fromJSON github-script output #51
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI/CD | |
on: | |
workflow_dispatch: | |
push: | |
branches: | |
- "**" | |
- "!dependabot/**" | |
tags: | |
- "release-**" | |
pull_request: | |
branches: | |
- "**" | |
permissions: | |
contents: read | |
jobs: | |
changed-files: | |
name: Detect Changed Files | |
runs-on: ubuntu-latest | |
outputs: | |
run-ci: ${{ steps.set-github-output.outputs.RUN_CI }} | |
run-tag-for-release: ${{ steps.set-github-output.outputs.RUN_TAG_FOR_RELEASE }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
github.com:443 | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Check for Tag | |
run: | | |
if git describe --contains "$GITHUB_SHA"; then | |
echo 'COMMIT_IS_TAGGED=true' >> "$GITHUB_ENV"; | |
else | |
echo 'COMMIT_IS_TAGGED=false' >> "$GITHUB_ENV"; | |
fi | |
- name: CI Files Changed | |
id: ci-files-changed | |
uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 | |
with: | |
files_yaml: | | |
paths: | |
- "**" | |
- "!*.md" | |
- "!.github/**" | |
- ".github/workflows/*.yml" | |
- name: Release Files Changed | |
id: release-files-changed | |
uses: tj-actions/changed-files@48d8f15b2aaa3d255ca5af3eba4870f807ce6b3c # v45.0.2 | |
with: | |
files_yaml: | | |
paths: | |
- "make-release" | |
- "src/image/entrypoint" | |
- "src/user-mirror" | |
- name: Set GITHUB_OUTPUT | |
id: set-github-output | |
run: | | |
echo "RUN_CI=${{ github.ref_type == 'tag' || (github.ref_type != 'tag' && steps.ci-files-changed.outputs.paths_any_changed == 'true') }}" >> "$GITHUB_OUTPUT" | |
echo "RUN_TAG_FOR_RELEASE=${{ github.ref == 'refs/heads/main' && env.COMMIT_IS_TAGGED != 'true' && steps.release-files-changed.outputs.paths_any_changed == 'true' }}" >> "$GITHUB_OUTPUT" | |
ci: | |
name: Continuous Integration | |
runs-on: ubuntu-latest | |
needs: changed-files | |
if: ${{ needs.changed-files.outputs.run-ci == 'true' }} | |
strategy: | |
matrix: | |
container-context: ["docker-default", "docker-rootless", "podman"] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: ${{ matrix.container-context != 'docker-rootless' }} | |
egress-policy: block | |
allowed-endpoints: > | |
auth.docker.io:443 | |
dl-cdn.alpinelinux.org:443 | |
download.docker.com:443 | |
files.pythonhosted.org:443 | |
get.docker.com:443 | |
github.com:443 | |
objects.githubusercontent.com:443 | |
production.cloudflare.docker.com:443 | |
pypi.org:443 | |
quay.io:443 | |
registry-1.docker.io:443 | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Use Rootless Docker | |
if: ${{ matrix.container-context == 'docker-rootless' }} | |
uses: ScribeMD/rootless-docker@6bd157a512c2fafa4e0243a8aa87d964eb890886 # 0.2.2 | |
- name: Install Podman Compose | |
if: ${{ matrix.container-context == 'podman' }} | |
# Podman in the GitHub runner is out of date, so we either need to upgrade it ourselves or install an older version of podman-compose. | |
# https://github.com/containers/podman-compose/issues/980#issuecomment-2199531338 | |
run: | | |
echo 'podman-compose == 1.0.6 --hash=sha256:48c92e6cdac1732422c6cfa803d8a905a61be4119dc0d41f9ed42c66826e9a78' > /tmp/requirements.txt | |
echo 'python-dotenv == 1.0.1 --hash=sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a' >> /tmp/requirements.txt | |
pip3 install --require-hashes --requirement /tmp/requirements.txt | |
rm /tmp/requirements.txt | |
- name: Docker Cache | |
id: docker-cache | |
uses: ScribeMD/docker-cache@fb28c93772363301b8d0a6072ce850224b73f74e # 0.5.0 | |
with: | |
key: docker-${{ runner.os }}-${{ hashFiles('./images/**/Dockerfile') }} | |
- name: Run Tests | |
run: | | |
grep -e '^#!/bin/sh' --exclude-dir=.git -lR | xargs chmod --changes +x | |
COMPOSE_ENGINE='${{ contains(matrix.container-context, 'podman') && 'podman-compose' || 'docker compose' }}' TESTING_ENVIRONMENT_DIR='/tmp/docker-user-mirror/' ./ci | |
- name: Test Release Script | |
run: | | |
chmod --changes +x ./make-release | |
./make-release | |
tag-for-release: | |
name: Tag for Release | |
runs-on: ubuntu-latest | |
needs: [changed-files, ci] | |
environment: release-tag | |
permissions: | |
contents: write | |
if: ${{ needs.changed-files.outputs.run-tag-for-release == 'true' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:22 | |
github.com:443 | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
with: | |
fetch-depth: 0 | |
fetch-tags: true | |
filter: tree:0 | |
ssh-key: ${{ secrets.SSH_PRIVATE_KEY }} | |
- name: Get Latest Release Tag | |
run: echo "LATEST_RELEASE_TAG=$(git tag --list --sort=-v:refname release-* | head -1)" >> $GITHUB_ENV | |
- name: Increment Tag | |
id: increment-tag | |
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | |
env: | |
LATEST_RELEASE_TAG: ${{ env.LATEST_RELEASE_TAG }} | |
with: | |
script: | | |
const latestReleaseTag = process.env.LATEST_RELEASE_TAG; | |
if (latestReleaseTag.length > 0) { | |
const incrementReleaseTag = latestReleaseTag.replace(/(\d+)([^\.]*)$/, (_, x, y) => (Number(x) + 1) + y); | |
if (incrementReleaseTag.length >= latestReleaseTag.length && latestReleaseTag !== incrementReleaseTag) { | |
return incrementReleaseTag; | |
} | |
} | |
- name: Tag Release | |
env: | |
NEW_RELEASE_TAG: ${{ fromJson(steps.increment-tag.outputs.result) }} | |
run: | | |
git tag "$NEW_RELEASE_TAG" | |
git push origin tag "$NEW_RELEASE_TAG" | |
cd: | |
name: Continuous Deployment | |
runs-on: ubuntu-latest | |
needs: ci | |
permissions: | |
contents: write | |
if: ${{ startsWith(github.ref, 'refs/tags/release-') }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
disable-sudo: true | |
egress-policy: block | |
allowed-endpoints: > | |
api.github.com:443 | |
github.com:443 | |
uploads.github.com:443 | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: Extract Version | |
run: echo "RELEASE_VERSION=$(echo "$GITHUB_REF" | cut -c 19-)" >> $GITHUB_ENV | |
- name: Generate Release Artifacts | |
run: | | |
chmod --changes +x ./make-release | |
./make-release | |
- name: Create Release | |
uses: ncipollo/release-action@2c591bcc8ecdcd2db72b97d6147f871fcd833ba5 # v1.14.0 | |
with: | |
artifactErrorsFailBuild: true | |
artifacts: "release/entrypoint,release/user-mirror" | |
generateReleaseNotes: true | |
name: Release ${{ env.RELEASE_VERSION }} |