authorEric Lorenzana <eric.lorenzana@sonarsource.com>2022-11-17 15:03:44 +0100
committerEric Lorenzana <eric.lorenzana@sonarsource.com>2022-11-25 12:37:35 +0100
commit902ba352c9e70be2b4375948985074ce941e1b5d (patch)
tree716a7c918e58503b5dfd03b9adea2a46fac9a9a7
parentf624cc7dad9f1f5eeddf9e2354df7073149ade02 (diff)
feat(BUILD-2144): Make release workflow use Vault
Replace release and maven sync with `SonarSource/gh-action_release`. Also fix secrets for GitHub release token and Slack, now using Vault. Replace Slack action with `slackapi/slack-github-action`.
-rw-r--r--.github/workflows/release.yml112
1 files changed, 24 insertions, 88 deletions
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 38556ba..6b44210 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,58 +5,34 @@ on:
types:
- published
-env:
- PYTHONUNBUFFERED: 1
-
jobs:
- run_release:
+ release:
+ permissions:
+ id-token: write
+ contents: write
+ uses: SonarSource/gh-action_release/.github/workflows/main.yaml@5.0.1
+ with:
+ publishToBinaries: true
+ mavenCentralSync: true
+ slackChannel: sonarqube-build
+ release_docker:
runs-on: ubuntu-latest
- name: Start release process
+ name: Start Docker release process
+ needs: release
timeout-minutes: 60
steps:
- - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1
- with:
- aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }}
- aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }}
- aws-region: ${{ secrets.BINARIES_AWS_REGION }}
- - name: Run release action
- id: run_release
- uses: SonarSource/gh-action_release/main@v4
- with:
- distribute: true
- publish_to_binaries: true
- attach_artifacts_to_github_release: true
- run_rules_cov: false
- slack_channel: sonarqube-build
- env:
- ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
- BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }}
- BURGRX_USER: ${{ secrets.BURGRX_USER }}
- BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }}
- CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }}
- PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }}
- GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
- RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }}
- RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }}
- SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }}
- - name: Log outputs
- if: always()
- run: |
- echo "${{ steps.run_release.outputs.releasability }}"
- echo "${{ steps.run_release.outputs.release }}"
- echo "${{ steps.run_release.outputs.distribute_release }}"
- - name: Notify success on Slack
- uses: Ilshidur/action-slack@2.0.0
- env:
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+ - name: get secrets
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@8e22afd670393ed80f489f5dbd517d09ea21d75b
with:
- args: "Release successful for {{ GITHUB_REPOSITORY }} by {{ GITHUB_ACTOR }}"
+ secrets: |
+ development/github/token/SonarSource-sonar-scanner-cli-release token | GITHUB_TOKEN_RELEASE;
+ development/kv/data/slack token | SLACK_BOT_TOKEN;
- name: Create Release for Docker Image
id: create_release
uses: softprops/action-gh-release@v1
env:
- GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN_RELEASE }}
GITHUB_REPOSITORY: SonarSource/sonar-scanner-cli-docker
with:
tag_name: ${{ github.event.release.tag_name }}
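Review bot: The new `release_docker` job declares no `permissions:` block, while the `release` job it depends on is given `id-token: write` and `contents: write`; if `SonarSource/vault-action-wrapper` authenticates to Vault with the workflow's OIDC token, the "get secrets" step needs the same `id-token: write` grant, and an explicit job-level block (`permissions: { id-token: write, contents: write }`) would also stop the job from inheriting whatever broader default the repository applies. Action pinning is also inconsistent within the hunk: the vault wrapper is pinned to a full commit SHA, but the reusable workflow at `@5.0.1` (and the pre-existing `softprops/action-gh-release@v1`) are mutable tags that a compromised upstream could repoint, which matters most on a job that handles a release token. Consider pinning those to a SHA with the tag kept in a trailing comment, e.g. `uses: SonarSource/gh-action_release/.github/workflows/main.yaml@<sha> # 5.0.1`. The hunk starts inside the `on:` block and the `release_docker` job continues past its last line.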
@@ -64,50 +40,10 @@ jobs:
draft: false
prerelease: false
- name: Notify failures on Slack
- uses: Ilshidur/action-slack@2.0.0
+ uses: slackapi/slack-github-action@v1.23.0
if: failure()
- env:
- SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
with:
- args: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}"
- maven-central-sync:
- runs-on: ubuntu-latest
- needs:
- - run_release
- steps:
- - name: Setup JFrog CLI
- uses: jfrog/setup-jfrog-cli@v1
- - name: JFrog config
- run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only
- env:
- ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
- - name: Get the version
- id: get_version
- run: |
- IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}"
- echo ::set-output name=build::"${build}"
- - name: Create local repository directory
- id: local_repo
- run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)"
- - name: Download Artifacts
- uses: SonarSource/gh-action_release/download-build@v4
- with:
- build-number: ${{ steps.get_version.outputs.build }}
- local-repo-dir: ${{ steps.local_repo.outputs.dir }}
- - name: Maven Central Sync
- id: maven-central-sync
- continue-on-error: true
- uses: SonarSource/gh-action_release/maven-central-sync@v4
- with:
- local-repo-dir: ${{ steps.local_repo.outputs.dir }}
- env:
- OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
- - name: Notify on failure
- if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }}
- uses: 8398a7/action-slack@v3
- with:
- status: failure
- fields: repo,author,eventName
- env:
- SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }}
+ channel-id: sonarqube-build
+ slack-message: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}"
+ env:
+ SLACK_BOT_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_BOT_TOKEN }}
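Review bot: The `slack-message` value still uses `{{ GITHUB_REPOSITORY }}` and `{{ GITHUB_ACTOR }}`, which was the placeholder syntax of the removed `Ilshidur/action-slack`; `slackapi/slack-github-action` sends the input text as given, so unless it performs the same substitution the failure message will be posted with the literal braces and a broken logs URL. Use the Actions expression context instead: `slack-message: "Release failed, see the logs at https://github.com/${{ github.repository }}/actions by ${{ github.actor }}"`. Note also that because the job has `needs: release`, this `if: failure()` step only covers failures of `release_docker` itself — a failed `release` job skips this job entirely, so that path presumably relies on the reusable workflow's own `slackChannel` notification; worth confirming and noting in the step name or a comment.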