Browse Source
feat(BUILD-2144): Make release workflow use Vault
Replace release and maven sync with `SonarSource/gh-action_release` Also fix secrets for Github release token and Slack, now using Vault. Replace slack action with `slackapi/slack-github-action`pull/139/head
Eric Lorenzana
1 year ago
1 changed files with 24 additions and 88 deletions
+ 24
- 88
.github/workflows/release.yml
View File
| @@ -5,58 +5,34 @@ on: | |||
| types: | |||
| - published | |||
| env: | |||
| PYTHONUNBUFFERED: 1 | |||
| jobs: | |||
| run_release: | |||
| release: | |||
| permissions: | |||
| id-token: write | |||
| contents: write | |||
| uses: SonarSource/gh-action_release/.github/workflows/main.yaml@5.0.1 | |||
| with: | |||
| publishToBinaries: true | |||
| mavenCentralSync: true | |||
| slackChannel: sonarqube-build | |||
| release_docker: | |||
| runs-on: ubuntu-latest | |||
| name: Start release process | |||
| name: Start Docker release process | |||
| needs: release | |||
| timeout-minutes: 60 | |||
| steps: | |||
| - name: Configure AWS Credentials | |||
| uses: aws-actions/configure-aws-credentials@v1 | |||
| with: | |||
| aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }} | |||
| aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }} | |||
| aws-region: ${{ secrets.BINARIES_AWS_REGION }} | |||
| - name: Run release action | |||
| id: run_release | |||
| uses: SonarSource/gh-action_release/main@v4 | |||
| with: | |||
| distribute: true | |||
| publish_to_binaries: true | |||
| attach_artifacts_to_github_release: true | |||
| run_rules_cov: false | |||
| slack_channel: sonarqube-build | |||
| env: | |||
| ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} | |||
| BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }} | |||
| BURGRX_USER: ${{ secrets.BURGRX_USER }} | |||
| BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }} | |||
| CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }} | |||
| PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }} | |||
| GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} | |||
| RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }} | |||
| RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }} | |||
| SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }} | |||
| - name: Log outputs | |||
| if: always() | |||
| run: | | |||
| echo "${{ steps.run_release.outputs.releasability }}" | |||
| echo "${{ steps.run_release.outputs.release }}" | |||
| echo "${{ steps.run_release.outputs.distribute_release }}" | |||
| - name: Notify success on Slack | |||
| uses: Ilshidur/action-slack@2.0.0 | |||
| env: | |||
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |||
| - name: get secrets | |||
| id: secrets | |||
| uses: SonarSource/vault-action-wrapper@8e22afd670393ed80f489f5dbd517d09ea21d75b | |||
| with: | |||
| args: "Release successful for {{ GITHUB_REPOSITORY }} by {{ GITHUB_ACTOR }}" | |||
| secrets: | | |||
| development/github/token/SonarSource-sonar-scanner-cli-release token | GITHUB_TOKEN_RELEASE; | |||
| development/kv/data/slack token | SLACK_BOT_TOKEN; | |||
| - name: Create Release for Docker Image | |||
| id: create_release | |||
| uses: softprops/action-gh-release@v1 | |||
| env: | |||
| GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }} | |||
| GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN_RELEASE }} | |||
| GITHUB_REPOSITORY: SonarSource/sonar-scanner-cli-docker | |||
| with: | |||
| tag_name: ${{ github.event.release.tag_name }} | |||
| @@ -64,50 +40,10 @@ jobs: | |||
| draft: false | |||
| prerelease: false | |||
| - name: Notify failures on Slack | |||
| uses: Ilshidur/action-slack@2.0.0 | |||
| uses: slackapi/slack-github-action@v1.23.0 | |||
| if: failure() | |||
| env: | |||
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} | |||
| with: | |||
| args: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}" | |||
| maven-central-sync: | |||
| runs-on: ubuntu-latest | |||
| needs: | |||
| - run_release | |||
| steps: | |||
| - name: Setup JFrog CLI | |||
| uses: jfrog/setup-jfrog-cli@v1 | |||
| - name: JFrog config | |||
| run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only | |||
| env: | |||
| ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }} | |||
| - name: Get the version | |||
| id: get_version | |||
| run: | | |||
| IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}" | |||
| echo ::set-output name=build::"${build}" | |||
| - name: Create local repository directory | |||
| id: local_repo | |||
| run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)" | |||
| - name: Download Artifacts | |||
| uses: SonarSource/gh-action_release/download-build@v4 | |||
| with: | |||
| build-number: ${{ steps.get_version.outputs.build }} | |||
| local-repo-dir: ${{ steps.local_repo.outputs.dir }} | |||
| - name: Maven Central Sync | |||
| id: maven-central-sync | |||
| continue-on-error: true | |||
| uses: SonarSource/gh-action_release/maven-central-sync@v4 | |||
| with: | |||
| local-repo-dir: ${{ steps.local_repo.outputs.dir }} | |||
| env: | |||
| OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} | |||
| OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} | |||
| - name: Notify on failure | |||
| if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }} | |||
| uses: 8398a7/action-slack@v3 | |||
| with: | |||
| status: failure | |||
| fields: repo,author,eventName | |||
| env: | |||
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }} | |||
| channel-id: sonarqube-build | |||
| slack-message: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}" | |||
| env: | |||
| SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }} | |||
Loading…