From bb72bcc50293d4ce89ff5151a2490efc99217715 Mon Sep 17 00:00:00 2001
From: Reinaldy Rafli
Date: Wed, 31 Jan 2024 20:13:28 +0700
Subject: [PATCH] ci: release pipeline (#53)

---
 .github/workflows/master.yml | 23 ++++++---------
 .github/workflows/release.yml | 47 +++++++++++++++++++++++++++++++
 .github/workflows/secret-scan.yml | 21 ++++++++++++++
 3 files changed, 76 insertions(+), 15 deletions(-)
 create mode 100644 .github/workflows/release.yml
 create mode 100644 .github/workflows/secret-scan.yml

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
index 8c81915..a5c6f23 100644
--- a/.github/workflows/master.yml
+++ b/.github/workflows/master.yml
@@ -12,17 +12,7 @@ jobs:
 timeout-minutes: 15
 steps:
 - name: Checkout code
- uses: actions/checkout@v3
- with:
- fetch-depth: 0
-
- - name: TruffleHog OSS
- uses: trufflesecurity/trufflehog@main
- with:
- path: ./
- base: ${{ github.event.repository.default_branch }}
- head: HEAD
- extra_args: --debug --only-verified
+ uses: actions/checkout@v4
 
 - name: Install pnpm
 uses: pnpm/action-setup@v2
@@ -56,10 +46,13 @@ jobs:
 packages: write
 steps:
 - name: Checkout repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
 
 - name: Log in to the Container registry
- uses: docker/login-action@v2
+ uses: docker/login-action@v3
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -67,7 +60,7 @@ jobs:
 
 - name: Extract metadata (tags, labels) for Docker
 id: meta
- uses: docker/metadata-action@v4
+ uses: docker/metadata-action@v5
 with:
 images: ghcr.io/${{ github.repository }}
 flavor: |
@@ -77,7 +70,7 @@ jobs:
 type=sha
 
 - name: Build and push Docker image
- uses: docker/build-push-action@v3
+ uses: docker/build-push-action@v5
 with:
 context: .
 push: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 0000000..2ab87df
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,47 @@
+name: Release
+
+on:
+ release:
+ types:
+ - published
+
+jobs:
+ cd:
+ name: CD
+ needs:
+ - ci
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Extract metadata (tags, labels) for Docker
+ id: meta
+ uses: docker/metadata-action@v5
+ with:
+ images: ghcr.io/${{ github.repository }}
+ flavor: |
+ latest=true
+ tags: |
+ type=semver,pattern={{version}}
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ tags: ${{ steps.meta.outputs.tags }}
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/.github/workflows/secret-scan.yml b/.github/workflows/secret-scan.yml
new file mode 100644
index 0000000..87b06c1
--- /dev/null
+++ b/.github/workflows/secret-scan.yml
@@ -0,0 +1,21 @@
+name: Secret Scan
+
+on:
+ push:
+ pull_request:
+
+jobs:
+ trufflehog:
+ name: Trufflehog
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: TruffleHog OSS
+ uses: trufflesecurity/trufflehog@main
+ with:
+ extra_args: --debug --only-verified
\ No newline at end of file
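Review bot: The `cd` job declares `needs:` on a job named `ci`, but this new workflow file defines only `cd`; GitHub Actions refuses to run a workflow whose `needs` names a job that does not exist in the same file, so release builds would never start. Either drop the `needs:` block or define the `ci` job in this file — jobs cannot depend on jobs in another workflow, so gating on the master pipeline would need a `workflow_run` trigger or a reusable workflow instead. This file also checks out with `actions/checkout@v3` while the other two workflows in the commit move to v4; `uses: actions/checkout@v4` keeps them consistent. Since this job holds `packages: write` and publishes the release image, consider pinning each `uses:` to a full commit SHA (tag in a trailing comment) rather than a floating major tag, so the publishing chain cannot change under you without a commit here.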
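Review bot: `uses: trufflesecurity/trufflehog@main` executes whatever is on the scanner's default branch at each run against a full-history checkout (`fetch-depth: 0`), so its behaviour can change without any commit to this repository; pin it to a release tag or commit SHA, e.g. `uses: trufflesecurity/trufflehog@<release-tag-or-sha>` (placeholder). Compared with the step removed from master.yml, `path`, `base` and `head` are no longer passed, so the commit range scanned now depends on the action's defaults for `push` and `pull_request` events — presumably it derives the range from the event payload, but that is worth confirming against the pinned version's docs. The job has no `permissions:` block, so it inherits the repository's default token scope although a scan needs only `permissions: contents: read`. `--debug` appears to be carried over from the old step and mainly inflates log output; the file is also missing its trailing newline (`\ No newline at end of file`).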