"
$repo = "${{ github.repository }}"
$token = "${{ secrets.GITHUB_TOKEN }}"
$file = "_manifest/spdx_2.2/manifest.spdx.json"
$uploadName = "meadowlark-SBOM.zip"
$url = "https://api.github.com/repos/$repo/releases/tags/$release"
$gh_headers = @{
"Accept" = "application/vnd.github+json"
"Authorization" = "Bearer $token"
}
$response = Invoke-RestMethod -Uri $url -Headers $gh_headers
$releaseId = $response.id
$url = "https://uploads.github.com/repos/$repo/releases/$releaseId/assets"
Compress-Archive $file -DestinationPath $uploadName
$gh_headers["Content-Type"] = "application/octet"
Invoke-RestMethod -Method POST `
-Uri "$($url)?name=$($uploadName)" `
-Headers $gh_headers `
-InFile $uploadName
provenance-create:
name: Create Provenance
needs: azure-publish
permissions:
actions: read
id-token: write
contents: write
uses: Ed-Fi-Alliance-OSS/slsa-github-generator/.github/workflows/[email protected]
with:
base64-subjects: ${{ needs.azure-publish.outputs.hash-code }}
provenance-name: meadowlark.intoto.jsonl
upload-assets: true